Enhanced administrator password security
The PBKDF2 hashing scheme with randomized salts is now used to store system administrator passwords on the FortiGate to enhance security. Previously the SHA256 hashing algorithm was used.
With this change, a new setting is available to control what happens to administrator logins on a FortiOS downgrade:
config system password-policy
set login-lockout-upon-downgrade {enable | disable}
end
set login-lockout-upon-downgrade {enable | disable}
Enable or disable system administrator login lockout after downgrading to FortiOS firmware that does not support safer passwords (default = disable). When disabled, a system administrator's SHA256 hashed password is kept after it is successfully converted to a PBKDF2 hash, and that SHA256 hashed password is used again after downgrading to a firmware version that does not support PBKDF2 hashed passwords. When enabled, converting a system administrator password to a PBKDF2 hash immediately removes the SHA256 hashed password; after downgrading FortiOS to a lower version where safer passwords are unsupported, those administrators are locked out.
When creating a new administrative user in FortiOS 7.6.1 or later, the PBKDF2 hashing scheme is used to store the password. When displayed in the CLI, the encoded password carries the PB2 prefix:
# config system admin
(admin)# edit admin2
new entry 'admin2' added
(admin2)# set accprofile super_admin
(admin2)# set vdom root
(admin2)# set password 123456
(admin2)# show
config system admin
edit "admin2"
set accprofile "super_admin"
set vdom "root"
set password ENC PB20jOHUbfWEI7eKFTnKkE/qBgE5md70OjpXqiHhHTxo48GnIZshrIq67dT1IUouJSxgEZ6NYeAdAS9vLHpZGlcpBmtfUbfFOa6qKaVAN+F9CM=
next
end
Upgrade
To view system administrator passwords before and after upgrading to FortiOS 7.6.1:
1. Before upgrading to FortiOS 7.6.1 or later, view the encoded password. The encoded password shows the SH2 prefix because it was hashed with the SHA256 algorithm:
# show system admin
config system admin
    edit "admin1"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2RHqyB8gaEKC10dzpgU6lZg7YSpnb21wWLFOtqzMlpyKJZyyq3ISFYPyIL/s=
    next
end
2. Upgrade to FortiOS 7.6.1 or later. Each system administrator password hashed with SHA256 remains stored on the FortiGate until that system administrator successfully logs in to FortiOS.
If a system administrator does not log in to the FortiGate after upgrading to FortiOS 7.6.1 or later, their password remains saved as the SHA256 hashed password.
3. Log in to FortiOS. The password is converted to a PBKDF2 hashed password.
4. View the encoded password. The encoded password now shows the PB2 prefix because it was hashed with the PBKDF2 algorithm:
FortiGate login: admin1
Password:
Verifying password...
$ show system admin
config system admin
    edit "admin1"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC PB2a2X8D3DIt0gXbBXVdknLZb48BKrGTD50z//UrbpWAD5kpFdwqBKie0h8STxL6Db//wQ2ZWN/5FW3+DkX3+0nBE1RNbeTKSVi18WcFmSPDQM=
    next
end
Downgrade
To support downgrading to an older version that does not support PBKDF2 hashed passwords, the old SHA256 hashed password is, by default, still stored in the system after the password is converted to PBKDF2. This is controlled by the following setting, which is disabled by default:
config system password-policy
set login-lockout-upon-downgrade disable
end
Downgrading will successfully restore the SHA256 hashed password and operations will continue uninterrupted.
If the login-lockout-upon-downgrade option is enabled:
config system password-policy
set login-lockout-upon-downgrade enable
end
The SHA256 hashed password will be removed from the system as soon as it is converted to a PBKDF2 hashed password upon a successful login.
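The conversion-on-login described in the Upgrade section and the two login-lockout-upon-downgrade behaviours described above, modelled as an added Python example (not FortiOS code): the SH2 and PB2 labels follow the CLI prefixes shown on this page, but the salt-and-hash encoding, the iteration count and the record layout are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional
# Constructed model of the migration on this page: SH2 = legacy unsalted SHA256, PB2 = salted
# PBKDF2. The base64(salt || derived key) encoding and ITERATIONS are assumptions, not FortiOS's format.
SALT_LEN = 16
ITERATIONS = 100_000  # illustrative; raise for a real deployment

def sha256_legacy(password: str) -> str:
    digest = hashlib.sha256(password.encode()).digest()
    return "SH2" + base64.b64encode(digest).decode()

def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(SALT_LEN) if salt is None else salt  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "PB2" + base64.b64encode(salt + dk).decode()

def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format using constant-time comparison."""
    if stored.startswith("SH2"):
        return hmac.compare_digest(stored, sha256_legacy(password))
    if stored.startswith("PB2"):
        raw = base64.b64decode(stored[3:])
        salt, dk = raw[:SALT_LEN], raw[SALT_LEN:]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(dk, cand)
    return False

class AdminRecord:
    """One admin entry after upgrade: the hash the running firmware checks plus the SHA256 copy kept for downgrade."""
    def __init__(self, name: str, sha256_hash: str):
        self.name = name
        self.current = sha256_hash
        self.legacy: Optional[str] = sha256_hash

def login(admin: AdminRecord, password: str, lockout_upon_downgrade: bool) -> bool:
    """A successful login converts SH2 to PB2; with lockout enabled the SH2 copy is dropped too."""
    if not verify(admin.current, password):
        return False
    if admin.current.startswith("SH2"):
        admin.current = pbkdf2_hash(password)
        if lockout_upon_downgrade:
            admin.legacy = None
    return True

def can_login_after_downgrade(admin: AdminRecord) -> bool:
    # Pre-7.6.1 firmware only understands SH2 hashes, so the admin needs the kept copy.
    return admin.legacy is not None
```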
During a downgrade operation, the system will display the following warning:
# execute restore image ftp FGT_2601F-v7.6.0.F-build3401-FORTINET.out 172.16.106.105 username password
This operation will replace the current firmware version and reboot the system!
Do you want to continue? (y/n)y
Please wait...
Connect to ftp server 172.16.106.105 ...
Get image from ftp server OK.
Verifying the signature of the firmware image.
Image verification OK!
Warning: Installing image v7.6.0 from v7.6.1 is not a recommended upgrade path. Continuing with the upgrade may result in loss of configuration. Do you want to proceed?
Do you want to continue? (y/n)y
…
You are downgrading to a version that does not support safer passwords. After downgrade, some administrative user (e.g., admin1) no longer will be able to login.
Do you want to continue? (y/n)
Administrators can choose to proceed or abort this downgrade.
Finally, if an administrator wants to restore the SHA256 hashed passwords before a downgrade, they can do the following:
1. Disable the login-lockout-upon-downgrade option.
2. Log out the current administrator.
3. For each system administrator, log in to the FortiGate so that the SHA256 hashed password is regenerated with the SHA256 hashing algorithm.
After administrator passwords are converted to PBKDF2 hashed passwords, loading the configuration file on an older version that does not support safer passwords will lock out the administrators.