Resetting a lost administrator password

Occasionally you need to access your FortiMail unit or change the administrator account's password, but no one who knows the existing password is available. If you have physical access to the device and a few other tools, the password can be reset.

Note

This procedure requires a reboot of the FortiMail unit.

FortiMail versions 6.0.8 and 6.2.3 introduce a new CLI command allowing you to enable or disable administrator password recovery:

config system global
    set admin-maintainer {enable | disable}
end

The following procedure requires admin-maintainer to be set to enable.

Administrators with physical access to a FortiMail unit can use a console cable and the maintainer administrator account to log into the CLI. The maintainer account allows you to log into a FortiMail unit if you have lost all administrator passwords.

Once logged into the FortiMail unit with the maintainer account, you can reset the passwords of super-admin profile accounts, or enter the execute factoryreset command to return the FortiMail unit to its default configuration. This can be useful if the admin administrator account was deleted.

Caution

The admin-maintainer setting is enabled by default, and the method for using the maintainer account is publicly available. Anyone with physical access to the device who also has its serial number, which is printed on a label on the device, can change the admin administrator account password and gain access to the FortiMail unit.

If this is an unacceptable risk in your environment (especially where the hardware is not physically secured), you can disable the feature. However, if it is disabled and the password is lost while no one else can log in as a super-admin, you will have no way to restore access.

Requirements:
  • Console cable
  • Terminal software such as Putty.exe (Windows) or Terminal (macOS)
  • Serial number of the FortiGate device
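
To check which units are exposed to the console recovery path described in the Caution above, the following added example (not Fortinet code) scans saved configuration text for the effective admin-maintainer value. It assumes backups use the same config/set/end syntax as the CLI shown on this page and treats a missing setting as the default, enable; hostnames and the other settings in the sample are constructed.

```python
import shlex

DEFAULT_STATE = "enable"  # per the page: admin-maintainer is enabled by default


def maintainer_state(config_text):
    """Return the effective admin-maintainer value in a CLI-style config dump."""
    stack, state = [], DEFAULT_STATE
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote on this line; not a line we need
            continue
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))  # enter a (possibly nested) block
        elif tokens[0] == "end" and stack:
            stack.pop()                          # leave the innermost block
        elif (tokens[:2] == ["set", "admin-maintainer"] and len(tokens) == 3
              and stack == ["system global"]):
            state = tokens[2]                    # only counts in system global
    return state


def hosts_with_recovery_enabled(backups):
    """Names of units where maintainer password recovery is still possible."""
    return sorted(h for h, cfg in backups.items()
                  if maintainer_state(cfg) != "disable")


# Constructed sample backups (hostnames and surrounding settings are made up).
SAMPLE_BACKUPS = {
    "fml-dc": "config system global\n    set hostname fml-dc\n"
              "    set admin-maintainer disable\nend\n",
    "fml-branch": "config system global\n    set hostname fml-branch\nend\n",
    "fml-lab": (
        "config system global\n    set admin-maintainer enable\nend\n"
        # Decoy: the same key inside a different, hypothetical block is ignored.
        "config example block\n    set admin-maintainer disable\nend\n"
    ),
}

if __name__ == "__main__":
    for host in hosts_with_recovery_enabled(SAMPLE_BACKUPS):
        print(f"{host}: admin-maintainer enabled (console recovery possible)")
```

Units reported here should either be physically secured or have the setting disabled, keeping in mind the lockout trade-off noted in the Caution.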
