FortiGate
Article Id 196987
Description

If you cannot log into your FortiGate unit because you have forgotten or lost your administrator account password, you can use the information in this article to regain access to your FortiGate unit.

If you are a registered FortiGate user, you can always contact Fortinet Technical Support to obtain a procedure for resetting your administrator account password. See the related article at the end of this page "Contact Fortinet Technical Support" for contacting a support center near you.

You can also attempt to use the information in this article to regain access to your FortiGate unit and (if possible) reset your administrator account password yourself. The procedures in this article are do-it-yourself procedures that have some limitations and require some technical knowledge. These procedures also require you to use a TFTP server to install a new firmware image on your FortiGate unit.

This article contains two parts:

  • Part 1: Resetting your FortiGate unit to factory defaults. Use the information in this part to reset your FortiGate unit to factory defaults. Resetting to factory defaults means that you will be able to log into your FortiGate unit using the admin administrator account with no password. Resetting to factory defaults also means you will lose all of your configuration settings. This is where part 2 comes in.
  • Part 2: Restoring your FortiGate configuration. If you have a previously backed up configuration (stored in a configuration file), once you have access to your FortiGate unit you can restore this configuration, regaining some or all of your lost configuration settings. If you have forgotten the passwords of the administrator accounts in the backup configuration you can edit the configuration file before restoring it and remove the forgotten passwords. You can add new administrator account passwords after you have restored the configuration. (This will not work if you have encrypted the configuration file because you cannot edit encrypted configuration files.)

Components

A FortiGate unit (any model) running FortiOS 3.0.

Steps or Commands

Part 1: Resetting your FortiGate unit to factory defaults

Even if you cannot log into your FortiGate unit you can use the information in the related article at the end of this page "Loading FortiGate firmware using TFTP" to install firmware on your FortiGate unit from a TFTP server.

When the new firmware is installed the FortiGate unit configuration is restored to factory defaults. All of your configuration settings will be lost, but you can log into your FortiGate unit using the admin administrator account with no password.

Part 2: Restoring your FortiGate configuration

If you have previously backed up your FortiGate configuration, after resetting your FortiGate unit to factory defaults you can restore this configuration. Restoring the configuration makes it easier to get your FortiGate unit back up and running again.

If you have not backed up your configuration for some time you will have to make additional configuration changes after you have restored this configuration. If you have a recent backup you may not have to make any changes at all to have your FortiGate unit up and running again.

Before you restore the configuration you should edit the configuration file with a text editor to remove administrator account passwords. Then when you restore the configuration you will be able to log into the FortiGate unit using an administrator account with no password.

The FortiGate configuration file contains the CLI commands required to configure the FortiGate unit. Some knowledge of the FortiGate CLI may be required to edit the configuration file. Also, configuration files terminate text lines with Line Feed (LF) and not with Carriage-Return/Line Feed (CRLF), which is what most Windows text editors use. You may not be able to edit your configuration file correctly in some Windows text editors (such as Windows Notepad). You must edit the configuration file with a text editor that displays the configuration file correctly (see the example below). You can use Windows WordPad for this or any text editor that can edit text files containing lines that end with LF (such as many of the free text editors available on the Internet). When you save changes to the configuration file, remember to save the file as a text file (and not in another format such as RTF).

Note: You cannot edit encrypted configuration backup files. This procedure will not work if all of your backup configuration files are encrypted.

To restore your FortiGate configuration:

  1. Find the configuration file and make a copy of it.
  2. Open the configuration file with a text editor.
  3. Find the config system admin section of the configuration file. This section of the file contains configuration settings for administrator accounts. For each account the configuration file includes a set password line. For example, the settings for the admin administrator account could be similar to the following:

     config system admin
         edit "admin"
             set accprofile "super_admin"
             set vdom "root"
             config dashboard
                 edit "sysinfo"
                     set column 1
                 next
                 edit "licinfo"
                     set column 1
                 next
                 edit "jsconsole"
                     set column 1
                 next
                 edit "sysres"
                     set column 1
                 next
                 edit "sysop"
                     set column 2
                 next
                 edit "alert"
                     set column 2
                 next
                 edit "statistics"
                     set column 2
                 next
             end
             set password ENC <scrambled_characters>
         next
     end

  4. For at least one administrator account, delete the entire line that begins with set password. You can remove the set password line for all or just one administrator account.
  5. Save the configuration file. Make sure that you save the file as a text file.
  6. Restore the configuration file by logging into the FortiGate unit web-based manager, going to System > Maintenance and using the Restore options to restore the configuration from the Local PC. The FortiGate unit should upload the configuration file and restart using the new configuration.
  7. Log into the FortiGate unit using the administrator account that you removed the password from. Enter the administrator account name with no password.
  8. Add a password for all administrator accounts that now have no password.
  9. Review your FortiGate configuration to make sure all required settings have been restored. Make additional configuration changes as required.
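
The file-editing part of the procedure above can be scripted rather than done in a text editor, which avoids the CRLF and RTF pitfalls. The following Python function is an added example, not Fortinet code: it removes set password lines only inside the config system admin section, works on bytes so LF line endings are preserved, and refuses input it cannot edit safely. The sample backup, the hostname "lab-fgt" and the account "auditor" are constructed for illustration.

```python
SAMPLE_BACKUP = (  # constructed sample, not a real backup
    b'config system global\n'
    b'    set hostname "lab-fgt"\n'
    b'end\n'
    b'config system admin\n'
    b'    edit "admin"\n'
    b'        set accprofile "super_admin"\n'
    b'        config dashboard\n'
    b'            edit "sysinfo"\n'
    b'                set column 1\n'
    b'            next\n'
    b'        end\n'
    b'        set password ENC <scrambled_characters>\n'
    b'    next\n'
    b'    edit "auditor"\n'
    b'        set password ENC <scrambled_characters>\n'
    b'    next\n'
    b'end\n'
)

def strip_admin_passwords(data, accounts=None):
    """Return (edited_bytes, accounts_changed); accounts=None means all admins."""
    if b"\r" in data:
        raise ValueError("carriage return found: file is not LF-only text")
    out, removed = [], []
    depth, in_admin, account = 0, False, None
    # Assumes no multi-line quoted value has a line that is exactly "end"
    # or that starts with "config".
    for line in data.split(b"\n"):
        words = line.split()
        if words[:1] == [b"config"]:
            depth += 1
            if depth == 1:  # top-level section header
                in_admin = words[1:] == [b"system", b"admin"]
        elif words == [b"end"]:
            depth -= 1
            in_admin = in_admin and depth > 0
        elif in_admin and depth == 1 and words[:1] == [b"edit"]:
            account = b" ".join(words[1:]).strip(b'"').decode()
        elif (in_admin and depth == 1 and words[:2] == [b"set", b"password"]
              and (accounts is None or account in accounts)):
            removed.append(account)
            continue  # delete the entire line
        out.append(line)
    if not removed:
        raise ValueError("no admin 'set password' line found; the file may "
                         "be encrypted or not a configuration backup")
    return b"\n".join(out), removed
```

Read the copy of the backup with open(path, "rb") and write the result with "wb" so that no newline translation occurs. Every account named in the returned list has no password after the restore until one is set.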

Related Articles

Technical Tip: Formatting and loading FortiGate firmware image using TFTP