akawade
Staff
Article Id 196760
Description
This article describes the effects of disabling the maintainer account.

Solution
The maintainer account is meant for an admin user with physical access to a unit who has lost access to it.

With this maintainer account:
- The password of the admin account can be reset (if it exists).
- The unit can be reset to the factory default configuration using the execute factoryreset command. This is the only way to get access to the unit if the admin account has been deleted.

Details of the maintainer account are publicly available.
If any person has physical access to the unit and has its serial number, which is printed on a label on the unit, they can change the admin account password and access the FortiGate.
They can then make any changes they want.

This is an unacceptable risk in some circumstances, especially where the hardware is not physically secured.
To avoid this risk, the maintainer account can be disabled using the following setting:
# config system global
    set admin-maintainer disable
end
Note:
If this feature is disabled and the administrator passwords are also lost, it will no longer be possible to log in to the unit.
The only way to access the unit will be to start over with a flash format, a new firmware installation and a default/backup configuration file. All the settings will be lost.
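
As an added example (not part of the original article and not Fortinet code), the Python script below checks saved configuration backups and lists the units where admin-maintainer is not set to disable directly inside config system global. The function names, unit names and backup contents are constructed, and it assumes the usual config/edit/next/end nesting of a backup file; a backup that does not contain the setting is listed for review rather than assumed safe.

```python
# Added example: audit FortiGate config backups for "set admin-maintainer disable".
def maintainer_state(config_text):
    """Return the admin-maintainer value set directly inside the top-level
    'config system global' block, or 'unset' if it is not set there."""
    stack, in_string, state = [], False, "unset"
    for raw in config_text.splitlines():
        # An odd number of unescaped quotes opens or closes a multi-line value.
        odd_quotes = raw.replace('\\"', "").count('"') % 2 == 1
        if in_string:
            in_string = not odd_quotes
            continue                      # text inside a quoted value is not config
        in_string = odd_quotes
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or backup header comment
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words))
        elif words[0] in ("end", "next") and stack:
            stack.pop()
        elif (words[:2] == ["set", "admin-maintainer"] and len(words) == 3
              and stack == ["config system global"]):
            state = words[2]
    return state

def audit(backups):
    """Return the names of units whose backup does not disable the account."""
    return sorted(n for n, t in backups.items() if maintainer_state(t) != "disable")

# Constructed sample backups (unit names and contents are made up).
SAMPLES = {
    "fw-a": '''#config-version=CONSTRUCTED
config system global
    set admin-maintainer disable
end
''',
    "fw-b": '''config system global
    set hostname "fw-b"
end
config system replacemsg admin "constructed-banner"
    set buffer "Authorized use only
set admin-maintainer disable
"
end
''',
    "fw-c": "config system global\n    set admin-maintainer enable\nend\n",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

In the fw-b sample the matching line sits inside a quoted multi-line banner, not in config system global, so the unit is still listed for review.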
