Friday, August 28, 2009

Resetting a lost Fortigate Admin Password

If you have lost the admin password for a Fortigate you can reset it if you have physical access to the box.

Heads up: You have to type the userid and password within 15 seconds of the login prompt first appearing. If you take too long, reboot the firewall and try again.
  • Connect the console cable to the Fortigate and fire up your favorite terminal emulator.
  • Reboot the firewall unit.
  • At the console login prompt, type in "maintainer" as the userid.
  • Type in bcpbFGTxxxxxxxxxxxxx as the password. xxxxxxxxxxxxx will be the S/N of the Fortigate. The serial number is case sensitive, so for example you should use FGT60B, not FGT60b. If that does NOT work, try bcpbxxxxxxxxxxxxx as the password.
  • After logging in, change the admin password:
config system admin
edit admin
set password <new_password>
next
end

44 comments:

John and Lisa said...

Does this only work on certain versions? Not having much luck, 4.0 MR1 interim release.

Polpot said...

It was working up to pre 3.0 (2.8 maybe) versions as far as I know.

Anonymous said...

Just done this on the latest release.

But you do have to power cycle the box and enter the userid immediately the login prompt comes up. Having the password in the paste buffer also makes for quick entry. But don't use ctrl-v with Hyperterm, it sends the ctrl-v to the host - use Edit, Paste to host.

NiltonF said...

Worked for me. Check that the format is 13 digits; if the serial number is 12, add a dash - in my case bcpbFGT-XXXXXXXXXXXX worked.

eldekal said...

Does anyone know if this procedure works with FortiAnalyzer too?

Thanks

Anonymous said...

Yes, this procedure is valid for FortiAnalyzer as well.

Anonymous said...

Does anyone know if this procedure works with FortiManager too?

Thanks

Anonymous said...

Yes, works with FortiManager as well.

Anonymous said...

Works on the latest firmware but immediately after restart.

Anonymous said...

Works on 4.0 MR2 patch 8 for FGC80C.
You must do this within 14 seconds of the logon prompt.
Also you must set the accprofile,
so:
config system admin
edit admin
set password <new_password>
set accprofile super_admin
end

Sal said...

I've tried this numerous times on a 110C I have. Tried multiple ways with multiple things left out. Any ideas how to get in this one? I can't find anything anywhere for 100 series devices.

Anonymous said...

I used these instructions to recover admin password on a Fortigate FG-30B and FG-60B. They worked exactly as described. Thank you very much for this post.

VertigoRay said...

Just tried with a FWF-60C. No dice.

Anonymous said...

Verified this on a FortiAnalyzer 100C and it works. The username is maintainer and the password is bcpbFLxxxxxxxxxxxxxx with the xxx's being the rest of the SN.

Anonymous said...

Fortigate 400: When I try your procedure it seems to work, but afterwards nothing happens!
No requests for commands, nothing ... it waits 1 minute and afterwards it logs me off and requests a login user!

Any idea, please?

Guna Sekar said...

I tried this solution for 200B, it works for me. How about Analyzer 100C?

Anonymous said...

Confirmed to work on 30B. The serial number is 16 characters long.
In my case I used bcpbFWFxxxxxxxxxxxxx. "FWF" is the first 3 characters of the serial number as recorded on the back of the device and xxx's as the remainder making a total of 16.

Dexter de jesus said...

I tried so many times but still this is what I always received.

maintainer
Password: ********************
The hashed password length is invalid
Login incorrect

Please kindly help me to reset the password. Many thanks.

Reinhold said...

Tried this tip with a Fortianalyzer 100C. Worked like a charm. Thanks for your infos !!

Anonymous said...

Hi, I am utterly useless or even a moron perhaps... but why doesn't this work?

FGT50B3G10604933 login: maintainer
Password: ********************
Welcome !

FGT50B3G10604933 # config system admin
4832: Unknown action 3
Command fail. Return code -1

Ken said...

You may have VDOMs configured on your fw.

You will need to set context with the 'config global' command. And then follow the password reset instructions from the top of the article.

Anonymous said...

I have a FortiWifi 60C. I consoled in to try this but it didn't work. What did work was that I cycled the power by pulling the plug and letting it restart. As soon as the login came back up, I pushed the reset button on the back right with a paperclip.

Anurag Goyal said...

IT IS NOT WORKING WITH 80C

Anonymous said...

ALSO IS NOT WORKING WITH FORTIWIFI 60 B

Anonymous said...

4-25-2013
I confirm having just done all of these units 10 minutes prior to this post.

FGT60D
FGT110C
FW80CM

Few things I see wrong in the responses

Wifi is not FWF, it's FW

Boot your unit up viewing it post with a terminal. I have noticed FGT and FG between A, B, C, and D units.

The number of digits in the SN varies. I have seen 12, 13, and 16

Most of all you are all wrong because you are not considering how crappy and inconsistent fortinet really is. Their Q&A is not good. Most of the units for any exact model have multiple hardware versions under the hood, hence all the info in here is wrong and right. Just depends if you have a gen1 a rev2 and such !!

cfreukes said...

This MUST be done in the first 14 seconds after a reboot. Copy n paste the password

fabian_MexDF said...

I have a FortiWIFI 60A, the serial number starts with FWF60A, and this procedure does not work. I hope someone has a solution.

GOGETA24 said...

Hello firewall guru, this article really helped me, and I ask for permission to copy this article into my blog.

Sebastian said...

Sure thing. As long as you link back to my blog :)

Anonymous said...

Thank you very much, it worked perfectly for me. I have an FG 100C.

It is very important to keep the time limit in mind; the best approach is to copy the serial number and paste it into the console.

Thanks again.

Kieran Wallace said...

Possibly a better way to explain it...

The unit will provide serial number on startup via Console.

Eg;
Serial number:FG300B39XXXXXXXX

Using username "maintainer", simply prepend "bcpb" to the string provided as the serial number. This let me in straight away.


Pavel said...

Thanks,
it helped me a lot on an FTG 100A

esmon said...

Tried resetting on a Fortigate 60 & it works like a charm!

Question though: I still have an F 60 in production and I want to recover the password. Would it in any way affect the running config? I don't have a backup config. I'm scared it would mess everything up.

Any help would be appreciated.

cheers!

Sebastian said...

You should be able to reset the password without losing your config.

Anonymous said...

Thanks !!!

It worked for me rebooting the unit on a 50B with user maintainer and with no dash ver:04000010

Anonymous said...

We got the same problem on a Fortigate 60C. The main tip is:
1) Kindly check that your serial no. is 13 digits. If not, kindly include a dash (-) between FGT and the serial no.
2) We need to enter the username (maintainer) and password within 14 seconds once the login asks.
Please follow it.

Anonymous said...

It works for me on a Fortigate 50B.

Anonymous said...

It works on 100A (MR2 patch9). The only thing is we need to type the username & password within 15 sec of the login prompt first appearing.

Anonymous said...

Hi there!
Great blog, great help, thanks!

My case: FortiGate 100.
Worked ok with the original plan, 13 digits, + good posted tips here like to have the SN already copied to Clipboard (I Scanned the bar code to NotePad in order to be sure it’s the right SN).

Please forgive me my nearly offtopic question: I needed to change the pwd because from one moment to another the previous pwd was no longer accepted (and nobody has changed it). Does anybody know about this kind of bug in these FWs?

Thanks again.

Anonymous said...

Hi Guys,

Is it possible to reset the password from a remote location? I have the physical hardware in our remote office. I have the serial number but for now I'm unable to plug directly into the Management Console (RJ45 to DB9).

I'd appreciate it if anyone can help me with this.

Many Thanks,

Anonymous said...

According to Fortinet support you cannot reset the admin password remotely. A console connection is required.

emorillo2 said...

Thank you, this worked for my FWF80CM running 4.0 MR2 Patch 2.
E.

Jorge Escarcega Bonilla said...

It worked for me as follows on a Fortigate 110C:

1.- Connect in console mode
2.- Power off and restart the Fortigate unit, leaving it connected
3.- When it restarts, we have only 14 seconds to enter:
User: maintainer
password: bcpbFG100C5G09108315

It is advisable to have the whole password already copied in a text file so that it can be pasted immediately into the HyperTerminal console.

That is all.

Jorge Escarcega Bonilla said...

More information here: http://docs-legacy.fortinet.com/fgt/sysadmin/Resetting_a_lost_admin_password.pdf