Fortinet - What to do if you are locked out of your FortiGate?
Who hasn't experienced this? You configure something on a FortiGate firewall, don't pay proper attention, and suddenly you no longer have access to the web interface. Or you have removed the necessary rights from the only administrator account.
I no longer have network access to the Fortigate!
If you have locked yourself out over the network during configuration, you can still reach the command line via SSH (if it is enabled) or via a console cable.
For the console connection, a standard DB-9 to RJ-45 console cable is sufficient. If your computer no longer has a serial port, USB to RJ-45 console cables are also available. Then look in the Windows Device Manager, for example, to see which COM port the cable has been assigned.
You can then use a terminal program such as PuTTY to establish the connection. For a connection via the console port, PuTTY has to be configured as follows:
- Serial line to connect to: Enter COM port
- Speed (baud): 9600
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow Control: None
Once the connection is established, you can log in with your administrator account. When entering commands, press the Tab key to auto-complete and enter ? at any time to display the commands and parameters currently available.
For example, you can edit an interface as follows (replace <interface_name> with the name of the interface you manage the device through, e.g. the management port):
config system interface
edit <interface_name>
Now you can view the current configuration of the network interface, find the error and make the desired changes. For example, if you have deactivated access via HTTPS, you can reactivate it with the following command. Note that set allowaccess replaces the whole list of allowed protocols, so list every protocol you still want (in this example HTTPS and HTTP; add ssh or ping as needed) on one line, or use append allowaccess https to add a single protocol to the existing list:
set allowaccess https http
next
end
Always finish with end so that the configuration entry is committed and saved.
You should then be able to access the FortiGate web interface without having to restart the FortiGate or reset it to factory settings.
I have locked myself out of my FortiGate Admin account!
What to do now? Reset to factory settings and start all over again? Backup the configuration after resetting the firewall to factory settings? Or is there perhaps even a third solution?
That was a rhetorical question, of course, because it does exist. Fortinet has built in a hidden account for emergencies, which can only be used under certain conditions:
- One must have direct physical access to the device.
- The serial number must be known. You will find it on a sticker on the unit.
- A computer with a console cable must be connected to the console port of the FortiGate unit.
You can then restore access with the following steps:
- Write the serial number of the FortiGate unit in a text file; all letters must be upper case.
- Place the letters bcpb directly in front of the serial number. These letters must be lower case. The result is the password you need; ideally, copy it to the clipboard.
- Establish a connection to the FortiGate via the console cable.
- Disconnect the FortiGate from the power, wait 30 seconds and reconnect the FortiGate.
- Once the boot process is complete and you are asked for a login, enter maintainer as the user name. Then enter the password or paste it from the clipboard.
You should now be logged into the maintainer account. If you now want to reset the password of an admin account, enter the following (the config global line and the second end are only necessary if VDOMs are active; set password requires the new password as its argument):
config global
config system admin
edit admin
set password <new_password>
end
end
Please note that maintainer cannot create new admin accounts and the show command is disabled for the maintainer account. Therefore, you cannot view the current configuration via the maintainer.
If you are forced to deactivate such an emergency account for compliance reasons, you can do so in the following way:
config system global
set admin-maintainer disable
end
Warning: once the maintainer account is disabled, losing all administrative access to the FortiGate means it can no longer be restored this way.
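Both settings discussed above (the allowaccess list on each interface and the admin-maintainer switch under system global) end up in the FortiGate's configuration backup, so they can be checked offline. The following is an added example, not code from the article or from Fortinet: a small Python audit script that parses the FortiOS config/edit/set/next/end block syntax and reports whether the maintainer account is still enabled and which interfaces still accept plaintext HTTP administration. The configuration text embedded in it is a constructed sample, and the parser handles only the subset of FortiOS syntax needed for this check.

```python
"""Audit a FortiGate configuration backup for two management-plane settings:
whether the hidden maintainer account is disabled (set admin-maintainer under
config system global) and which interfaces allow HTTP/HTTPS administration
(set allowaccess under config system interface).

Added example; SAMPLE_CONFIG is a constructed snippet, not a real export.
"""

from typing import Dict, List

# Constructed sample in FortiOS CLI syntax (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-maintainer enable
    set admintimeout 5
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
        set role wan
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set allowaccess https ssh
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS 'config/edit/set/next/end' blocks into nested dicts.

    'config <path>' opens a dict keyed by the path, 'edit <name>' opens a child
    dict keyed by the entry name (quotes stripped), 'set <key> <values...>'
    stores the list of values, and 'next'/'end' close the innermost block.
    """
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            node = stack[-1].setdefault(line[len("config "):], {})
            stack.append(node)
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            node = stack[-1].setdefault(name, {})
            stack.append(node)
        elif line.startswith("set "):
            parts = line.split()
            stack[-1][parts[1]] = parts[2:]
        elif line in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
    return root


def maintainer_enabled(cfg: dict) -> bool:
    """True unless 'set admin-maintainer disable' is present under system global.

    The account is enabled by default, so a missing line counts as enabled.
    """
    value = cfg.get("system global", {}).get("admin-maintainer", ["enable"])
    return value[0] != "disable"


def interfaces_allowing(cfg: dict, protocol: str) -> List[str]:
    """Return the sorted names of interfaces whose allowaccess list contains protocol."""
    hits = []
    for name, iface in cfg.get("system interface", {}).items():
        if protocol in iface.get("allowaccess", []):
            hits.append(name)
    return sorted(hits)


def audit(text: str) -> Dict[str, object]:
    """Run both checks over a configuration text and return a report dict."""
    cfg = parse_fortios(text)
    return {
        "maintainer_enabled": maintainer_enabled(cfg),
        "http_admin_interfaces": interfaces_allowing(cfg, "http"),
        "https_admin_interfaces": interfaces_allowing(cfg, "https"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a saved backup by replacing SAMPLE_CONFIG with the file's contents; an interface listed under http_admin_interfaces still exposes the web interface over plaintext, and maintainer_enabled reports whether the emergency account described above is still available.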