Resetting lost Fortigate admin password

Voiced by Amazon Polly

It happens we all lose passwords at times, or perhaps you joined an organization, and someone else set the password, and it didn’t get passed along to you. At this point, you have only one option. You must recover the password.

To accomplish this, you will have to have access to the firewall and have the ability to restart it. Also, you will need a Console cable or RJ-45-to-DB-9 or null-modem cable and a terminal emulation software such as PuTTY.

You will also need to know the unit’s serial number. We will use it for the password by adding bcpb in front of it. The username for this process will be maintainer.

The password is bcpb plus the serial number of the firewall (the letters of the serial number must be uppercase)
For example, bcpbFGT80B3Z25…… or bcpbFGT101FRG……

There is a 14 second or less window to type in the username and password. I recommend copying the password (bcpbSERIALNUMBER) in your clipboard and pasting it in after typing the username (maintainer). You won’t see an indication of typing. Paste it in and hit enter.

If you see this message on the console, “PASSWORD RECOVERY FUNCTIONALITY IS DISABLED”, then the maintainer account has been disabled. There is more on this below.

There is no indicator of when the time runs out. It might take more than one attempt to get in.

As soon as you see the following, input the user name and password.

Initializing firewall...
System is starting...
Starting system maintenance...
Scanning /dev/mmcblk0p1... (100%)
Scanning /dev/mmcblk0p3... (100%)

Now that you are in, you will want to rest the admin password by doing the following.

If vdoms are not enabled:

#config system admin
edit admin
set password <yourpassword>

If vdoms are enabled:

#config global
config system admin
edit admin
set password <password>

The maintainer account

The maintainer account is enabled by default, however, there is an option to disable this feature. If the feature is disabled and you lose the password is lost there isn’t another option to recover the system.

If you use the maintainer account and see this message on the console, “PASSWORD RECOVERY FUNCTIONALITY IS DISABLED”, then the maintainer account has been disabled.

Disabling the maintainer account:

The following command in the CLI changes the status of the maintainer account.


#config system global
set admin-maintainer


#config system global
set admin-maintainer

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *