Resetting a lost Admin password


Periodically a situation arises where the FortiGate needs to be accessed or the admin account’s password needs to be changed, but no one with the existing password is available. If you have physical access to the device and a few other tools, the password can be reset.

Warning: This procedure will require the reboot of the FortiGate unit.


In newer versions of the BIOS, you can expect some changes to the behaviour of the maintainer account. These changes will include:

  • The countdown timer for how long you have to enter the credentials has increased. Starting from when the device powers up, you will have 60 seconds instead of 30.
  • Using the maintainer account and resetting a password cause a log to be created, making these actions traceable for security purposes.
  • The account will be able to reset the password for any super-admin profile user in addition to the default admin user. This takes into account the possibility that the default account has been renamed.
  • The only thing the maintainer account has permissions to do is reset the passwords of super-admin profile accounts.

You will need:

  • Console cable
  • Terminal software such as Putty.exe (Windows) or Terminal (MacOS)
  • Serial number of the FortiGate device


Step #1

Connect the computer to the firewall via the Console port on the back of the unit.

In most units this is done with either a serial cable or an RJ-45 to serial cable. Some units use a USB cable and FortiExplorer to connect to the console port.

Virtual instances do not have a physical port to connect to, so you will have to use the console connection utility supplied by the VM host.

Step #2

Start your terminal software.

Step #3

Connect to the firewall using the following:

Setting        Value
Speed          Baud 9600
Data Bits      8 Bit
Parity         None
Stop Bits      1
Flow Control   No Hardware Flow Control
Com Port       the correct COM port

Step #4

The firewall should then respond with its name or hostname. (If it doesn’t, try pressing “Enter”.)

Step #5

Reboot the firewall. If there is no power button, disconnect the power adapter and reconnect it after 10 seconds. Plugging in the power too soon after unplugging it can cause corruption in the memory in some units.

Step #6

Wait for the Firewall name and login prompt to appear. The terminal window should display something similar to the following:

FortiGate-60C (18:52-06.18.2010)
Serial number: FGT60C3G10016011
CPU(00): 525MHz
Total RAM: 512 MB
NAND init... 128 MB
MAC Init... nplite#0
Press any key to display configuration menu...
reading boot image 1163092 bytes.
Initializing firewall...        
System is started.

Step #7

Type in the username: maintainer

Step #8

The password is bcpb + the serial number of the firewall (letters of the serial number are in UPPERCASE format)

Example: bcpbFGT60C3G10016011


On some devices, after the device boots, you have only 14 seconds or less to type in the username and password. It might, therefore, be necessary to have the credentials ready in a text editor, and then copy and paste them into the login screen. There is no indicator of when your time runs out so it is possible that it might take more than one attempt to succeed.

Step #9

Now you should be connected to the firewall. To change the admin password, type the following:

In a unit where VDOMs are not enabled:

config system admin
  edit admin
    set password <new-password>
end

In a unit where VDOMs are enabled:

config global
  config system admin
    edit admin
      set password <new-password>
  end
end


Good news and bad news. Some might be worried that there is a backdoor into the system. The maintainer feature/account is enabled by default, but the good news is that, if you wish, there is an option to disable it. The bad news is that if you disable the feature and then lose the password, and no one else can log in as a super-admin profile user, you will be out of options.

If you attempt to use the maintainer account and see the message on the console, “PASSWORD RECOVERY FUNCTIONALITY IS DISABLED”, this means that the maintainer account has been disabled.

Disabling the maintainer feature/account

Use the following commands in the CLI to change the status of the maintainer account.

To disable

config system global
  set admin-maintainer disable
end

To enable

config system global
  set admin-maintainer enable
end
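
To check this setting across saved configuration backups, the following added example (not from the original article or from Fortinet) parses a FortiOS backup and reports whether the maintainer login is still available and which super-admin accounts it could reset. It assumes backups omit default values, so a missing admin-maintainer line means enabled, and that super-admin accounts carry accprofile "super_admin"; the function names and sample configs are constructed for illustration.

```python
# Added example (not Fortinet code): audit config backups for the maintainer setting.
# Assumption: backups omit default values, so a missing admin-maintainer line means "enable".
def parse_fortios(text):
    """Map each block path, e.g. ('system admin', 'edit netops'), to its 'set' values."""
    settings, stack = {}, []
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(rest.strip())
        elif word == "edit":
            stack.append("edit " + rest.strip().strip('"'))
        elif word == "next" and stack and stack[-1].startswith("edit "):
            stack.pop()
        elif word == "end":
            # Close any edit entry left open, then the enclosing config block.
            while stack and stack.pop().startswith("edit "):
                pass
        elif word == "set":
            key, _, value = rest.strip().partition(" ")
            settings.setdefault(tuple(stack), {})[key] = value.strip().strip('"')
    return settings

def audit(text):
    """Report whether maintainer login is available and which accounts it could reset."""
    # VDOM-enabled backups wrap these blocks in 'config global'; drop that prefix.
    cfg = {(p[1:] if p[:1] == ("global",) else p): v for p, v in parse_fortios(text).items()}
    enabled = cfg.get(("system global",), {}).get("admin-maintainer", "enable") != "disable"
    admins = sorted(p[1][len("edit "):] for p, v in cfg.items()
                    if len(p) == 2 and p[0] == "system admin"
                    and v.get("accprofile") == "super_admin")
    return {"maintainer_enabled": enabled, "resettable_accounts": admins if enabled else []}

# Constructed sample backups, not taken from a real device.
SAMPLE_DEFAULT = """config global
config system global
    set hostname "branch-fw"
end
config system admin
    edit "netops"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "prof_admin"
    next
end
end"""
SAMPLE_HARDENED = "config system global\n    set admin-maintainer disable\nend"
if __name__ == "__main__":
    print(audit(SAMPLE_DEFAULT), audit(SAMPLE_HARDENED))
```

A unit reported with maintainer_enabled set to True relies on physical control of the console port and on the serial number staying out of reach.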



Bruce Davis

Technical Writer at Fortinet

  • Anderson Vieira

    Is this procedure functional for a FortiAnalyzer VM?

  • bigmastet

    How can I reset the unit without the maintainer account? admin-maintainer was disabled. Please help me.

    • Bruce Davis

      Unfortunately, there is no happy answer here. If the maintainer account was disabled and you have exhausted every opportunity to find out what the admin password is from other sources, the only option left is to reformat the hard drive and reinstall the firmware through the BIOS of the FortiGate unit. The interrupt to install the firmware takes place before you are asked for a password so this should be possible. However, this means that when the FortiGate boots up with the fresh firmware, it will be a blank slate with any existing config files wiped and replaced by the default configuration file.
      Hopefully you have a copy of the config file someplace. Just remember to install a version of the firmware that matches the version of whatever backup config file you are going to use.
      To reinstall the configuration without having an admin password, you will need to connect to the FortiGate through a console cable. I usually use a laptop that already has a TFTP server running on it so that I don’t have to worry about network connections beyond those on the computer I’m using.
      Sorry to not have happier news but if there was an easy answer, then the system wouldn’t really be secure.

      • bigmastet

        Thanks, sir. One more: do I need the FortiGate license to get the firmware? Unfortunately, my license has expired.

        • Bruce Davis

          The firmware is available at the support site, but the site requires an active account to access. If you have a valid account on you should be able to access the site and the firmware. If there are any issues you should contact either TAC or Customer Support.

  • Gusti

    Hi! This procedure works if I use FortiExplorer’s CLI? Thanks in advance!

    • Bruce Davis

      This feature does not work if you use the FortiExplorer’s CLI widget. The reason for this is that in order for the process to work, you have to access the BIOS before the firmware is loaded into memory. The FortiExplorer’s CLI is only available after the FortiGate has completed the boot process and the firmware is fully loaded.

      • Gusti

        Thanks a lot!

      • Serge THILMANT

        Hi Bruce,
        Maybe you can help me?
        I found an old model in a box, but I don’t remember the password.
        That’s a Fortigate 60 model ….I know more than 10 years old 🙂

        I hope you can help to recover the password or do a factory reset.


  • Scott

    Please confirm: does this just do the password reset, not a factory reset? Correct?

    • Victoria Martin

      Hi Scott,

      Yes, the password is the only thing that is reset.

  • neo

    Does it work on FortiAP?

    • jcoles

      The FortiAP does not have a maintainer login account, only the admin account. If you have forgotten the login password that you set, you need to perform a hardware reset on the device to restore the factory default configuration. By default, the admin account has no password.

      • Jonathan George

        Does this procedure work with a Talkswitch 480VS unit?

        • Victoria Martin

          Hello Jonathan,

          You will have to contact Fortinet Support to reset the admin password for a Talkswitch unit.