
Locked Out of Admin GUI

Symptom: can't log into the FortiGate admin GUI. Wrong password, forgotten password, account locked, Trusted Hosts blocking you, MFA broken, or the admin user got deleted.

Diagnose Path

Forgot password but still know username

Use console access:

  1. Console cable to FortiGate.
  2. At the login prompt, enter <username> and then <password>. If you remember the credentials for EVEN ONE valid admin, log in with it and reset the password.
  3. If no valid creds at all → see Maintenance Mode below.

Account locked from failed attempts

Wait out the lockout window (default 60 sec) and try again, OR unlock via another admin:

diagnose user banned-ip clear

Trusted Hosts blocking you

Your IP isn't in the admin user's Trusted Hosts. Use console or another admin to fix:

config system admin
edit <username>
    set trusthost1 <your-current-ip>/32
next
end

MFA broken (lost phone, etc.)

Console in as another admin and disable MFA for the user, OR use a backup recovery code if you stored one.

config system admin
edit <username>
    set two-factor disable
next
end

Maintenance Mode (last resort — no admin creds at all)

This is the FortiGate's "factory reset" via boot menu. Wipes config but lets you back in.

  1. Console cable in.
  2. Power-cycle.
  3. Press any key when boot prompt appears.
  4. Choose Format boot device OR TFTP firmware load — both wipe to fresh state.
  5. After reboot, log in as admin with blank password (factory defaults).
  6. Restore config from backup if you have one — but only the parts you need, NOT the admin accounts.

Recover the original admin password via backup (without wiping config)

If you have a recent config backup:

  1. Boot the FortiGate to factory defaults (Maintenance Mode).
  2. Restore the config. BEFORE restoring, edit the backup file to remove the config system admin block, OR replace the admin password hash.
  3. Boot with the restored partial config + fresh admin.

This requires understanding the FortiOS config format. Easier: just factory reset and rebuild.
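
The backup edit from step 2, as an added example (not FortiOS tooling and not code from the original page): a Python function that drops the config system admin block from a plain-text backup, including nested config tables and quoted values that span several lines. The function name and the sample config are constructed for illustration; it assumes an unencrypted backup, and it goes slightly beyond the text by also removing the block when it sits inside another table.

```python
import re

# Constructed sample in the FortiOS backup layout (not from a real device).
SAMPLE = '''#config-version=CONSTRUCTED-SAMPLE
config system global
    set hostname "lab-fw"
end
config system admin
    edit "admin"
        set comments "break-glass account
end
"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC CONSTRUCTED-PLACEHOLDER
    next
end
config firewall address
    edit "mgmt"
        set subnet 192.0.2.0 255.255.255.0
    next
end
'''

def strip_config_block(text, header="config system admin"):
    """Return (kept_text, removed_text) with every `header` block dropped."""
    kept, removed = [], []
    depth = 0          # nesting level inside the block being removed
    in_string = False  # inside a quoted value that spans several lines
    for line in text.splitlines(keepends=True):
        word = line.strip()
        if not in_string:
            if depth and word.startswith("config "):
                depth += 1                  # nested table, e.g. gui-dashboard
            elif depth == 0 and word == header:
                depth = 1
        (removed if depth else kept).append(line)
        if not in_string and depth and word == "end":
            depth -= 1                      # the closing "end" is removed too
        # Simplification: an odd count of unescaped quotes toggles string state.
        if len(re.findall(r'(?<!\\)"', line)) % 2:
            in_string = not in_string
    if depth or in_string:
        raise ValueError("unbalanced config: block or quoted value never closed")
    return "".join(kept), "".join(removed)
```

Review the removed text before discarding it, since it holds the old admin accounts and their password hashes.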

Hardcoded Maintenance Account (if enabled)

Some models support a hardcoded maintainer account at console — useful for "I lost the admin password" recovery. Requires:

  • Console cable access.
  • Knowing the serial number.
  • Specific timing window after boot.

Procedure:

  1. Reboot FortiGate.
  2. At the login prompt, log in as maintainer.
  3. Password: bcpb<serial-number> (case-sensitive).
  4. You're in with full access.

Note: maintainer access can be disabled in the config; if it is disabled, this won't work. If you NEED maintenance recovery in your environment, make sure the admin-maintainer setting is enabled.