1. Pre-Reset Considerations

Before you reset, keep these in mind:

  • Backup Your Configuration
execute backup config flash <filename>

This ensures you can restore policies, objects, and VPNs later.

  • Export Licenses
    • VM instances: license is tied to the VM host; nothing extra needed.
    • Hardware: licenses (AV, IPS, FortiGuard) are generally preserved in flash, but consult Fortinet support if you’re repurposing high-end appliances.
  • Plan for Downtime
    The device will reboot—and block traffic—during reset. Schedule maintenance windows accordingly.
  • Know Your Access Method
    • GUI/SSH Available? You can use the CLI or GUI-to-CLI console.
    • No Credentials? You’ll need the maintainer account or the physical reset button (if present).
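
One way to confirm, before wiping, that an exported backup actually holds the policies, objects, and VPNs you expect to restore (an added example, not from the original article or from Fortinet). It assumes the backup is a plain-text file copied off the device and that its first line uses the #config-version=<model>-<version>-FW-build<n> layout; check_backup, REQUIRED and the sample text are constructed for illustration.

```python
import hashlib
import re

# Constructed sample of a plain-text backup; every value is made up.
SAMPLE = '''\
#config-version=FGT60E-6.4.5-FW-build1828-210217:opmode=0:vdom=0:user=admin
config firewall address
    edit "lan"
    next
end
config firewall policy
    edit 1
    next
end
'''

# Top-level sections behind "policies, objects, and VPNs"; adjust per device.
REQUIRED = {"policies": "firewall policy", "objects": "firewall address",
            "VPNs": "vpn ipsec phase1-interface"}
# Assumed header layout: #config-version=<model>-<version>-FW-build<n>-...
HEADER = re.compile(r"#config-version=([A-Z0-9]+)-([\d.]+)-FW-build(\d+)")

def check_backup(data: bytes, expected_model: str) -> dict:
    lines = data.decode("utf-8", errors="replace").splitlines()
    m = HEADER.match(lines[0]) if lines else None
    problems = []
    if not m:
        problems.append("no #config-version header: empty or not a plain-text backup")
    elif m.group(1) != expected_model:
        problems.append(f"backup is from {m.group(1)}, expected {expected_model}")
    # Top-level blocks start in column 0; nested ones are indented.
    top = {l[len("config "):].strip() for l in lines if l.startswith("config ")}
    for label, section in REQUIRED.items():
        if section not in top:
            problems.append(f"no '{section}' section: {label} would not be restored")
    # Heuristic truncation check: every config block needs a closing end.
    opens = sum(l.strip().startswith("config ") for l in lines)
    closes = sum(l.strip() == "end" for l in lines)
    if opens != closes:
        problems.append(f"unbalanced blocks: {opens} config vs {closes} end")
    return {"model": m.group(1) if m else None,
            "version": m.group(2) if m else None,
            "sha256": hashlib.sha256(data).hexdigest(), "problems": problems}
```

Record the returned sha256 alongside the backup so the copy you restore later can be compared with the one you checked.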

2. CLI-Based Factory Reset

For most FortiGates (including KVM/VM, physical appliances with CLI access), the easiest method is via the CLI console.

  • Connect to the CLI
    • Via SSH or the console port (115200 bps, 8N1).
    • Log in as admin (no password if untouched) or use your credentials.
  • Run the Factory Reset Command
execute factoryreset
  • You’ll see a prompt:
This operation will reset the system to factory default!
Do you want to continue? (y/n)
  • Type y and press Enter. The device immediately wipes its configuration and reboots.
  • Variant: Reset & Shutdown
    To reset to factory defaults and power off (useful for cloning or imaging):
execute factoryreset-shutdown
    Same confirmation follows. After reset, the unit halts.
  • Variant: Partial Reset (Keep Core Settings)
    On FortiOS 6.4+ you can preserve system/global settings, interfaces, VDOMs, and static routes:
execute factoryreset2
    This resets all other configuration while keeping the above.

3. Reset via Web GUI (CLI Console Widget)

If you can still reach the web admin, use the built-in CLI console:

  1. Log In to the web GUI: https://<firewall-ip>.
  2. Go to Dashboard → Status, click + Widget, and add CLI Console.
  3. In the console pane, type:
execute factoryreset
  4. Confirm and wait for reboot.

Note: The web-based console is simply a terminal to the same CLI commands above.

4. Physical-Button Reset (Low-End Models)

Many FortiGate 30E/40F/60E/100F devices include a small RESET pinhole on the back. Use this when you have no admin credentials or no console access:

  1. Power Off the unit.
  2. Insert a paperclip into the RESET pinhole and press and hold.
  3. Power On the unit while still holding the button.
  4. Hold for 10–30 seconds, until you see the status LEDs flash amber or red.
  5. Release—the firewall will boot with factory defaults (admin user, no password).

Tip: On models without a labeled button (200E and above), verify via the datasheet whether a reset switch exists—some high-end appliances omit it.

5. Recovering from Lost Credentials: The Maintainer Account

If you’re locked out of admin but the device is running, Fortinet Tech Support can guide you to the maintainer account. This hidden account gives you one-time access to recover the device:

  1. Immediately after reboot, connect via console.
  2. Log in as:
login: maintainer
password: bcpbFG<serial-number>
    • The prefix bcpbFG is fixed.
    • <serial-number> is the full unit serial (no hyphens).
  3. Once in, you can reset the admin password or execute factoryreset.

6. Virtual Appliances & KVM

FortiGate VMs (on VMware, Hyper-V, KVM) behave similarly in CLI, but you may wish to preserve your VM license:

  • To keep the license:
execute factoryreset keepvmlicense
  • To reset & shutdown, keeping license:
execute factoryreset-shutdown keepvmlicense
  • Partial reset with license retention:
execute factoryreset2 keepvmlicense

On KVM, you can also re-import your VM image and apply a fresh ISO, but the CLI commands above are faster for pure configuration resets.

7. Post-Reset Steps

  1. Reconnect to the Default IP
    • Default management IP: 192.168.1.99/24 on the MGMT or port1 interface.
    • Admin user: admin with no password (blank).
  2. Reapply Your Backup
    • Or via GUI: System → Maintenance → Backup & Restore → Restore.
  3. Re-enroll in FortiManager / EMS if you use centralized management.
  4. Verify Licenses & Subscriptions
    Check System → FortiGuard for subscription status.
  5. Reconfigure Network Interfaces & Routes if you didn’t restore a full backup (especially after factoryreset2).
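
A reset leaves admin with a blank password, and section 5 describes a maintainer login derived from the serial number, so audit the configuration before the unit carries traffic again. The sketch below is an added example, not part of the original article or any Fortinet tooling; it assumes a plain-text configuration export and the `set admin-maintainer disable` option under config system global, which applies only on FortiOS releases that have that setting. parse_section, audit and the sample are constructed.

```python
# Constructed sample: admin-related part of a configuration soon after a reset.
SAMPLE = '''\
config system global
    set hostname "FGT-LAB"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set accprofile "super_admin"
        set password ENC CONSTRUCTED-PLACEHOLDER
    next
end
'''

def parse_section(text, name):
    """Return {entry: {key: value}} for a top-level 'config <name>' block ('' = no edit)."""
    entries, entry, inside, depth = {}, "", False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            inside = raw.rstrip() == "config " + name  # top-level blocks start in column 0
        elif line.startswith("config "):
            depth += 1                                 # nested table: skipped
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            entry = line[5:].strip('"')
            entries[entry] = {}
        elif depth == 0 and line == "next":
            entry = ""
        elif depth == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries.setdefault(entry, {})[key] = value
    return entries

def audit(text):
    findings = []
    glob = parse_section(text, "system global").get("", {})
    # Default values are not written to a backup, so absence means not disabled.
    if glob.get("admin-maintainer") != "disable":
        findings.append("maintainer login not disabled")
    for name, cfg in parse_section(text, "system admin").items():
        if "password" not in cfg:
            findings.append(f"admin '{name}' has no password set")
    return findings
```

An empty result from audit means both checks passed; any finding should be fixed before the management interface is reachable from a production network.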

8. Best Practices & Troubleshooting

  • Always Back Up First
    You cannot recover a wiped configuration without a backup.
  • Log Before You Wipe
    Export useful logs for forensic or troubleshooting reference.
  • Use Partial Reset When Possible
    factoryreset2 is ideal for wiping policies & objects but preserving network reachability.
  • Verify Hardware Differences
    Low-end vs. high-end appliances differ: check for a physical reset switch before trying the button method.
  • Plan Your Maintenance
    Resetting a production firewall can cause significant downtime; coordinate with stakeholders.
  • Document the Recovery Process
    Keep a runbook with serial-number formulas (bcpbFG…) and post-reset steps for next time.

Last modified: May 22, 2025
