System login issues
How do I recover the password of the admin account?
If you forget the password of the admin administrator, you cannot recover it.
However, you can use the local console to reset the password. For details, see "Resetting passwords" in FortiWeb Administration Guide.
Alternatively, you can reset the FortiWeb appliance to its default state (including the default administrator account and password) by restoring the firmware. For details, see "Restoring firmware (“clean install”)" in FortiWeb Administration Guide.
Troubleshooting Login Issues
If the person cannot access the login page at all, it is usually a connectivity issue (see "Configuring the network settings" in FortiWeb Administration Guide) unless all accounts are configured to accept logins only from specific IP addresses.
If an administrator can connect but cannot log in, even though he or she provides the correct account name and password, and receives this error message:
Too many bad login attempts or reached max number of logins. Please try again in a few minutes. Login aborted.
single administrator mode may have been enabled. For details, see "Enable Single Admin User login" in FortiWeb Administration Guide.
If the person has lost or forgotten his or her password, the admin account can reset other accounts’ passwords. For details, see "Changing an administrator’s password" in FortiWeb Administration Guide.
Checking user authentication policies
In FortiWeb, users are organized into groups. Groups are part of authentication policies. If several users have authentication problems, it is possible that someone changed an authentication policy or user group memberships. If a user is legitimately having an authentication problem, you need to find out where the problem lies.
To troubleshoot user access
- In the web UI, go to User > User Group > User Group and examine each group to locate the name of the problem user.
- Note the user group to which the affected users belong, especially if multiple affected users are part of one group. If the user is not a group member, there is no access.
- Go to Application Delivery > Authentication and select the Authentication Rule tab to determine which rule contains the problem user group. If the user group is not part of a rule, there is no access.
- Go to Application Delivery > Authentication and select the Authentication Policy tab to locate the policy that contains the rule governing the problem user group. If the rule is not part of a policy, there is no access.
- Go to Policy > Web Protection Profile and select the Inline Protection Profile tab to determine which profile contains the related authentication policy. If the policy is not part of a profile, there is no access.
- Make sure that inline protection profile is included in the server policy that applies to the server the user is trying to access. If the profile is not part of the server policy, there is no access.
Authentication involves user groups, authentication rules and policy, inline protection policy, and finally, server policy. If a user is not in a user group used in the policy for a specific server, the user will have no access.
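The chain described above can be walked mechanically to find the first missing link. The following is an added example, not FortiWeb code: the dictionary layout and all object names are constructed for illustration and are not FortiWeb's configuration export format.

```python
# Constructed model of the objects the procedure walks through.
# All names are hypothetical; this is not a FortiWeb export format.
CONFIG = {
    "user_groups": {"staff": ["alice", "bob"], "contractors": ["carol"],
                    "legacy": ["erin"]},
    "auth_rules": {"rule-staff": ["staff"], "rule-contractors": ["contractors"]},
    "auth_policies": {"authpol-1": ["rule-staff"]},
    "inline_profiles": {"profile-web": "authpol-1", "profile-api": "authpol-2"},
    "server_policies": {"policy-www": "profile-web", "policy-api": "profile-api"},
}


def first_broken_link(cfg, user, server_policy):
    """Follow user -> group -> rule -> policy -> profile -> server policy.

    Returns None when the chain is complete, otherwise the name of the
    first object type where the chain stops (the "no access" point).
    """
    groups = {g for g, members in cfg["user_groups"].items() if user in members}
    if not groups:
        return "user group"
    rules = {r for r, gs in cfg["auth_rules"].items() if groups & set(gs)}
    if not rules:
        return "authentication rule"
    policies = {p for p, rs in cfg["auth_policies"].items() if rules & set(rs)}
    if not policies:
        return "authentication policy"
    profiles = {pr for pr, pol in cfg["inline_profiles"].items() if pol in policies}
    if not profiles:
        return "inline protection profile"
    # The profile must be the one attached to the server policy in question.
    if cfg["server_policies"].get(server_policy) not in profiles:
        return "server policy"
    return None


if __name__ == "__main__":
    for user, policy in [("alice", "policy-www"), ("dave", "policy-www"),
                         ("erin", "policy-www"), ("carol", "policy-www"),
                         ("alice", "policy-api")]:
        broken = first_broken_link(CONFIG, user, policy)
        print(f"{user} -> {policy}: {broken or 'chain complete'}")
```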
When an administrator account cannot log in from a specific IP
If an administrator is entering his or her correct account name and password, but cannot log in from some or all computers, examine that account’s trusted host definitions (see Trusted Host). It should include all locations where that person is allowed to log in, such as your office, but should not be too broad.
Remote authentication query failures
If your network administrators’ or other accounts reside on an external server (e.g. Active Directory or RADIUS), first switch the account to be locally defined on the FortiWeb appliance. If the local account fails, correct connectivity between the client and appliance (see System login issues). If the local account succeeds, troubleshoot connectivity between the appliance and your authentication server. If routing exists but authentication still fails, you can verify correct vendor-specific attributes and other protocol-specific fields by running a packet trace (see Packet capture).
Resetting passwords
If you forget the password, or want to change an account’s password, the admin administrator can reset the password.
If you forget the password of the admin administrator, you can either:
- Log in with another account that has prof_admin permission, using the CLI console only.
- Remove the admin password from the backup configuration file through the web UI.
To reset an account’s password
- Log in to the web UI as the admin administrator account.
- Go to System > Admin > Administrators.
- Click the row to select the account whose password you want to change.
- Click Change Password.
- In the New Password and Confirm Password fields, type the new password.
- Click OK.
The new password takes effect the next time that account logs in.
To reset the admin account’s password
Option 1:
- Connect to the CLI console with an account that has prof_admin permission.
- Run the following commands:
config system admin
edit admin
set password a
end
Option 2:
- Log in to the web UI with an account that has prof_admin permission.
- Go to Maintenance > Backup & Restore > Backup.
- Click Backup to download the backup file.
- Decompress the .zip file, and open the FortiWeb_system.conf file in a text editor. Notepad++ is recommended.
- Locate the config system admin command lines, remove the set password XXX line, and save the file.
- Go to Maintenance > Backup & Restore > Restore.
- Click Choose File to upload the updated backup file.
- Click Restore.
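The manual edit in Option 2 is easy to get wrong with a global search-and-replace, because other accounts and other tables in the backup may also contain a set password line. The following added example (not Fortinet code) removes the line only from the admin entry inside config system admin; the sample text is constructed, its layout (quoted edit names, next/end terminators) is assumed, and the table name outside config system admin is illustrative.

```python
import re

# Constructed sample; not a real FortiWeb_system.conf export.
SAMPLE = '''config system admin
  edit "admin"
    set password ENC CONSTRUCTED-HASH-1
  next
  edit "auditor"
    set password ENC CONSTRUCTED-HASH-2
  next
end
config example other-table
  edit "dir1"
    set password ENC CONSTRUCTED-HASH-3
  next
end
'''


def strip_admin_password(conf_text, account="admin"):
    """Return (new_text, removed) with `set password` dropped only from
    `edit <account>` inside the `config system admin` table."""
    out, removed = [], 0
    in_table = False    # between `config system admin` and its `end`
    in_target = False   # between `edit <account>` and `next`/`end`
    depth = 0           # nested `config` blocks inside the table
    for line in conf_text.splitlines(keepends=True):
        tok = line.strip()
        if not in_table:
            if tok == "config system admin":
                in_table, depth = True, 0
        elif tok.startswith("config "):
            depth += 1
        elif tok == "end":
            if depth == 0:
                in_table = in_target = False
            else:
                depth -= 1
        elif depth == 0 and tok.startswith("edit "):
            in_target = tok[5:].strip().strip('"') == account
        elif depth == 0 and tok == "next":
            in_target = False
        elif in_target and depth == 0 and re.match(r"set password(\s|$)", tok):
            removed += 1
            continue  # drop this line only
        out.append(line)
    return "".join(out), removed
```

A removed count other than 1 means the file does not look the way the procedure expects and should be inspected by hand before it is restored.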