Administration Guide

System login issues

How do I recover the password of the admin account?

If you forget the password of the admin administrator, you cannot recover it.

However, you can use the local console to reset the password. For details, see "Resetting passwords" in FortiWeb Administration Guide.

Alternatively, you can reset the FortiWeb appliance to its default state (including the default administrator account and password) by restoring the firmware. For details, see "Restoring firmware (“clean install”)" in FortiWeb Administration Guide.

Troubleshooting Login Issues

If the person cannot access the login page at all, it is usually a connectivity issue (see "Configuring the network settings" in FortiWeb Administration Guide), unless all accounts are configured to accept logins only from specific IP addresses.

If an administrator can connect but cannot log in, even when providing the correct account name and password, and receives this error message:

Too many bad login attempts or reached max number of logins. Please try again in a few minutes. Login aborted.

single administrator mode may have been enabled. For details, see "Enable Single Admin User login" in FortiWeb Administration Guide.

If the person has lost or forgotten his or her password, the admin account can reset other accounts’ passwords. For details, see "Changing an administrator’s password" in FortiWeb Administration Guide.

Checking user authentication policies

In FortiWeb, users are organized into groups. Groups are part of authentication policies. If several users have authentication problems, it is possible that someone changed an authentication policy or user group memberships. If a user is legitimately having an authentication problem, you need to find out where the problem lies.

To troubleshoot user access
  1. In the web UI, go to User > User Group > User Group and examine each group to locate the name of the problem user.
  2. Note the user group to which the affected users belong, especially if multiple affected users are part of one group. If the user is not a group member, there is no access.
  3. Go to Application Delivery > Authentication and select the Authentication Rule tab to determine which rule contains the problem user group. If the user group is not part of a rule, there is no access.
  4. Go to Application Delivery > Authentication and select the Authentication Policy tab to locate the policy that contains the rule governing the problem user group. If the rule is not part of a policy, there is no access.
  5. Go to Policy > Web Protection Profile and select the Inline Protection Profile tab to determine which profile contains the related authentication policy. If the policy is not part of a profile, there is no access.
  6. Make sure that inline protection profile is included in the server policy that applies to the server the user is trying to access. If the profile is not part of the server policy, there is no access.
  7. Authentication involves user groups, authentication rules and policy, inline protection policy, and finally, server policy. If a user is not in a user group used in the policy for a specific server, the user will have no access.
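
The chain that steps 1 to 6 walk through can be expressed as a short check that reports the first missing link. This is an added example, not Fortinet code: the dictionary layout and every object name in it are constructed for illustration and do not reflect FortiWeb's configuration schema.

```python
# Constructed model of the objects named in steps 1-6. The dictionary layout and
# every name below are assumptions for illustration, not FortiWeb's schema.
SAMPLE = {
    "user_groups": {"staff": {"alice"}, "contractors": {"bob"}},
    "auth_rules": {"rule-staff": {"staff"}},
    "auth_policies": {"authpol-1": {"rule-staff"}},
    "inline_profiles": {"profile-web": {"authpol-1"}, "profile-api": set()},
    "server_policies": {"sp-web": "profile-web", "sp-api": "profile-api"},
}
STAGES = [  # (label, key) in the order the procedure checks them
    ("user group", "user_groups"),
    ("authentication rule", "auth_rules"),
    ("authentication policy", "auth_policies"),
    ("inline protection profile", "inline_profiles"),
]

def trace_access(cfg, user, server_policy):
    """Return (ok, reason); reason names the first missing link in the chain."""
    current, label = {user}, f"user {user}"
    for stage, key in STAGES:
        # Objects at this stage that contain anything found at the previous one.
        found = {name for name, members in cfg[key].items() if members & current}
        if not found:
            return False, f"{label} is not part of any {stage}"
        current, label = found, f"{stage} {', '.join(sorted(found))}"
    # Step 6: the server policy must reference one of the profiles reached.
    profile = cfg["server_policies"].get(server_policy)
    if profile not in current:
        return False, f"{label} is not used by server policy {server_policy}"
    return True, f"{label} is used by server policy {server_policy}"
```

For the constructed data, `trace_access(SAMPLE, "bob", "sp-web")` stops at step 3 because the group `contractors` is in no authentication rule.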

When an administrator account cannot log in from a specific IP

If an administrator is entering his or her correct account name and password, but cannot log in from some or all computers, examine that account’s trusted host definitions (see Trusted Host). The definitions should include all locations where that person is allowed to log in, such as your office, but should not be too broad.

Remote authentication query failures

If your network administrators’ accounts or other accounts reside on an external server (e.g. Active Directory or RADIUS), first switch the account to be locally defined on the FortiWeb appliance. If the local account fails, correct connectivity between the client and appliance (see System login issues). If the local account succeeds, troubleshoot connectivity between the appliance and your authentication server. If routing exists but authentication still fails, you can verify correct vendor-specific attributes and other protocol-specific fields by running a packet trace (see Packet capture).

Resetting passwords

If you forget the password, or want to change an account’s password, the admin administrator can reset the password.

If you forget the password of the admin administrator, you can either:

  • Log in with another account that has prof_admin permission (CLI console only).
  • Remove the admin password from the backup configuration file through the web UI.

To reset an account’s password
  1. Log in to the web UI as the admin administrator.
  2. Go to System > Admin > Administrators.
  3. Click the row to select the account whose password you want to change.
  4. Click Change Password.
  5. In the New Password and Confirm Password fields, type the new password.
  6. Click OK.

    The new password takes effect the next time that account logs in.

To reset the admin account’s password

Option 1:

  1. Connect to the CLI console with an account that has prof_admin permission.
  2. Run the following commands:

    config system admin
    edit admin
    set password a
    end

Option 2:

  1. Log in to the web UI with an account that has prof_admin permission.
  2. Go to Maintenance > Backup & Restore > Backup.
  3. Click Backup to download the backup file.
  4. Decompress the .zip file, and open the FortiWeb_system.conf file in a text editor. Notepad++ is recommended.
  5. Locate the config system admin command lines, remove the set password XXX line, and save the file.
  6. Go to Maintenance > Backup & Restore > Restore.
  7. Click Choose File to upload the updated backup file.
  8. Click Restore.
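
Before uploading the edited file in step 7, it is worth confirming that the edit removed only the intended line and knowing which administrator entries now carry no `set password` line. The following is an added example, not Fortinet code: the backup excerpt is constructed, and apart from `config system admin`, `edit`, `set password` and `end`, its keys and values are assumptions.

```python
import difflib
import re

# Constructed backup excerpt. Only "config system admin", "edit", "set password"
# and "end" come from the page; the other keys and all values are assumptions.
ORIGINAL = '''config system admin
  edit "admin"
    set access-profile "prof_admin"
    set password ENC constructed-value-1
  next
  edit "ops"
    set password ENC constructed-value-2
  next
end
'''
EDITED = ORIGINAL.replace("    set password ENC constructed-value-1\n", "")
EDIT_RE = re.compile(r'edit\s+"?([^"\s]+)"?$')

def admins_without_password(conf_text):
    """Names under `config system admin` that have no `set password` line."""
    missing, name, has_pw, in_block, depth = [], None, False, False, 0
    def flush():  # record the entry just finished if it had no password line
        if name is not None and not has_pw:
            missing.append(name)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):   # nested table inside an entry
            depth += 1
        elif depth:                        # skip nested content until its "end"
            depth -= 1 if line == "end" else 0
        elif line in ("next", "end") or EDIT_RE.match(line):
            flush()
            m = EDIT_RE.match(line)
            name, has_pw = (m.group(1) if m else None), False
            if line == "end":
                break
        elif line.startswith("set password"):
            has_pw = True
    return missing

def edit_delta(original, edited):
    """Lines the manual edit removed from and added to the backup."""
    diff = list(difflib.ndiff(original.splitlines(), edited.splitlines()))
    return ([d[2:].strip() for d in diff if d.startswith("- ")],
            [d[2:].strip() for d in diff if d.startswith("+ ")])
```

Any entry in `edit_delta` other than the one removed `set password` line, or any name from `admins_without_password` other than the account being reset, means the file should be re-edited from a fresh backup rather than restored.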
