Many best practices in security and regulations (PCI-DSS, NIST 800-53) demand or recommend renaming/deleting the default administrative accounts that come with the equipment. And every Fortinet product comes with the `admin` account built-in. Some people are afraid to lose administrative access by such changes, but with the Fortinet Fortigate this is not the case - you can rename or delete this account without any bad consequences whatsoever. Here is how to do it on the CLI of the Fortigate.
Before diving into the config, you may want to know a few facts about the procedure:

- You cannot rename/delete the `admin` user while logged in with it.
- You first have to create another user privileged enough (`super_admin`) to make changes to `admin`. This way the Fortigate prevents you from locking yourself out of the management.
- Just renaming `admin` does NOT alter its password, so you can still log in with the existing one.
- You can rename the user back to `admin` if you want to, i.e. the renaming is reversible.
- If you delete `admin`, you can later create a new user named `admin` again.

Renaming the `admin` user to something else (here to `original_admin`):
First, you have to create a new user (`fortiadmin`, the name is irrelevant) with the `super_admin` access profile:

```
config sys admin
    edit fortiadmin
        set password s#cr#t
        set accprofile super_admin
        set trusthost1 10.10.19.0/24
    next
end
```
Now I can rename the `admin` user:

```
FGT-Perimeter # config sys admin
FGT-Perimeter (admin) # rename admin to original_admin
command parse error before 'admin' .     <-- HAVE TO LOG OUT OF ALL SESSIONS OF admin FIRST
Command fail. Return code -61
FGT-Perimeter (admin) # rename admin to original_admin
FGT-Perimeter (admin) # show
config system admin
    edit "original_admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2vACIdY6Mn1jTArqaRkLrK5kRjdFSMOrFUwG5wY/MdGEQQfVOPeDq7vzVEZs=
    next
    edit "fortiadmin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost 10.10.19.0/24
        set password ENC SH2/ivwkt6MPTQbJdStQmFrA6CAn73T86rjGEPka3ivoNfbVE6a6W2YlpBFjN8=
    next
end
```
To delete the `admin` user instead:

```
FGT-Perimeter (admin) # del admin
FGT-Perimeter (admin) # end
```

If you later need it back, simply create a new user named `admin`:

```
FGT-Perimeter # config sys admin
FGT-Perimeter (admin) # edit admin
new entry 'admin' added
FGT-Perimeter (admin) # set password s3cr3ButNot
FGT-Perimeter (admin) # set accprofile super_admin
FGT-Perimeter (admin) # end
```
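As an added example (not part of the original post), here is a small audit script that reads the `config system admin` block in the layout of the `show` output above from a FortiGate config backup and flags the two things this post is about: a default `admin` account still present, and a `super_admin` account without any `trusthost` restriction. The sample config embedded in it is constructed; `parse_admins` and `audit_admins` are names chosen here.

```python
# Added example (not from the post): audit the 'config system admin' block of
# a FortiGate config backup for the two points the post raises.
import re

# Constructed sample in the layout of the post's `show config system admin`.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC <redacted>
    next
    edit "fortiadmin"
        set accprofile "super_admin"
        set trusthost1 10.10.19.0/24
        set password ENC <redacted>
    next
end
"""

def parse_admins(config_text):
    """Return {name: {setting: value}} for each entry of 'config system admin'."""
    admins, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":            # end of the admin block; ignore the rest
            break
        elif m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = m.group(1)
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set\s+(\S+)\s+(.*)$', line)):
            admins[current][m.group(1)] = m.group(2).strip('"')
    return admins

def audit_admins(admins):
    """Return (account, issue) findings a config reviewer would raise."""
    findings = []
    for name, settings in admins.items():
        if name == "admin":
            findings.append((name, "default 'admin' account still present"))
        # 'trusthost' and 'trusthost1'..'trusthost10' all count as a restriction.
        if settings.get("accprofile") == "super_admin" and not any(
                k.startswith("trusthost") for k in settings):
            findings.append((name, "super_admin without trusthost restriction"))
    return findings
```

Run it against the output of `show config system admin` from your own backup; an empty findings list means the default account is gone and every `super_admin` is source-restricted.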