You CAN and probably should rename/delete the default admin user on a FortiGate. Here is how

Many security best practices and regulations (PCI-DSS, NIST 800-53) demand or recommend renaming/deleting the default administrative accounts that ship with the equipment, and every Fortinet product comes with the admin account built in. Some people are afraid of losing administrative access by making such changes, but with the Fortinet FortiGate that is not the case: you can rename or delete this account without any bad consequences whatsoever. Here is how to do it on the FortiGate CLI.

Before diving into the config, you may want to know a few facts about the procedure:

  • You cannot rename/delete the admin user while logged in with it.

  • You first have to create another user privileged enough (super_admin) to make changes to admin. This way the FortiGate prevents you from locking yourself out of the management.

  • Just renaming the admin does NOT alter its password, so you can still log in with the existing one.

  • You can rename the user back to admin if you want to, i.e. the renaming is reversible.

  • If you delete admin, you can later create a new user named admin again.

Renaming the admin user to something else (here to original_admin)

  1. First, you have to create a new user (fortiadmin, the name is irrelevant) with the super_admin access profile:

config sys admin
edit fortiadmin
set password s#cr#t
set accprofile super_admin
set trusthost1
end
  2. Now I can rename the admin user:

# config sys admin

(admin) # rename admin to original_admin
command parse error before 'admin' . <-- HAVE TO LOG OUT OF ALL SESSIONS OF admin FIRST
Command fail. Return code -61

FGT-Perimeter (admin) # rename admin to original_admin

FGT-Perimeter (admin) # show
config system admin
    edit "original_admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2vACIdY6Mn1jTArqaRkLrK5kRjdFSMOrFUwG5wY/MdGEQQfVOPeDq7vzVEZs=
    edit "fortiadmin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost
        set password ENC SH2/ivwkt6MPTQbJdStQmFrA6CAn73T86rjGEPka3ivoNfbVE6a6W2YlpBFjN8=

Delete admin altogether

FGT-Perimeter (admin) # del admin
FGT-Perimeter (admin) # end

Re-create the admin user

FGT-Perimeter # config sys admin
FGT-Perimeter (admin) # edit admin
new entry 'admin' added
FGT-Perimeter (admin) # set password s3cr3ButNot
FGT-Perimeter (admin) # set accprofile super_admin
FGT-Perimeter (admin) # end
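As an added example (not part of the original post, and not Fortinet code), here is a small Python audit script that parses `show system admin` output in the format shown above and checks the preconditions this procedure relies on: whether the default admin account still exists, whether a second super_admin is present so that renaming admin cannot lock you out, and whether each super_admin has a trusthost restriction. The sample output, usernames and trusthost values are constructed.

```python
"""Audit a FortiGate `show system admin` dump for the default admin account."""
import re

# Constructed sample, modelled on the `show` output above (not from a real device).
SAMPLE_SHOW = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER_HASH_1
    next
    edit "fortiadmin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC PLACEHOLDER_HASH_2
    next
end
"""


def parse_admins(show_output):
    """Return {username: {setting: value}} from a `config system admin` block."""
    admins = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:                      # start of a new admin entry
            current = m.group(1)
            admins[current] = {}
            continue
        m = re.match(r"set (\S+)\s*(.*)", line)
        if m and current is not None:
            admins[current][m.group(1)] = m.group(2).strip('"')
        elif line in ("next", "end"):
            current = None
    return admins


def audit_admins(admins):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    supers = [u for u, s in admins.items() if s.get("accprofile") == "super_admin"]
    if "admin" in admins:
        findings.append("default account 'admin' still exists")
        # Renaming or deleting admin requires logging in as another super_admin.
        if len(supers) < 2:
            findings.append("no second super_admin: renaming 'admin' would lock you out")
    for user in supers:
        if not any(k.startswith("trusthost") for k in admins[user]):
            findings.append(f"super_admin '{user}' has no trusthost restriction")
    return findings
```

Run it against a dump saved from the device once the second super_admin exists, and again after the rename, to confirm that 'admin' no longer appears.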