How to Factory Reset Your FortiGate Firewall: A Complete Guide for Network Professionals
Factory resetting a FortiGate firewall is a procedure network administrators may need for several reasons: preparing a device for redeployment, clearing a persistently broken configuration, or recovering from lost administrative credentials. This guide brings together Fortinet documentation, community experience, and operational practice into a reliable procedure for restoring a FortiGate to its out-of-box state. Whether you are handling a physical appliance such as a FortiGate 40F or a FortiGate-VM instance, using the correct reset method matters for both security and continuity of service.
The right method depends on your current level of access, the FortiGate model, and the circumstances. A mis-applied reset can cause extended downtime, loss of security policy, or a device you can no longer reach. This article covers the proven methods, from CLI commands to the physical reset button and the maintainer account, together with the preparation and recovery steps that keep the return to factory defaults controlled and short.
Understanding Factory Reset Methods
Factory resetting is not a one-size-fits-all operation. The appropriate method depends on your current access to the device and its model. The goal is to erase all user-configured settings, including firewall policies, interface configuration, routing, and administrative accounts, while preserving the installed FortiOS firmware image and, on physical units, the FortiCare/FortiGuard entitlement tied to the serial number. Note that "configuration" also includes local certificates with their private keys, VPN pre-shared keys, and the admin password hashes; after a reset these come back only from a backup.
The table below outlines the primary reset methods and when to use each:
| Method | Best For | Key Requirements | Outcome |
|---|---|---|---|
| CLI `execute factoryreset` | Standard procedure with admin access | CLI access via SSH, console, or the GUI CLI widget | Full configuration wipe; device reboots |
| Physical reset button | Low-end models (e.g., 40F, 60E) with lost credentials | Paperclip; physical access to the appliance | Full reset; `admin` account restored with no password |
| Maintainer account | Higher-end models (or any model) with lost credentials | Console access and the unit's serial number; Fortinet Support guidance if needed | One-time console login to reset the admin password or run a factory reset |
| Partial reset (`execute factoryreset2`) | Resetting policies while keeping core network settings | FortiOS 6.4+; CLI access | Preserves interface settings, static routes, and VDOMs |
Pre-Reset Checklist: What You Must Do First
Before executing any reset command, thorough preparation is non-negotiable.
- Back up your configuration: Always take a backup and store it off the appliance. From the GUI use System > Maintenance > Backup & Restore > Backup (optionally encrypted with a password); from the CLI send it to a server, for example `execute backup config tftp <filename> <tftp-server>`. `execute backup config flash <comment>` only saves a revision on the unit itself, so do not rely on it to survive the reset. The backup contains admin password hashes, VPN pre-shared keys, and local certificates with their private keys; protect it as you would a credential store, and record the encryption password if you set one, because an encrypted backup cannot be restored without it.
- Document licensing: For FortiGate-VM, the license is bound to the VM instance; reset with the `keepvmlicense` flag (see the advanced options below) or keep the license file ready to re-upload. For physical appliances, FortiCare and FortiGuard subscriptions (AV, IPS, web filtering) are tied to the serial number and re-sync once the unit talks to FortiGuard again, but confirm the entitlement in the Fortinet support portal before repurposing the device.
- Plan for downtime: The device reboots during the reset and passes no traffic until it is reconfigured or a backup is restored. Schedule a maintenance window and communicate the expected outage to all stakeholders.
- Verify Access Method: Determine if you have functional GUI or SSH credentials. If not, identify your appliance model to see if it has a physical reset button or if you'll need to use the maintainer account recovery process.
Step-by-Step Reset Procedures
1. Resetting via CLI (The Standard Method)
This is the most common and straightforward method if you have administrative access.
- Connect: Access the CLI via SSH, the physical console port (FortiGate defaults: 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control), or the built-in CLI console widget in the web GUI (Dashboard > Status > + Widget).
- Execute the command: Type `execute factoryreset` and press Enter.
- Confirm: You will see the warning prompt `This operation will reset the system to factory default! Do you want to continue? (y/n)`. Type `y`.
- The device wipes its configuration and reboots immediately. It comes back at factory defaults with the `admin` account and no password; recent FortiOS releases prompt you to set one at first login.
2. Using the Physical Reset Button (For Lost Credentials)
Many low-end and mid-range models (such as the FortiGate 30E, 40F, 60E, and 100F) have a small pinhole reset button on the chassis. The typical procedure is below; the exact hold time, LED pattern, and whether the button is pressed before or after boot vary by model, so check the QuickStart Guide for your unit.
- Power off the FortiGate unit.
- Insert a paperclip into the reset pinhole and press and hold the button inside.
- While holding the button, power the unit back on.
- Continue holding the button for approximately 10–30 seconds, until you observe the system status LEDs flash in an amber or red pattern.
- Release the button. The unit finishes booting with a factory-default configuration and the `admin` account with no password. Set a password immediately: until you do, anyone who can reach the management interface can log in.
3. Advanced and Partial Reset Options
- Reset and shut down: `execute factoryreset-shutdown` wipes the configuration and powers the unit off instead of rebooting, which suits shelving, shipping, or imaging a clean device. Note that a configuration reset does not necessarily erase logs, quarantined files, or reports held on a model's storage disk; when decommissioning such a unit, also format the disk (see `execute disk list` and `execute disk format` in the CLI reference for your release).
- Partial reset (`execute factoryreset2`): Available in FortiOS 6.4 and later, this command resets security policies, objects, and most other settings while preserving the interface configuration, static routes, and VDOM structure, so the device usually stays reachable afterwards. It is valuable for troubleshooting policy problems without losing remote access.
- Virtual appliances: For FortiGate-VM, append `keepvmlicense` to the reset command (for example `execute factoryreset keepvmlicense`) so the VM license is kept through the reset.
Post-Reset Configuration and Recovery
Once the reset is complete, the real work begins: rebuilding or restoring your secure environment.
- Regain access: Connect to the default management address `192.168.1.99/24` (typically on `port1`, `internal`, or `MGMT`, depending on the model). Log in to the web GUI as `admin` with a blank password, and set a password before doing anything else (recent FortiOS releases require this at first login).
- Restore your configuration: Navigate to System > Maintenance > Backup & Restore > Restore and upload the backup you took before the reset, supplying the encryption password if the backup was encrypted. The restore also brings back the admin accounts and passwords stored in the backup, so have those at hand. Important: the firmware version of the backup should match the version on the freshly reset device; compare the `#config-version=` header on the first line of the backup file with the `Version:` line of `get system status`, and bring the device to the matching release first if it differs.
- Verify System State:
- Check System > FortiGuard to confirm your subscriptions (IPS, AV, Web Filter) are active and updated.
- Re-join the device to FortiManager or FortiAnalyzer if you use centralized management.
- Manually reconfigure any network interfaces or routes if you used a partial reset or chose not to restore a full backup.
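The version check in the restore step can be scripted. The following is an added example, not Fortinet's code: it parses the `#config-version=` header FortiOS writes as the first line of every config backup and the `Version:` line from saved `get system status` output, and refuses the restore when the firmware version or build number differ. The header and status-line formats are those FortiOS produces; the sample backup and status files are constructed here with placeholder hostname and serial number, not captured from a device.

```shell
#!/usr/bin/env bash
# Added example, not Fortinet's code: a pre-restore compatibility check for a
# FortiOS configuration backup. FortiOS writes a "#config-version=" header as
# the first line of every backup; "get system status" on the device prints a
# "Version:" line. Both carry the firmware version and build number, so the
# two can be compared before uploading a backup to a freshly reset unit.
# The sample files below are constructed for this example, not captured.

# Print "<model> <version> <build>" parsed from the first line of a backup, e.g.
#   #config-version=FGT60E-7.0.12-FW-build0523-230425:opmode=0:vdom=0:user=admin
# gives "FGT60E 7.0.12 build0523". Returns 1 if the file lacks the header.
backup_version() {
    local header core model rest version build
    header=$(head -n 1 "$1")
    case $header in
        '#config-version='*) ;;
        *) echo "error: $1 has no #config-version header (not a FortiOS backup?)" >&2; return 1 ;;
    esac
    core=${header#"#config-version="}   # FGT60E-7.0.12-FW-build0523-230425:opmode=...
    core=${core%%:*}                    # FGT60E-7.0.12-FW-build0523-230425
    model=${core%%-*}                   # FGT60E
    rest=${core#*-}                     # 7.0.12-FW-build0523-230425
    version=${rest%%-*}                 # 7.0.12
    build=${rest#*-FW-}                 # build0523-230425
    build=${build%%-*}                  # build0523
    printf '%s %s %s\n' "$model" "$version" "$build"
}

# Print "<model> <version> <build>" parsed from saved "get system status" output, e.g.
#   Version: FortiGate-60E v7.0.12,build0523,230425 (GA.M)
# gives "FortiGate-60E 7.0.12 build0523". Returns 1 if there is no Version: line.
running_version() {
    local line fields model rest version build
    line=$(grep -m 1 '^Version:' "$1") || { echo "error: no Version: line in $1" >&2; return 1; }
    fields=${line#Version: }            # FortiGate-60E v7.0.12,build0523,230425 (GA.M)
    model=${fields%% *}                 # FortiGate-60E
    rest=${fields#* }                   # v7.0.12,build0523,230425 (GA.M)
    version=${rest%%,*}                 # v7.0.12
    version=${version#v}                # 7.0.12
    rest=${rest#*,}                     # build0523,230425 (GA.M)
    build=${rest%%,*}                   # build0523
    printf '%s %s %s\n' "$model" "$version" "$build"
}

# Return 0 when the backup and the running firmware agree on version and build,
# 1 otherwise. The model is not compared because the two sources spell it
# differently (FGT60E vs FortiGate-60E).
check_restore_compat() {
    local b r bver bbuild rver rbuild
    b=$(backup_version "$1") || return 1
    r=$(running_version "$2") || return 1
    set -- $b; bver=$2; bbuild=$3
    set -- $r; rver=$2; rbuild=$3
    if [ "$bver" = "$rver" ] && [ "$bbuild" = "$rbuild" ]; then
        echo "OK: backup ($bver $bbuild) matches the running firmware"
        return 0
    fi
    echo "MISMATCH: backup is $bver $bbuild but the device runs $rver $rbuild; change firmware first" >&2
    return 1
}

# Constructed sample inputs for a stand-alone run (hostname and serial are placeholders).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fgt60e-backup.conf" <<'EOF'
#config-version=FGT60E-7.0.12-FW-build0523-230425:opmode=0:vdom=0:user=admin
#buildno=0523
#global_vdom=1
config system global
    set hostname "edge-fw-01"
end
EOF
cat > "$SAMPLE_DIR/status-matching.txt" <<'EOF'
Version: FortiGate-60E v7.0.12,build0523,230425 (GA.M)
Serial-Number: FGT60EXXXXXXXXXX
Operation Mode: NAT
EOF
cat > "$SAMPLE_DIR/status-older.txt" <<'EOF'
Version: FortiGate-60E v7.0.5,build0304,220608 (GA.M)
EOF

# Stand-alone demonstration: the first call passes, the second reports a mismatch.
check_restore_compat "$SAMPLE_DIR/fgt60e-backup.conf" "$SAMPLE_DIR/status-matching.txt" || true
check_restore_compat "$SAMPLE_DIR/fgt60e-backup.conf" "$SAMPLE_DIR/status-older.txt" || true
```

In practice you would save `get system status` from the reset unit to a file (copy it from the console or SSH session) and run `check_restore_compat <backup> <status-file>` as the gate in your restore runbook. Only the version and build are compared because the backup header abbreviates the model (`FGT60E`) while `get system status` spells it out (`FortiGate-60E`); if you also want to block restoring a backup onto a different model, extend the check with a mapping between the two spellings for the models you operate.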
Frequently Asked Questions (FAQ)
How can I reset a FortiGate if I've lost all admin credentials?
You have two main options:
- Physical Reset Button: If your model has one (common on smaller appliances), this is the quickest method. Follow the paperclip procedure outlined above.
- Maintainer account: For higher-end models without a reset button (it also works on models that have one), Fortinet provides a built-in recovery login that is reachable only from the console port and only during a short window right after boot (roughly the first minute on current releases; some older releases allow much less). Connect to the console, reboot the unit, and log in with:
  - Username: `maintainer`
  - Password: `bcpb` immediately followed by the unit's full serial number exactly as printed on the chassis label (case-sensitive; serial numbers begin with `FG`, so the password looks like `bcpbFG...`).
  This session lets you reset the admin password (for example `config system admin`, `edit admin`, `set password <new-password>`, `end`) or run `execute factoryreset`. Because anyone with console access and the serial number can do this, physical security of the appliance is part of its security model. The login can be disabled with `set admin-maintainer disable` under `config system global` on releases that expose that option, but then the only recovery path for lost credentials is reinstalling the firmware from the boot loader.
Will a factory reset remove my FortiGuard licenses and support entitlements?
Generally, no. For physical appliances, FortiCare and FortiGuard entitlements are tied to the unit's serial number rather than to its configuration, so they survive a factory reset and re-sync once the device registers with Fortinet's servers again. For virtual machines, use the `keepvmlicense` flag with the reset command; otherwise keep the license file ready to re-upload. In either case, verify the entitlement in the Fortinet support portal beforehand.
What is the difference between execute factoryreset and execute factoryreset2?
The standard execute factoryreset erases every user configuration, returning the device to an out-of-box state. The execute factoryreset2 command (FortiOS 6.4+) is a partial reset. It removes all security policies, firewall objects, and most settings but deliberately preserves core network infrastructure settings like IP addresses on interfaces, static routes, and VDOM configurations. This is extremely useful for troubleshooting policy-related issues without losing network connectivity to the device.
I don't have a console cable. Can I still perform a reset?
Yes, but your options are limited. If you have GUI access, use the built-in CLI console widget to run `execute factoryreset`. If you have SSH access with known credentials, that works too. If you have no credentials at all and your model lacks a physical reset button, you will need a console cable (typically USB-to-RJ45 for the serial console port) to reach the maintainer account or the boot loader. There is no purely web-based reset for a lost-credentials scenario, by design.
Professional Recommendation: Always treat a factory reset as a last resort. Exhaust other troubleshooting options first, and never skip creating a verified configuration backup. For high-availability pairs or critical production firewalls, develop and test a detailed reset and recovery runbook in a lab environment before needing it in an emergency.