Thursday, 30 July 2015

SOP for Resetting Fortigate admin password





Resetting the Fortigate admin account’s password


       







The default administrator account, named admin, initially has no password. Set one as soon as the unit is first configured.

Unlike other administrator accounts, the admin account exists by default and cannot be deleted. It always has full permission to view and change every FortiGate configuration option, including viewing and changing all other administrator accounts. Its name and its permissions cannot be changed.



The "maintainer" account is enabled by default.

The special hidden "maintainer" login exists for password recovery. When enabled, it can log in from the serial console after a hard reboot (power off, power on) using the password "bcpb" followed by the FortiGate unit's serial number, e.g. bcpbFG900A83901645649. The login is only accepted for a short window (about 15 to 30 seconds) after boot, and only on the physical console, not over SSH or the web GUI. In other words, anyone with physical access to the console port and the serial number (printed on the chassis label and shown in the boot messages) can take full control of the unit, so keep it in a locked rack. Disabling the account hardens the device, but then a lost admin password can only be recovered by reinstalling the firmware from the boot menu, which wipes the configuration, so disable it only once configuration backups and credential handling are in place.


Changing the admin password only affects the admin account in the running configuration; the rest of the configuration stays exactly as it was before the reboot. FortiOS saves the configuration automatically after every change (automatic save is the default), so the new password persists across the optional reboot.


How to reset lost admin password in Fortigate


Requirements:

The following equipment was used to test this scenario.

·         FortiGate Firewall
·         Console cable
·         Putty.exe


NOTE: This process requires a hard reboot (power off and on) of the FortiGate, so plan for the outage.


You have a limited time (15 to 30 seconds) after the boot process completes to log in as user "maintainer". If you take too long, you have to hard reboot the device again.

While the unit is booting, the serial number is shown in the PuTTY console output; copy it into Notepad. Prepare the username (maintainer) and the password (bcpb followed by the serial number, e.g. bcpbFG900A83901645649) in Notepad beforehand to save time.
Instead of typing at the prompt, paste each value quickly from Notepad. This keeps the login from timing out.








Admin password changing procedure, steps 1 to 7



1.         Connect your laptop to the FortiGate's serial console port with the console cable and open a serial session in PuTTY (9600 baud, 8 data bits, no parity, 1 stop bit). Do this before the power cycle so the boot messages, including the serial number, are visible.
2.         Power off the FortiGate, wait at least 10 seconds, then power it on. (Cycling the power too quickly can trip the power supply or corrupt the system.)
3.         Wait for the firewall hostname and the login prompt to appear.
4.         Username: maintainer
            Have the username and password ready in Notepad to save time.
5.         Password: bcpb followed by the serial number (e.g. bcpbFG900A83901645649)
            Paste it from the Notepad you prepared rather than typing it, so the login does not time out.
6.         Press Enter to log in. You now have a CLI session on the firewall.
7.         Finally, change the admin password with the commands below, then optionally execute reboot.



On a unit where virtual domains (VDOMs) are not enabled:

config system admin
edit admin
set password <psswrd>
end


On a unit where VDOMs are enabled (the admin account lives in the global configuration, so enter it first and close it with a second end):

config global
config system admin
edit admin
set password <psswrd>
end
end


By default, FortiOS saves the configuration automatically after every change, so no separate save step is needed.
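The hard part of the procedure above is the timing: the serial number has to be read off the boot output and the maintainer login pasted within the 15 to 30 second window. The script below, an added example that is not part of the original post, watches the console line by line, captures the serial number, builds the bcpb password as the post describes, and answers the login prompt automatically. The serial-number regex and the boot transcript are assumptions constructed for the example, not real FortiGate output, and the FakeConsole class stands in for a pyserial port so the example runs offline.

```python
import re
import time

MAINT_USER = "maintainer"
MAINT_PREFIX = "bcpb"   # from the post: the recovery password is "bcpb" + serial number

# Assumption (not from the post): a FortiGate serial is an upper-case token starting
# with F, like the post's example FG900A83901645649. Tighten for your models.
SERIAL_RE = re.compile(r"\bF[A-Z]{1,3}[A-Z0-9]{10,}\b")


def maintainer_password(serial):
    """Build the recovery password exactly as the post describes."""
    return MAINT_PREFIX + serial.strip()


def find_serial(line):
    """Return the first serial-looking token in a boot-log line, or None."""
    m = SERIAL_RE.search(line)
    return m.group(0) if m else None


def maintainer_login(console, window_s=15.0, clock=time.monotonic):
    """Watch the console during boot, capture the serial number, and answer the
    login prompt as 'maintainer' inside the post-boot window.

    `console` only needs readline() -> bytes and write(bytes). A pyserial port opened
    with a read timeout, e.g. serial.Serial("/dev/ttyUSB0", 9600, timeout=1)
    (FortiGate console: 9600 8N1), satisfies that; the timeout makes readline()
    return b"" periodically so the window check below keeps running.
    """
    serial_no = None
    start = clock()
    while clock() - start < window_s:
        raw = console.readline()
        if not raw:                      # read timeout with no data yet
            continue
        line = raw.decode("utf-8", "replace")
        if serial_no is None:
            serial_no = find_serial(line)
        if line.rstrip().endswith("login:"):
            if serial_no is None:
                return {"ok": False, "reason": "login prompt before serial number"}
            console.write((MAINT_USER + "\r\n").encode())
            console.write((maintainer_password(serial_no) + "\r\n").encode())
            return {"ok": True, "serial": serial_no}
    return {"ok": False, "reason": "window expired"}


class FakeConsole:
    """Constructed stand-in for the serial port so the example runs offline.
    Each readline() advances a fake clock by one second."""

    def __init__(self, transcript, seconds_per_line=1.0):
        self.lines = list(transcript)
        self.sent = []
        self.now = 0.0
        self.step = seconds_per_line

    def clock(self):
        return self.now

    def readline(self):
        self.now += self.step
        return self.lines.pop(0) if self.lines else b""

    def write(self, data):
        self.sent.append(data)


# Constructed boot transcript (invented, not real FortiGate output); the serial
# number is the one used as an example in the post.
BOOT_TRANSCRIPT = [
    b"FortiGate-900A boot loader\r\n",
    b"Serial number: FG900A83901645649\r\n",
    b"System is starting...\r\n",
    b"\r\n",
    b"FortiGate-900A login: ",
]


def demo():
    """Run the login against the fake console; returns (result, bytes sent)."""
    fake = FakeConsole(BOOT_TRANSCRIPT)
    result = maintainer_login(fake, window_s=15.0, clock=fake.clock)
    return result, fake.sent


if __name__ == "__main__":
    print(demo())
```

Against the constructed transcript the script sends `maintainer` and `bcpbFG900A83901645649` on the fifth line, well inside the window; if the prompt shows up before a serial number was seen, or the window elapses, it reports why instead of sending a guess. Once the login succeeds, the password change is the same `config system admin` sequence shown above.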




The admin-maintainer setting in config system global enables or disables the special hidden "maintainer" login used for password recovery. It is enabled by default. Disable it only once you have a backed-up configuration and a tested recovery plan, because with it disabled a lost admin password can no longer be recovered from the console.

config system global
set admin-maintainer {enable | disable}
end



To clear the current admin password (not needed for this scenario; for information only):
This removes the admin password entirely, leaving the account with no password, and you must know the current password to run it. Do not leave the admin account without a password on a unit that is reachable over the network; set a new one immediately.

config system admin
edit admin
unset password <old password>
end



Thank You.


Cheers! :)
Yan Linn Aung







Monday, 13 July 2015

DHCP Reservation, DHCP Exclusion and Static IP

Detect and avoid IP address conflicts

On the DHCP server, set conflict detection attempts to a value greater than 0. The server then pings an address before offering it and skips any address that answers, which is how it avoids handing out an IP that a statically configured host is already using.

Fix duplicate IP address conflicts on a DHCP network


DHCP Reservation, DHCP Exclusion and Static IP

DHCP Reservation

The client sends a normal DHCP request and the DHCP server assigns the reserved IP address.
The client's MAC address must be mapped to the IP address in the DHCP server's reservation list.




DHCP Exclusion

The client uses a static IP address (servers, AD, DNS, ...) and the DHCP server never assigns that address to a requesting DHCP client.
A single IP address or a range of addresses is added to the DHCP server's exclusion list.



Many applications require a static IP. If the server is configured to use DHCP, the application has no way of knowing that a reservation exists and may refuse to install. Some applications also tie their licence to an IP address, so that address must be static as well.

Laptops, phones and any "mobile" devices should get reservations, not static addresses.
This requires no set-up on the device, and the server keeps that address for that device.

For network devices such as IP cameras and printers, reservations are definitely the way to go, because you can add a comment to the reservation saying what the device is and where it is located. Depending on the device, this may be your only means of documenting that information within the system.

HOW TO: DHCP Reservation
In this scenario the IP address is already in use by a DHCP client and is then converted to a reservation.
A reservation requires the client's MAC address so it can be mapped to the IP address.
Step 1:   Unique ID = the client's MAC address

Step 2:   Check the address after it has been reserved

Step 3:   Add a description for management purposes

HOW TO: DHCP Exclusion
An excluded IP address or IP range is never automatically assigned to a DHCP client.
When a client is manually configured with a static IP, the DHCP server does not show that address under Address Leases.
Step 1:   Exclude the IP address (for a single address, enter it as the Start IP only)

Step 2:   The excluded address is visible under Address Pool

Step 3:   The excluded address does not appear under Address Leases

Step 4:   Ping the excluded IP address to test connectivity
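To make the three mechanisms on this page concrete (a reservation is a MAC-to-IP mapping the server honours, an exclusion is an address the server never hands out, and conflict detection is a ping before each offer), here is a small Python model of a DHCP scope's allocation decision. It is an added example written for this page, not the Windows DHCP server's code, and it goes slightly beyond the page by also recording addresses that answered a probe as bad, the way a real server marks them. The scope, addresses and MACs are constructed for the example.

```python
import ipaddress


class DhcpScope:
    """Toy model of a DHCP scope: a pool, an exclusion list, MAC-keyed
    reservations, and ping-style conflict detection before an offer."""

    def __init__(self, start, end, probe=None, conflict_detection_attempts=0):
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        self.pool = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
        self.excluded = set()
        self.reservations = {}      # normalised MAC -> (IPv4Address, description)
        self.leases = {}            # IPv4Address -> normalised MAC
        self.bad_addresses = set()  # addresses that answered a conflict probe
        # probe(ip) -> True if something already answers on that address
        # (a real server pings; here it is injected so the example runs offline)
        self.probe = probe or (lambda ip: False)
        self.conflict_detection_attempts = conflict_detection_attempts

    @staticmethod
    def norm_mac(mac):
        return mac.lower().replace("-", ":")

    def exclude(self, start, end=None):
        """Exclude one address (end=None) or an inclusive range."""
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end) if end else first
        for n in range(int(first), int(last) + 1):
            self.excluded.add(ipaddress.IPv4Address(n))

    def reserve(self, mac, ip, description=""):
        """Map a client MAC to a fixed address; the description documents the device."""
        self.reservations[self.norm_mac(mac)] = (ipaddress.IPv4Address(ip), description)

    def _in_use(self, ip):
        """Conflict detection: probe up to N times; any answer means the address is taken."""
        if self.conflict_detection_attempts == 0:
            return False
        return any(self.probe(ip) for _ in range(self.conflict_detection_attempts))

    def offer(self, mac):
        """Return the address offered to this client, or None if the pool is exhausted."""
        mac = self.norm_mac(mac)
        if mac in self.reservations:            # reservation wins over the pool walk
            ip, _ = self.reservations[mac]
            self.leases[ip] = mac
            return ip
        for ip, owner in self.leases.items():   # renewal keeps the existing lease
            if owner == mac:
                return ip
        reserved_ips = {ip for ip, _ in self.reservations.values()}
        for ip in self.pool:
            if ip in self.excluded or ip in reserved_ips or ip in self.leases \
                    or ip in self.bad_addresses:
                continue
            if self._in_use(ip):
                self.bad_addresses.add(ip)      # a static host answered; never offer it
                continue
            self.leases[ip] = mac
            return ip
        return None


def demo():
    """Constructed scenario (not from the post): scope 192.168.1.10-.20, servers
    statically on .10-.12 and excluded, a printer reserved at .15, and an
    undocumented static host squatting on .13 that answers pings."""
    answering = {ipaddress.IPv4Address("192.168.1.13")}
    scope = DhcpScope("192.168.1.10", "192.168.1.20",
                      probe=lambda ip: ip in answering,
                      conflict_detection_attempts=2)
    scope.exclude("192.168.1.10", "192.168.1.12")
    scope.reserve("00-11-22-33-44-55", "192.168.1.15", "Printer, 2nd floor")
    laptop = scope.offer("aa:bb:cc:dd:ee:01")    # .13 answers the probe, so it gets .14
    printer = scope.offer("00:11:22:33:44:55")   # reservation: .15 regardless of order
    phone = scope.offer("aa:bb:cc:dd:ee:02")     # next free address: .16
    return {"laptop": str(laptop), "printer": str(printer), "phone": str(phone),
            "bad": sorted(str(ip) for ip in scope.bad_addresses)}


if __name__ == "__main__":
    print(demo())
```

With conflict detection set to 0 the same scenario would hand .13 to the laptop and create exactly the duplicate-address problem the page describes; with it greater than 0 the squatter's address is skipped and recorded as bad, which is the cue to either exclude it properly or track down the host.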