The Problem
You’re locked out of a FortiGate 60F running FortiOS 7.6. Nobody remembers the admin password. SSH is useless, the web GUI bounces you, and you need access now. This post walks through the only reliable recovery path: the physical console cable method using the built-in maintainer account.
Environment for this guide:
- Device: FortiGate 60F
- FortiOS: 7.6
- Tool: PuTTY (or any serial terminal)
- Access required: Physical access to the unit
Warning: This procedure requires physical access to the device. If you cannot get hands on the hardware, this method won’t work remotely.
Prerequisites
Before you start, have these ready:
- RJ-45 to DB9 console cable (or USB console cable — the 60F uses a USB-C console port; verify in your environment)
- Laptop with PuTTY or equivalent terminal emulator
- Physical access to the FortiGate 60F
- Power cycling ability (pull the power cord or use the physical switch)
Step 1 — Connect Your Console Cable
Locate the console port on the FortiGate 60F. On the 60F, this is a USB-C port labeled CONSOLE on the rear panel.
- Connect the cable from the console port to your laptop.
- Open Device Manager (Windows) or check dmesg (Linux) to identify which COM port was assigned.
- Open PuTTY and configure the serial connection:
Connection type: Serial
Serial line: COM3 (replace with your actual COM port)
Speed: 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None
- Click Open. You should see a blank terminal or the current login prompt. Hit Enter to confirm the connection is live.
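For the Linux side of this step, the following added example (not part of the original post) picks the console adapter's device node out of dmesg text and prints stty arguments matching the 9600 8N1 settings listed above. The function names and the sample kernel log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find the console adapter's
# device node from dmesg text, then apply the post's 9600 8N1 settings.

# Constructed sample kernel log lines; real output comes from `dmesg`.
SAMPLE_DMESG='[  812.101] usb 1-3: FTDI USB Serial Device converter now attached to ttyUSB0
[  840.552] ftdi_sio ttyUSB0: FTDI USB Serial Device converter now disconnected from ttyUSB0
[  901.330] usb 1-2: cp210x converter now attached to ttyUSB1'

# Reads dmesg-style text on stdin. Prints /dev/<tty> for the most recently
# attached USB serial device that has not been unplugged since; exits 1
# when none is left (the "wrong COM port / cable not seated" case).
console_tty_from_dmesg() {
    awk '
        /now attached to ttyUSB[0-9]+/       { live[$NF] = NR }
        /now disconnected from ttyUSB[0-9]+/ { delete live[$NF] }
        # cdc_acm devices log "ttyACMn: USB ACM device" and no per-tty
        # disconnect line, so they are only ever added here.
        /ttyACM[0-9]+: USB ACM device/ {
            if (match($0, /ttyACM[0-9]+/)) live[substr($0, RSTART, RLENGTH)] = NR
        }
        END {
            best = ""; seen = 0
            for (d in live) if (live[d] > seen) { best = d; seen = live[d] }
            if (best == "") exit 1
            print "/dev/" best
        }'
}

# stty arguments matching the PuTTY values above: 9600 baud, 8 data bits,
# 1 stop bit, no parity, no hardware or software flow control.
console_stty_args() {
    echo "9600 cs8 -cstopb -parenb -crtscts -ixon -ixoff"
}

# Demo on the constructed sample. On a real laptop, replace the printf with
# `dmesg` and then run: stty -F "$dev" $(console_stty_args)
dev=$(printf '%s\n' "$SAMPLE_DMESG" | console_tty_from_dmesg) &&
    echo "console device: $dev  settings: $(console_stty_args)"
```

Once the device node is known, any serial terminal can be pointed at it with the same speed and framing.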
Step 2 — Power Cycle the FortiGate
With your terminal window open and focused:
- Power off the FortiGate 60F (unplug the power cord or press the power button).
- Power it back on.
- Watch the terminal — you will see boot messages start to scroll.
You have a narrow window (approximately 14 seconds from the point the bootloader starts outputting text) to interrupt the boot process. Do not walk away.
Step 3 — Interrupt the Boot and Log In as Maintainer
As soon as you see boot output in the terminal, press any key to interrupt. You are looking for a prompt that looks like this:
Press any key to continue
Depending on the firmware build, the device may instead proceed directly to the login prompt without a visible interrupt option. If you miss the interrupt window, you will land at the standard login prompt — this is fine. Proceed to the next step.
At the login prompt, enter the maintainer credentials:
FortiGate-60F login: maintainer
Password: bcpb<SERIAL_NUMBER>
Replace <SERIAL_NUMBER> with the actual serial number of your unit printed on the label on the bottom of the device. The serial number is case-sensitive — enter it in uppercase exactly as printed.
Example:
Password: bcpbFGT60F0000000000
Critical timing note: The maintainer account is only available for a short window after boot — roughly 60 seconds on FortiOS 7.6. If you wait too long at the login prompt, the maintainer account will be disabled and you will need to reboot again.
If successful, you will land at the FortiGate CLI prompt:
FortiGate-60F #
Step 4 — Reset the Admin Password
Once you are in the CLI as maintainer, reset the admin account password:
config system admin
edit admin
set password <YourNewPassword>
next
end
Replace <YourNewPassword> with a strong password that meets your security policy. There is no confirmation prompt — the command executes immediately.
Verify the change:
show system admin
You should see the admin user entry. The password hash will be visible but not the plaintext — that is expected.
Step 5 — Verify Access
Before closing the console session, open a browser or SSH client and confirm you can log in with the new credentials:
- Navigate to https://<FortiGate_IP> in a browser.
- Log in as admin with the new password.
- If successful, close the console session.
Troubleshooting
Error 1 — Login incorrect when using maintainer account
Cause: Serial number entered incorrectly, wrong case, or the timing window has expired.
Fix: Double-check the serial number on the physical label — it is printed on the bottom of the unit. Confirm you are entering it in uppercase immediately after the bcpb prefix with no spaces. If the window expired, power cycle the unit and try again within 60 seconds of the login prompt appearing.
Error 2 — No output in PuTTY terminal
Cause: Wrong COM port, wrong baud rate, or the cable is not seated properly.
Fix: Verify the COM port assignment in Device Manager. Confirm the baud rate is exactly 9600. Try reseating the console cable. If using a USB adapter, try a different USB port on your laptop and reinstall the adapter driver if needed.
Error 3 — Boot interruption window missed every time
Cause: The boot process moves fast and the terminal may not be focused when the window opens.
Fix: Before power cycling, click inside the PuTTY window to make sure it has focus. Hold down any key (spacebar works) as you apply power so the interrupt registers the moment the bootloader polls for input. Some builds of FortiOS 7.6 may not display an explicit interrupt prompt — proceed directly to the login prompt and use the maintainer credentials there.
Error 4 — maintainer account not available (login prompt only accepts admin)
Cause: On some FortiOS 7.6 builds, Fortinet has restricted the maintainer account window or the feature may behave differently depending on whether a management VDOM is configured.
Fix: Verify in your environment whether the maintainer account is enabled. Check Fortinet’s release notes for your specific FortiOS 7.6 build. If the maintainer account is completely unavailable, the only remaining option is a full factory reset via the bootloader menu, which will erase the configuration.
Error 5 — Password change command rejected with permission error
Cause: Attempting to modify an admin account that is tied to a remote authentication server (LDAP/RADIUS) or has accprofile restrictions.
Fix: Review the admin account configuration with show system admin. If the account uses remote authentication, you may need to either create a new local admin account or modify the authentication method. Run config system admin, edit admin, and verify the password-policy and accprofile settings are not blocking the change.
Conclusion
The FortiGate admin password reset process on FortiOS 7.6 comes down to three things: physical access, a working console connection at 9600 baud, and hitting the maintainer login within the boot window. The most common failure point is the serial number — uppercase, no spaces, entered fast. Once you are in, the password change is a single CLI block.
If recovery is your first step toward redoing the segmentation on this box — guest, IoT, and corporate sharing the same routing table is a common reason boxes get rebuilt — the next post worth reading is How to Configure FortiGate VDOM (FortiOS 7.4), which covers enabling multi-VDOM mode and the inter-VDOM link work. If the box was being used as a VPN concentrator and the SSL VPN portal is what got you locked out in the first place, the broader exit plan is in the FortiGate SSL VPN Migration Checklist (FortiOS 7.6). The full curated path through the FortiGate work on this site lives in the FortiGate Field Guide.
