Fortinet FortiWeb 5.0 Patch 6 Administration Guide
Changing the “admin” account password
The default administrator account, named admin, initially has no password.
Unlike other administrator accounts, the admin administrator account exists by default and
cannot be deleted. The admin administrator account is similar to a root administrator account.
This administrator account always has full permission to view and change all FortiWeb
configuration options, including viewing and changing all other administrator accounts. Its
name and permissions cannot be changed.
Before you connect the FortiWeb appliance to your overall network, you should configure the
admin account with a password to prevent others from logging in to the FortiWeb and changing
its configuration.
To change the admin administrator password via the web UI
1. Go to System > Admin > Administrators.
2. In the row corresponding to the admin administrator account, mark its check box.
3. Click Change Password.
4. In the Old Password field, do not enter anything. (In its default state, there is no password for
the admin account.)
5. In the New Password field, enter a password with sufficient complexity and number of
characters to deter brute force and other attacks.
6. In the Confirm Password field, enter the new password again to confirm its spelling.
7. Click OK.
8. Click Logout.
The FortiWeb appliance logs you out. To continue using the web UI, you must log in again.
The new password takes effect the next time that administrator account logs in.
To change the admin administrator password via the CLI
Enter the following commands:
config system admin
edit admin
set password <new-password_str> ''
end
exit
where <new-password_str> is the password for the administrator account named admin.
The FortiWeb appliance logs you out. To continue working in the CLI, you must log in again
using the new password. The new password will take effect only for newly initiated sessions
in the CLI or web UI.
Set a strong password for the admin administrator account, and change the password
regularly. Failure to maintain the password of the admin administrator account could
compromise the security of your FortiWeb appliance. As such, it can constitute a violation of
PCI DSS compliance and is against best practices. For improved security, the password should
be at least eight characters long, be sufficiently complex, and be changed regularly. To check
the strength of your password, you can use a utility such as Microsoft’s password strength
meter.