HUAWEI USG6000E, USG6000, USG9500, and NGFW Module V500, V600 Troubleshooting Guide
Restoring the Administrator Password
This section describes how to restore the administrator password.
Password Recovery for the Console Port
If the Console port password is forgotten, you can log in to the device through Telnet or SSH by using a level-3 or higher administrator account to change the Console port password.
Telnet login has security risks. You are advised to log in to the device through SSH.
- Log in to the device through SSH by using account admin1 and then confirm the permission assigned to the administrator account. Run the display users command to view all login accounts. The account with the "+" mark is the current administrator account, and the number of the account is VTY 0.
    <sysname> display users
      User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
      0   CON 0    47:47:45                                          no
      Username : Unspecified
    + 34  VTY 0    16:32:31  SSH    172.16.30.93      pass           no
      Username : admin1
- Run the display user-interface command to view the permission of the administrator account. The command output shows that VTY 0 corresponds to level 15 and has the permission to change the Console port password.
    <sysname> display user-interface
      Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
      0    CON 0    9600    -      15     15           P     -
    + 34   VTY 0            -      15     15           A     -
    ......
- Change the Console port password based on the authentication mode of the Console port.
- The Console port uses the password authentication mode. Change the Console port password to Admin@1234.
    <sysname> system-view
    [sysname] user-interface console 0
    [sysname-ui-console0] set authentication password
    Please configure the login password (8-16)
    Enter Password:
    Confirm Password:
- The Console port uses the AAA authentication mode. Change the password of account admin to Admin@1234.
    <sysname> system-view
    [sysname] aaa
    [sysname-aaa] manager-user admin
    [sysname-aaa-manager-user-admin] password
    Enter Password:
    Confirm Password:
- You can then use the changed password or account/password to log in to the device through the Console port.
Password Recovery for the Telnet
This section describes how to recover the password for the Telnet.
With the Telnet protocol, you can remotely maintain and manage the device. If the password for the Telnet is forgotten, you can log in to the device only in other modes and re-configure the password.
The current system supports two authentication modes for Telnet login.
- AAA: log in with the user name and password.
- Password: log in with only the password.
VTY is the logical interface created for login through Telnet. VTY0 to VTY4 (or VTY0 to VTY14) are distributed to the administrators according to their login sequence. All the VTY interfaces are configured in the same way because the device cannot specify a VTY interface for an administrator.
After you access the configuration interface, you can view the authentication modes of VTY with the display current-configuration configuration user-interface command. You can change the password based on the original authentication mode, or reconfigure the authentication mode.
AAA Authentication Mode
    <sysname> system-view
    [sysname] user-interface vty 0 4
    [sysname-ui-vty0-4] authentication-mode aaa
    [sysname-ui-vty0-4] quit
    [sysname] aaa
    [sysname-aaa] manager-user admin1
    [sysname-aaa-manager-user-admin1] password
    Enter Password:
    Confirm Password:
    [sysname-aaa-manager-user-admin1] service-type telnet
    [sysname-aaa-manager-user-admin1] level 15
After the configuration, you can log in to the device with user name admin1 and the password.
Password Authentication Mode
    <sysname> system-view
    [sysname] user-interface vty 0 4
    [sysname-ui-vty0-4] authentication-mode password
    [sysname-ui-vty0-4] set authentication password
    Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa" authentication mode.
    Please configure the login password (6-16)
    Enter Password:
    Confirm Password:
After the configuration is complete, you can log in to the device with the password.
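As an added example (not part of the Huawei guide), this Python script audits a saved configuration for the two weak settings this section mentions: VTY or Console interfaces left in password authentication mode, and administrator accounts whose service type allows Telnet. It assumes the configuration file lists the commands shown above as indented blocks; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample, not taken from a real device. It assumes the saved
# configuration lists the commands shown in this section as indented blocks.
SAMPLE_CONFIG = """\
aaa
 manager-user admin1
  service-type telnet
  level 15
 manager-user audit1
  service-type ssh
  level 3
user-interface console 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode password
"""

# A block header is "user-interface <range>" or "manager-user <name>".
BLOCK = re.compile(r"(user-interface)\s+(.+)|(manager-user)\s+(\S+)")


def parse(config_text):
    """Collect the sub-commands of every user-interface and manager-user block."""
    tables = {"user-interface": {}, "manager-user": {}}
    current, depth = None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        m = BLOCK.fullmatch(line)
        if m:
            kind, name = m.group(1) or m.group(3), m.group(2) or m.group(4)
            current, depth = tables[kind].setdefault(name, {}), indent
        elif current is not None and indent > depth:
            key, _, value = line.partition(" ")
            current[key] = value
        else:
            current = None  # left the block (dedent or unrelated command)
    return tables["user-interface"], tables["manager-user"]


def audit(config_text):
    """Return one finding per password-only interface and per Telnet-enabled account."""
    interfaces, users = parse(config_text)
    findings = []
    for name, cfg in interfaces.items():
        if cfg.get("authentication-mode") == "password":
            findings.append(f"user-interface {name}: password-only login; use authentication-mode aaa")
    for name, cfg in users.items():
        if "telnet" in cfg.get("service-type", "").split():
            findings.append(f"manager-user {name}: Telnet allowed at level {cfg.get('level', '?')}; prefer SSH")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against the text saved from display current-configuration after a recovery to confirm that no interface was left in password mode.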
Login User Name or Password Recovery for the Administrator (USG6000E/USG6000 and NGFW Module)
When the password of the console port is also forgotten and there is no other high-level administrator account on the device, you need to enter the BootLoader to recover the password.
- Connect the device through the console port and restart the device. When the message "Press Ctrl+B to break auto startup...3" is displayed during the device startup, press Ctrl+B within 3 seconds and enter the BootLoader password to access the BootLoader main menu.
- For USG6000E V600R007C00, the default password is available for the BootLoader. To improve security, press 6 to change the password in the main menu. For details about how to change the password, see Changing the BootLoader Password (USG6000E). Keep the new password safe. Use the new password to enter the BootLoader main menu.
- For USG6000E V600R007C20, the BootLoader password is empty by default. When you log in to the system for the first time, the system prompts you to set the password. The password must be a string of at least eight characters, including at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (such as ! @ # $ %). Keep the password secure. The following displays the BootLoader main menu after the password is set.
- For USG6000, the default password is available for the BootLoader. To improve security, you are advised to press 5 to change the password in the main menu. For details about how to change the password, see Changing the BootROM Password (USG6000 and NGFW Module). Keep the new password safe. Use the new password to enter the BootROM main menu.
- The default username and password are available in HUAWEI Security Products Default Usernames and Passwords. If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
- BootROM is called BootLoader in the USG6305/6305-W/6310S/6310S-W/6310S-WL-OVS/6510/6510-WL. Key operations are the same.
For USG6000E, the following information is displayed:
    Press Ctrl+B to break auto startup... 3
    Enter Password:************
            Main Menu
        1. Default startup
        2. Serial submenu
        3. Ethernet submenu
        4. Startup parameters submenu
        5. File system submenu
        6. Password manager submenu
        7. Reset factory configuration
        8. Reset factory password
        0. Reboot
    Enter your choice(0-8):8            //Press 8 to enter the administrator password submenu.
For USG6000, the following information is displayed:
    Press Ctrl+B to Enter main menu...3
    Password: ********
    ====================< Extend Main Menu >====================
    | <1> Boot System                                          |
    | <2> Set Startup Application Software and Configuration   |
    | <3> File Management Menu...                              |
    | <4> Load and Upgrade Menu...                             |
    | <5> Modify Bootrom Password                              |
    | <6> Reset Factory Configuration                          |
    | <7> Reset Factory Password                               |
    | <0> Reboot                                               |
    | ---------------------------------------------------------|
    | Press Ctrl+T to Enter Manufacture Test Menu...           |
    | Press Ctrl+Z to Enter Diagnose Menu...                   |
    ============================================================
    Enter your choice(0-7): 7            //Press 7 to enter the administrator password submenu.
- Select to change the password and restart the system. For USG6000E, the following information is displayed:
    NOTE: This operation will reset current password.
          Choose 'yes' to continue, or 'no' to stop and return.
    <1> Yes
    <0> No
    Enter your choice(0-1): 1
    Password:************               //Enter the BootLoader Password
    Restoring factory password ...Done.
            Main Menu
        1. Default startup
        2. Serial submenu
        3. Ethernet submenu
        4. Startup parameters submenu
        5. File system submenu
        6. Password manager submenu
        7. Reset factory configuration
        8. Reset factory password
        0. Reboot
    Enter your choice(0-8):1            //Press 1 to trigger system restart.
For USG6000, the following information is displayed:
    NOTE: This operation will reset current passwrod.
          Choose 'yes' to continue, or 'no' to stop and return.
    <1> Yes
    <0> No
    Enter your choice(0-1): 1
    ====================< Extend Main Menu >====================
    | <1> Boot System                                          |
    | <2> Set Startup Application Software and Configuration   |
    | <3> File Management Menu...                              |
    | <4> Load and Upgrade Menu...                             |
    | <5> Modify Bootrom Password                              |
    | <6> Reset Factory Configuration                          |
    | <7> Reset Factory Password                               |
    | <0> Reboot                                               |
    | ---------------------------------------------------------|
    | Press Ctrl+T to Enter Manufacture Test Menu...           |
    | Press Ctrl+Z to Enter Diagnose Menu...                   |
    ============================================================
    Enter your choice(0-7): 1            //Press 1 to trigger system restart.
If the following information and the user view are displayed, the device starts successfully.
    Recover configuration begin ...
    Recover configuration end
    Press ENTER to get started.
    Warning: There is a risk on the user-interface which you login through. Please change the configuration of the user-interface as soon as possible.
    *************************************************************************
    *         Copyright (C) 2014-2020 Huawei Technologies Co., Ltd.         *
    *                          All rights reserved.                         *
    *               Without the owner's prior written consent,              *
    *        no decompiling or reverse-engineering shall be allowed.        *
    *************************************************************************
    Info: Please change the configuration of the password as soon as possible.
    <sysname>
Do not run the quit command in the user view. Otherwise, you need to restart the device again before re-setting the administrator password.
- Re-set the administrator password. Assume that the administrator is admin and the new password is Admin@12345.
    <sysname> system-view
    [sysname] aaa
    [sysname-aaa] manager-user admin
    [sysname-aaa-manager-user-admin] password cipher Admin@12345
    Info: You are advised to config on man-machine mode.
    [sysname-aaa-manager-user-admin] quit
    [sysname-aaa] quit
    [sysname] quit
    <sysname> quit
After the password is changed, run the quit command to exit the device to ensure device security. After logging out, you can use the new password to log in to the device again.
Login User Name or Password Recovery for the Administrator (USG9500)
The process for handling a login failure due to administrator account/password loss is as follows:
- Prepare a configuration file that can be properly used on the USG9500, such as configuration file newvrpcfg.zip, and obtain the administrator account/password specified in the configuration file.
- In the BootROM menu, upload configuration file newvrpcfg.zip to the device and configure it as the configuration file for the next startup.
- After the device starts normally, use the administrator account/password specified in configuration file newvrpcfg.zip to log in to the device.
- Copy the original configuration file (the administrator password in which is lost, such as configuration file vrpcfg.zip) to the operation terminal and open it to change the administrator password.
- Upload the modified configuration file, such as configuration file modifyvrpcfg.zip to the device and configure it as the configuration file for the next startup.
- After the device restarts, use the new password to log in to the device.
After the administrator password change function is enabled by the manager-user password-modify enable command, the device reads administrator passwords from the CF card after restart, not from the configuration profile. Administrators cannot retrieve their login passwords from the configuration profile. Therefore, to retrieve an administrator password, you must disable the administrator password change function using the undo manager-user password-modify enable command.
The detailed procedure is as follows:
- Restart the device.
When the following information is displayed on the PC or operation terminal connected to the device, press Ctrl+B within three seconds and enter the password to enter the BootROM main menu.
The default username and password are available in HUAWEI Security Products Default Usernames and Passwords. If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
    ****************************************************
    *                                                  *
    *            8090 boot ROM, Ver 166.01             *
    *                                                  *
    ****************************************************
    Copyright 2001-2018 Huawei Tech. Co., Ltd.
    Creation date: Aug 2 2016, 16:34:23
    CPU type : MPC8548E
    Press Ctrl+B to enter Main Menu... 1
    Password: **********
- The BootROM main menu is displayed as follows:
    Main Menu(bootload ver: 166.01)
    1. Boot with default mode
    2. Boot from CFcard
    3. Enter ethernet submenu
    4. Set boot file and path
    5. Modify boot ROM password
    6. Chkdsk CFcard
    7. Format CFcard
    8. List file in CFcard
    9. Delete file from CFcard
    10. Set patch mode
    11. Set version back signal
    12. Reboot
    Enter your choice(1-12):
- Enter 3 to access the Ethernet submenu.
    Enter your choice(1-12): 3
    Ethernet Submenu
    1. Download file to SDRAM through ethernet interface and boot
    2. Download file to CFcard through ethernet interface
    3. Modify ethernet interface boot parameters
    4. Return to main menu
- Enter 3 to set required Ethernet interface parameters. The other parameters use their default values.
- Boot device has a fixed value. The value is mottsec3 for the USG9520 MPUD and motetsec0 for the USG9520 E8KE-X3-MPU, USG9560 E8KE-X8-SRUA-200, and USG9580 EKEX16-FWCD00MPUB00.
Using the default Boot device value is recommended. Otherwise, FTP download fails.
- file name corresponds to the file to be downloaded. Loading **.zip file is used as an example. Modification method: Enter the new file name behind the displayed file name. Use the same method to modify the following items:
- inet on ethernet (e) is used to configure an IP address for the FW. You can set the IP address of the FW to be on the same network segment as the PC that provides FTP services. If the IP address of the FW is on a different network segment from the PC that provides FTP services, ensure that the FW and FTP servers have reachable routes to each other.
- gateway inet (g) indicates the gateway IP address. When the FW and PC are on different network segments, specify this parameter.
- host inet (h) must be the actual IP address of the PC that provides FTP services.
- user (u) indicates an FTP user name.
- ftp password (pw) (blank = use rsh) indicates an FTP user password.
- flags (f) is a fixed value. 0x0 indicates that FTP is used for download. 0x80 indicates that TFTP is used for download.
    Enter your choice(1-4): 3
    Note: two protocols for download, tftp & ftp.
    You can modify the flags following the menu.
    tftp--0x80, ftp--0x0.
    '.' = clear field; '-' = go to previous field; ^D = quit
    boot device          : mottsec3
    processor number     : 0
    host name            : host
    file name            : newvrpcfg.zip
    inet on ethernet (e) : 10.10.12.1
    inet on backplane (b):
    host inet (h)        : 10.10.12.12
    gateway inet (g)     :
    user (u)             : mpua
    ftp password (pw) (blank = use rsh): ****
    flags (f)            : 0x0
    target name (tn)     :
    startup script (s)   :
    other (o)            :
- On the operation terminal, enable the FTP server software, specify the path of the configuration file, and set the user name to mpua and password to mpua. The user name and password are those configured when Ethernet parameters are set.
- In the Ethernet submenu, enter 2 to download the configuration file to the CF card.
- In the Ethernet submenu, enter 4 to return to the BootROM main menu.
- Enter 4 to specify the configuration file to be used for the next startup.
    Boot Files Submenu
    1. Modify the boot file
    2. Modify the paf file
    3. Modify the license file
    4. Modify the config file
    5. Modify the patch file
    6. Modify the patch states file
    7. Return to main menu
    Enter your choice(1-7): 4
- Enter 4 and change the configuration file used during startup to newvrpcfg.zip.
    Config file is cfcard:/vrpcfg.zip, modify the file name if needed.
    Please input correctly, e.g.: cfcard:/vrpcfg.zip
    cfcard:/newvrpcfg.zip
    The file name you input is cfcard:/newvrpcfg.zip. Are you sure?
    Yes or No(Y/N)y
    Setting ...Done!
    Clear version back signal...Done!
vrpcfg.zip in the first line is the configuration file used during system startup.
- Enter 7 to return to the main menu and enter 2 to restart the device.
- After the device restarts, use the administrator account/password specified in configuration file newvrpcfg.zip to log in to the device.
- Copy the original configuration file vrpcfg.zip to the operation terminal and open the configuration file to change the administrator password. For example, change the password of account admin to Admin@1234.
- Upload the modified configuration file modifyvrpcfg.zip to the device and configure it as the configuration file for the next startup in the user view.
    <sysname> startup saved-configuration cfcard:/modifyvrpcfg.zip
    Info: Succeeded in setting the configuration for booting system.
- After the device restarts, you can use the new user name and password (admin and Admin@1234) for login, and the configuration has been restored to the latest configuration that you have saved. If the following information is displayed when the device restarts, press N:
    Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file cfcard:/modifyvrpcfg.zip.
    Continue? [Y/N]:N