Technical Tip: Why FortiGate config files should not be encrypted when requested by TAC
| Description | This article describes why a FortiGate configuration backup should not be taken with the encrypt option when the file is going to be sent to TAC or compared with an earlier backup. |
| Scope | FortiGate. |
| Solution | FortiGate allows the encryption of the configuration file using a password when a backup is taken.
Encryption is performed using the AES-GCM algorithm.
This adds an extra layer of security: the backup cannot be read in a plain text editor such as Notepad++.
From a security point of view this is useful, because the backup can only be restored on the same device model and with the same password. If either requirement is not met, the backup cannot be restored.
If the file is going to be compared with an older configuration backup, or sent to TAC, it must not be encrypted. Fortinet TAC mostly uses virtual machines to test customer configurations, so the file has to be edited (for example, so that the header matches the VM) before it can be restored, and an encrypted backup can be neither edited nor restored on a different model.
The plaintext backup still contains sensitive material, such as administrator credentials and pre-shared keys in their stored form, so it should be protected in transit. The preferred option for sending a backup to TAC is to place the unencrypted configuration file in a password-protected archive and share the archive password separately from the archive itself.
Not all sections of the configuration are needed to reproduce an issue, so TAC will remove the unnecessary sections from the file before it is used.
Note: The Fortinet LAB also has physical devices, but only a limited number compared to the virtual machines, which can be created almost without limit. |
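The checks behind the advice above, as an added Python example that is not part of the original article and is not Fortinet or FortiOS code. It verifies that a backup is plaintext, compares two backups section by section (the comparison that an encrypted file makes impossible), and trims a backup to the sections relevant to a case, the same pruning TAC does before restoring a customer file on a VM. It assumes that a plaintext FortiGate backup starts with a `#config-version=<model>-<version>-FW-build<build>...` header and is made of top-level `config ... end` blocks, and that an encrypted backup fails at least one of the two plaintext tests; the two configurations embedded below are constructed samples, not real backups.

```python
"""Plaintext check, section diff and section trimming for FortiGate config backups."""
import difflib
import re

# Assumed header layout: #config-version=FGT60F-7.0.12-FW-build0523-230426:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>[\d.]+)-FW-build(?P<build>\d+)")


def is_plaintext_backup(data: bytes) -> bool:
    """True when the backup decodes as text and carries the #config-version header.
    Assumption: an encrypted backup does not satisfy both conditions."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text.startswith("#config-version=")


def backup_model(text: str) -> str:
    """Model named in the header; a backup restores only onto this model (or an edited header)."""
    match = HEADER_RE.match(text.splitlines()[0])
    if not match:
        raise ValueError("missing or unrecognised #config-version header")
    return match.group("model")


def split_sections(text: str) -> dict:
    """Split a plaintext backup into top-level 'config ... end' blocks keyed by section name.
    Nested 'config ... end' blocks are counted by depth; 'edit ... next' does not change depth."""
    sections, current, depth = {}, None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):          # header / comment lines are not part of any section
            continue
        if depth == 0 and stripped.startswith("config "):
            current = stripped[len("config "):]
            sections[current] = []
        if current is not None:
            sections[current].append(line)
        if stripped.startswith("config "):
            depth += 1
        elif stripped == "end":
            depth -= 1
            if depth == 0:
                current = None
    return sections


def diff_backups(old: str, new: str) -> dict:
    """Map each top-level section that differs to a unified diff of that section only."""
    old_s, new_s = split_sections(old), split_sections(new)
    changed = {}
    for name in sorted(set(old_s) | set(new_s)):
        a, b = old_s.get(name, []), new_s.get(name, [])
        if a != b:
            changed[name] = "\n".join(
                difflib.unified_diff(a, b, f"old/{name}", f"new/{name}", lineterm=""))
    return changed


def keep_sections(text: str, names) -> str:
    """Rebuild a backup that keeps the leading header lines plus only the named sections."""
    header = []
    for line in text.splitlines():
        if not line.startswith("#"):
            break
        header.append(line)
    sections = split_sections(text)
    body = [line for name in names for line in sections[name]]
    return "\n".join(header + body) + "\n"


# Constructed sample backups (not taken from a real device).
OLD = """#config-version=FGT60F-7.0.12-FW-build0523-230426:opmode=0:vdom=0:user=admin
#conf_file_ver=1234567890
#buildno=0523
#global_vdom=1
config system global
    set admintimeout 5
    set hostname "FGT60F-branch"
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "port1"
        set action accept
    next
end
"""
NEW = OLD.replace("set admintimeout 5", "set admintimeout 10") \
         .replace("set allowaccess ping https ssh", "set allowaccess ping https ssh http")

if __name__ == "__main__":
    for name, text in diff_backups(OLD, NEW).items():
        print(text, "\n")
    print(keep_sections(NEW, ["system global"]))
```

Run it with two saved backups in place of the constructed samples to see which sections changed before opening a case; an encrypted backup fails `is_plaintext_backup` and none of the remaining steps can be applied to it.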


