lqueiroz
New Member
July 24, 2019
Question

Password Hash Changing


Hi All,

Has someone noticed the hash for some password types in the FortiGate's configuration changing every day, without any administrator action?

For example:

-Day one

    config vpn certificate local
        edit "Fortinet_CA_SSLProxy"
            set password ENC 111111111111111111111111111111111==
            set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
        next
        edit "Fortinet_SSLProxy"
            set password ENC 111111111111111111111111111111111==
        next

-Day two

    config vpn certificate local
        edit "Fortinet_CA_SSLProxy"
            set password ENC 222222222222222222222222222222222==
            set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
        next
        edit "Fortinet_SSLProxy"
            set password ENC 222222222222222222222222222222222==
        next

It is causing problems for our backup process, where our NMS system understands the configuration as changing every day and consequently downloads and archives the "new" configuration file.

Thank you very much,

Lindolfo


emnoc
New Member
July 24, 2019

That's normal; every time you save the config in an export, the hash would be different.

lqueiroz (Author)
New Member
July 24, 2019

Hey,

Do you know if this is a specific feature of some hardware/firmware models?

I have different models in the environment and some of them are not affected by this.

Thank you!

Toshi_Esumi
SuperUser
July 24, 2019

You need to skip those lines, as discussed in the link below. Our backup/config diff tool does that.

https://github.com/ytti/oxidized/issues/931

lqueiroz (Author)
New Member
July 24, 2019

Hi, I considered skipping the "set password ENC" lines in the backup diff; however, I will not have a backup when the password truly changes. Do you have any tips?

Thank you!

Toshi_Esumi
SuperUser
July 24, 2019

This should be the same throughout all FGT models.

According to our programmer, our tool actually keeps saving all of them, including those ever-changing password lines, so that when a generation is retrieved it would include the legitimate ENC password. But when the diff is run to send out an email for changes between the previous and the latest version, it removes those lines before sending the notification email.
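The approach described in the thread (keep the full export so the ENC values are never lost, but ignore the ENC lines when deciding whether anything changed and what to report) is easy to reproduce in a small normalizer. The Python below is an added example written for this page; it is not code from the original posts, from Oxidized, or from any NMS. The sample configs are constructed to mirror the snippets in the question (same structure, made-up ENC values, plus a third day with a real change), and the `<ENC>` placeholder, the `ConfigStore` class and its policy are assumptions of this example: the latest raw export is always kept, and a new version is archived and a diff reported only when the normalized fingerprint changes.

```python
import difflib
import hashlib
import re

# Constructed sample exports modelled on the thread's snippets (not real device output).
DAY_ONE = """\
config vpn certificate local
    edit "Fortinet_CA_SSLProxy"
        set password ENC 111111111111111111111111111111111==
        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
    next
    edit "Fortinet_SSLProxy"
        set password ENC 111111111111111111111111111111111==
    next
end
"""
# Day two: only the ENC ciphertext differs (re-encrypted on export).
DAY_TWO = DAY_ONE.replace("111111111111111111111111111111111==",
                          "222222222222222222222222222222222==")
# Day three: ENC differs again AND an administrator really changed the comment.
DAY_THREE = DAY_TWO.replace("222222222222222222222222222222222==",
                            "333333333333333333333333333333333==") \
                   .replace('set comments "This is the default CA',
                            'set comments "Replaced CA')

# Matches any FortiOS "set <key> ENC <ciphertext>" line, whatever the key is
# (password, psksecret, ...), keeping the indentation and key as the prefix.
ENC_LINE = re.compile(r"^(?P<prefix>\s*set \S+ ENC )(?P<cipher>\S+)\s*$")


def normalize(config: str) -> str:
    """Replace every ENC ciphertext with a fixed placeholder for comparison only."""
    out = []
    for line in config.splitlines():
        m = ENC_LINE.match(line)
        out.append(m.group("prefix") + "<ENC>" if m else line)
    return "\n".join(out) + "\n"


def fingerprint(config: str) -> str:
    """SHA-256 of the normalized text: stable across ENC re-encryption."""
    return hashlib.sha256(normalize(config).encode()).hexdigest()


def material_diff(old: str, new: str) -> list[str]:
    """Unified diff of the normalized configs; ENC lines never appear as changes."""
    return list(difflib.unified_diff(
        normalize(old).splitlines(), normalize(new).splitlines(),
        fromfile="previous", tofile="latest", lineterm=""))


class ConfigStore:
    """Hypothetical backup policy: always retain the latest raw export (so the
    current ENC values are never lost), but only archive a new version and
    emit a diff when something other than ENC ciphertext changed."""

    def __init__(self) -> None:
        self.latest: str | None = None   # most recent raw export, always overwritten
        self.versions: list[str] = []    # archived generations, raw text with real ENC values

    def ingest(self, config: str) -> dict:
        first = self.latest is None
        changed = first or fingerprint(self.latest) != fingerprint(config)
        diff = [] if (first or not changed) else material_diff(self.latest, config)
        self.latest = config
        if changed:
            self.versions.append(config)
        return {"versioned": changed, "diff": diff}


if __name__ == "__main__":
    store = ConfigStore()
    for day, cfg in (("day 1", DAY_ONE), ("day 2", DAY_TWO), ("day 3", DAY_THREE)):
        result = store.ingest(cfg)
        print(day, "archived new version:", result["versioned"])
        for line in result["diff"]:
            print("   ", line)
```

One caveat a practitioner should keep in mind: because the ciphertext changes on every export anyway, a password that was genuinely changed looks identical in the export to one that was merely re-encrypted, so no diff of the export can detect it. Retaining the latest raw export (as this example does, and as the thread's tool does by saving every generation) is what guarantees the current ENC values are available for a restore; detecting the change itself has to come from somewhere else, such as the device's admin event logs.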