ncorreia
Staff
Article Id 337900
Description This article describes how to enable private-data-encryption in FortiOS from FortiManager with a TCL script.
Scope FortiOS, FortiManager.
Solution

Currently, FortiManager does not natively support enabling the private-data-encryption setting on FortiOS. It must be done on the managed FortiGate, which can become daunting if the number of managed devices is high.

To activate the feature on multiple devices from FortiManager, a TCL script can be used.

Pre-requisite: Ensure TCL scripting is enabled on the FortiManager:

config system admin setting
    set show_tcl_script enable
end


Afterwards, perform the following actions:

  1. From Device Manager -> Scripts, select 'Create New'.
  2. Enter a script name.
  3. Select 'TCL Script' as the script type.
  4. Select 'Remote FortiGate Directly (via CLI)' under 'Run script on'.
  5. Enter the following script:


#!

# Text that identifies the FortiGate prompt asking for the key
# (the prompt ends with "(32 hexadecimal numbers):")
set substring "hexadecimal numbers):"
# !Replace the below value with your key (32 hexadecimal characters)!
set key "0123456789abcdef0123456789abcdef"

# Send one command line and wait up to 15 seconds for the "# " prompt
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 15]
}

do_cmd "config sys global"
do_cmd "set private-data-encryption enable"
# "end" makes the FortiGate ask for the key; keep the output for the check below
set output [exec "end \n" "# " 15]

if {[string match *$substring* $output]} {
    puts "Substring '$substring' found in output."

    # The key has to be inserted twice (the FortiGate asks to re-enter it)
    puts [exec "$key\n" "# " 15]
    puts [exec "$key\n" "# " 15]
}


Select 'Run Script' and execute it on the required device(s).

The script log should show output similar to the following:


-------Executing time: Fri Aug 30 18:12:32 2024-----------
Starting log (Run on device)
config sys global

FGT (global) #
set private-data-encryption enable

FGT (global) #
Substring 'hexadecimal numbers):' found in output.
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
Your private data encryption key is accepted.

On the FortiGate, private-data-encryption should now be enabled:


sh
config system global
...
set private-data-encryption enable
...
end

In FortiManager, AutoUpdate should have created a new revision under Configuration Revision History.
Performing a Revision Diff will show the encrypted local credentials that changed in the configuration.
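The script above prints the raw device output of every exec call, so the key itself ends up in the script log (the FortiGate echoes typed input, as the log shows). The following is an added example, not the article's script and not Fortinet's code: the same change with the key validated before anything is sent, the key kept out of the script log, and the device's final answer checked. The placeholder key and the proc names are assumptions.

```tcl
#!
# Added example (not the article's script). Replace the placeholder key.
set key "00000000000000000000000000000000"

# Send one line to the device and wait up to 15 s for the "# " prompt.
proc do_cmd {cmd} {
    return [exec "$cmd\n" "# " 15]
}

proc enable_pde {key} {
    # Refuse a malformed key before any command reaches the FortiGate.
    if {![regexp {^[0-9a-fA-F]{32}$} $key]} {
        puts "ERROR: key must be exactly 32 hexadecimal characters; nothing changed."
        return 1
    }
    puts [do_cmd "config sys global"]
    puts [do_cmd "set private-data-encryption enable"]
    # "end" triggers the key prompt, which does not end in "# ", so the
    # call returns whatever the device printed once the timeout elapses.
    set output [do_cmd "end"]
    if {![string match "*hexadecimal numbers):*" $output]} {
        puts "No key prompt seen; device output was:"
        puts $output
        return 1
    }
    # The device echoes typed input, so the raw output of these two calls
    # is deliberately not printed: the key stays out of the script log.
    do_cmd $key
    set result [do_cmd $key]
    if {[string match "*accepted*" $result]} {
        puts "private-data-encryption enabled; key accepted."
        return 0
    }
    # Mask the key before logging the unexpected answer.
    puts "Key was not accepted; device output was:"
    puts [regsub -all $key $result "<key>"]
    return 1
}

enable_pde $key
```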
