Created on 03-08-2021 10:55 PM Edited on 01-04-2022 11:33 PM By AlexC-FTNT
Description
This article describes how to enable private data encryption in a HA cluster.
Solution
When using an HA cluster, the keys used for private-data-encryption are synchronized among the units.
In a redundant setup (HA), the units must have the same key so that the encrypted elements are properly synchronized.
NOTE:
Prior to FortiOS 6.2.5 and FortiOS 6.4.2, the private-data-encryption keys were not automatically synchronized by HA.
A very common situation arises when starting from an existing HA cluster (2 or more units):
- The cluster is formed and synchronized.
- Private-data-encryption is then enabled in order to improve security.
- Enabling private-data-encryption on the Active unit prompts for the key to be used:
FG-Active # config system global
FG-Active (global) # set private-data-encryption enable
FG-Active (global) # end
Please type the private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
please re-enter the private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
The private data encryption key is accepted.
FG-Active #
- At this point, the Backup unit(s) will show the setting as enabled, but the key itself is not synchronized.
- Disabling and re-enabling the setting on the Backup unit does not prompt for the key:
FG-Backup # config system global
FG-Backup (global) # set private-data-encryption enable
FG-Backup (global) # end
FG-Backup # < no prompt for key
As a result, from this point on (before FortiOS 6.2.5 and FortiOS 6.4.2), any further change to an encrypted element (passwords, certificates, IPsec tunnel keys, etc.) in the configuration of the Active unit causes the cluster to go out of sync, because the Backup unit cannot decrypt elements protected with a key it does not hold.
A temporary workaround for this out-of-sync situation is to disable (and then re-enable) private-data-encryption on the Active unit.
Once disabled, the cluster will synchronize once again because no keys are used to encrypt the elements.
After encryption is re-enabled, the key is once again used only on the Active unit, which is why this workaround is temporary.
Permanent fix:
- Upgrade to FortiOS 6.2.5, FortiOS 6.4.2 (or newer).
- Enable private-data-encryption on each unit separately, before connecting them in an HA cluster.
If the cluster is already formed, it must first be separated.
Once separated, enable private-data-encryption on the Backup unit, using the same key as on the Active unit.
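The following Python script is an added example, not Fortinet code and not part of this article. It models the consistency check an administrator would want before re-forming the cluster: it validates that a key has the 32-hexadecimal-digit form the CLI prompt requires, compares the keys entered on the two units by SHA-256 fingerprint only (so the key never has to be exchanged in clear), parses the 'config system global' block of each unit's configuration backup to confirm the setting is enabled on both, and reports the pre-6.2.5/6.4.2 mismatch condition described above. The sample configuration blocks are constructed; the version check treats the 6.2 and 6.4 branches as the article states them and, as an assumption, treats any later branch as fixed and any earlier branch as not.

```python
import hashlib
import re

# The FortiOS prompt shown in this article asks for a key of 32 hexadecimal digits.
KEY_PATTERN = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample 'config system global' blocks, written in the form they
# would take in a configuration backup of each unit (not taken from a real device).
ACTIVE_CFG = """\
config system global
    set hostname "FG-Active"
    set private-data-encryption enable
end
"""

BACKUP_CFG_DISABLED = """\
config system global
    set hostname "FG-Backup"
    set private-data-encryption disable
end
"""

# First releases in each branch that synchronize the key over HA, per the article.
FIXED_VERSIONS = ((6, 2, 5), (6, 4, 2))


def is_valid_pde_key(key: str) -> bool:
    """True if the key is exactly 32 hexadecimal digits, as the CLI prompt requires."""
    return KEY_PATTERN.match(key.strip()) is not None


def key_fingerprint(key: str) -> str:
    """SHA-256 fingerprint of the key, so the keys entered on two units can be
    compared without ever exchanging the key itself in clear."""
    if not is_valid_pde_key(key):
        raise ValueError("private-data-encryption key must be 32 hexadecimal digits")
    return hashlib.sha256(key.strip().lower().encode("ascii")).hexdigest()


def pde_enabled(config_text: str) -> bool:
    """Parse the 'config system global' block of a FortiOS backup and report
    whether private-data-encryption is set to enable."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif in_global and line == "end":
            break
        elif in_global and line.startswith("set private-data-encryption "):
            return line.split()[-1] == "enable"
    return False  # setting absent from the block: treated as disabled


def ha_syncs_key(version: tuple) -> bool:
    """True if this FortiOS version synchronizes the key over HA.
    6.2.x and 6.4.x follow the article; branches newer than 6.4 are assumed
    fixed and branches older than 6.2 are assumed not fixed."""
    major, minor, patch = version
    for f_major, f_minor, f_patch in FIXED_VERSIONS:
        if (major, minor) == (f_major, f_minor):
            return patch >= f_patch
    return (major, minor) > (6, 4)


def check_cluster(active_cfg, backup_cfg, active_fp, backup_fp, version):
    """Return a list of findings explaining why the cluster would go out of sync.
    An empty list means the two units are consistently configured."""
    findings = []
    a_on, b_on = pde_enabled(active_cfg), pde_enabled(backup_cfg)
    if a_on != b_on:
        findings.append("private-data-encryption is not enabled on both units")
    if a_on and b_on and active_fp != backup_fp and not ha_syncs_key(version):
        findings.append("units hold different keys and this FortiOS does not sync them over HA")
    return findings


if __name__ == "__main__":
    key = "0123456789abcdef0123456789abcdef"  # the sample key shown in the article
    fp = key_fingerprint(key)
    print(check_cluster(ACTIVE_CFG, BACKUP_CFG_DISABLED, fp, fp, (6, 4, 1)))
```

Run the check with each unit's backup and the fingerprint of the key typed on that unit; an empty result means both units are enabled with the same key, which is the state the permanent fix above requires before the cluster is re-formed.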
Related Articles
Technical Tip: How to restore a backup configuration file with private-data-encryption enable?