FortiGate
ESCHAN_FTNT
Staff
Article Id 195668

Description


This article explains how to restore a backup configuration file with private-data-encryption enabled, especially when the device has been factory-reset or replaced due to hardware failure.


Scope


FortiGate.

Solution


Enabling private-data-encryption adds a further layer of encryption to the sensitive values in the downloaded configuration file. The user has to supply an encryption key of 32 hexadecimal digits. In the example below, private-data-encryption is enabled with the key 0123456789abcdef0123456789abcdef:


config system global

    set private-data-encryption enable
end

Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef


Private data encryption key is accepted.


On the same FortiGate unit, with its existing configuration, backing up and restoring the configuration file after enabling private-data-encryption works exactly as before.

If the unit is accidentally factory-reset, or a hardware failure leads to its replacement, restoring the backup configuration file (without the private data encryption key having been set first, see below) causes all encrypted passwords, except the system admin password, to be lost.


Below are the config file errors shown on the console when the unit boots up:


Initializing firewall...
System is starting...
The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'

Myvi-kvm21  login: admin
Password:
Welcome !

diagnose debug config-error-log read


>>>  "set" "password" "ENC" "qO9BAPwPxcxcqTyPPZW+0gARH9M5l5kX/GzraBngXVH8FjY3W7KaRFj5nh9H1HVi5jO782uQafQXwmWT5KLpAy5V7upwEjJ28Kb ... @ 3386:vpn.certificate.local.Fortinet_SSL_DSA1024:value parse error (error -1)
>>>  "set" "password" "ENC" "obdYGqPnvT9V64HsxfAJhNT7VXYruL4MKHu+9WOY9ITiN4SvORcApBIFhzn64dzW/lI19obx7TUPpXnYEUJwuwbCRvHDhlYkzVK ... @ 3425:vpn.certificate.local.Fortinet_SSL_DSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "r+p5NxxzUFK6O8a0M3xxMJHqGvtXo6DmO2gcGAWrWXh4Iju2YBcnZYYR5kO+Hk7hcdWZgXHvkjVrWH0FBjklVCoIRQm9BHeY3iG ... @ 3508:vpn.certificate.local.Fortinet_SSL_ECDSA384:value parse error (error -1)
>>>  "set" "passwd" "ENC" "lzGCMBfrodsURT1xCHtj5nq5cSlnXM3zp6Ct2lnp51h8MHZVWtS9YWvLm4853xPPRJ4oXJ4pB+m6FWHkh65wTqg18C/V0t7BksuV4 ... @ 3924:user.local.guest:value parse error (error -1)
>>>  "set" "passwd" "ENC" "cRBllqO+/pVb8WdD68zZ/VjWSDGy8dPLcjdqFlkjsk1FkXj4p8DZDtockrn1GN5SVZ3PRYN75s2DxihBbUK/xeB3BxSqpuDB23BxA ... @ 3929:user.local.user1:value parse error (error -1)
>>>  "set" "psksecret" "ENC" "MjuFtXONDH83enX3ngZfbU5RjIK+x8D20codXMiYrlZQd2sHFG5OcEV37RqaVVJ7qhX+qrGusv9Zc8COfu2grKkKuxRCfx1b+D ... @ 4247:vpn.ipsec.phase1-interface.Alza-KVM36:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAG5mb1ysTHs/uN+44m+X7JQkftWaq37M9CNbv4rZIxTJcoJ/NfbH5VCR4pkZefI8/uXhnlKXKKpCZa4b9YQbkd+T2GMkBe9 ... @ 5764:firewall.ssh.local-key.Fortinet_SSH_RSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAK0XE9tZWVVyYj7YYwtmgczJ3Ne2MQ219Zc3V8oyG72zmB0a39ZhbRLES6rv0SrRNI4kxLvC6laqP0uRGJmkHUzSId5WR/b ... @ 5798:firewall.ssh.local-key.Fortinet_SSH_DSA1024:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAEoa7GRu/hu3xCusPXdABnhOplM3L6x3muplV+e0kteSYyYYzBMOai5IvBDjkd+/7eHj0h0bvb/2cDRe1Hp/PyYd0cmMDCb ... @ 5825:firewall.ssh.local-key.Fortinet_SSH_ECDSA256:value parse error (error -1)
>>>  "set" "password" "ENC" "AAAAAb1LCwnuHcdxKkzDdvGBPryAfgMkF72Eh5vKPHq7TKidFPYLhpv3oDlFzccu/4gs6PeIoAKI4ZVu5M0PFSZj0xnROnFYXq7 ... @ 5925:firewall.ssh.local-ca.Fortinet_SSH_CA_Untrusted:value parse error (error -1)
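Each error line above names one object whose encrypted value could not be decrypted, so the log doubles as the list of secrets that must be re-entered. As an added example (not part of the original article and not a Fortinet tool), the following Python script parses output of that shape from 'diagnose debug config-error-log read', tells apart the all-ENC pattern the article describes from ordinary configuration syntax errors, and prints a per-table checklist of passwords and pre-shared keys to re-enter. The line format is inferred from the sample shown above (an assumption, not a documented grammar), and the sample log is constructed from the page's truncated lines.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample input, modelled on the truncated console output shown above
# (ciphertext blobs shortened with '...' exactly as the article prints them).
SAMPLE_LOG = """\
Initializing firewall...
System is starting...
>>>  "set" "password" "ENC" "qO9BAPwPxcxcqTyPPZW+0gARH9M5l5kX ... @ 3386:vpn.certificate.local.Fortinet_SSL_DSA1024:value parse error (error -1)
>>>  "set" "passwd" "ENC" "lzGCMBfrodsURT1xCHtj5nq5cSlnXM3z ... @ 3924:user.local.guest:value parse error (error -1)
>>>  "set" "passwd" "ENC" "cRBllqO+/pVb8WdD68zZ/VjWSDGy8dPL ... @ 3929:user.local.user1:value parse error (error -1)
>>>  "set" "psksecret" "ENC" "MjuFtXONDH83enX3ngZfbU5RjIK+x8D2 ... @ 4247:vpn.ipsec.phase1-interface.Alza-KVM36:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAG5mb1ysTHs/uN+44m+X7JQkftWa ... @ 5764:firewall.ssh.local-key.Fortinet_SSH_RSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "AAAAAb1LCwnuHcdxKkzDdvGBPryAfgMk ... @ 5925:firewall.ssh.local-ca.Fortinet_SSH_CA_Untrusted:value parse error (error -1)
"""

# Shape of one undecryptable-value line, inferred from the sample above (an assumption,
# not a documented FortiOS grammar):
#   set <attribute> ENC <blob> ... @ <config line>:<object path>:value parse error (error N)
ENC_ERROR_RE = re.compile(
    r'^>>>\s+"set"\s+"(?P<attr>[^"]+)"\s+"ENC"\s+"(?P<blob>[^\s"]*)'
    r'.*?@\s*(?P<line>\d+):(?P<path>[^:]+):value parse error \(error (?P<code>-?\d+)\)\s*$'
)


class LostSecret(NamedTuple):
    config_line: int  # line in the restored config file, as reported by FortiOS
    path: str         # full object path, e.g. user.local.guest
    attribute: str    # encrypted attribute that failed: password, passwd, psksecret, ...


def parse_config_error_log(text: str) -> List[LostSecret]:
    """Return one LostSecret per ENC value-parse error; all other lines are ignored."""
    found: List[LostSecret] = []
    for raw in text.splitlines():
        m = ENC_ERROR_RE.match(raw.strip())
        if m:
            found.append(LostSecret(int(m["line"]), m["path"], m["attr"]))
    return found


def looks_like_key_mismatch(text: str) -> bool:
    """True when every reported config error is an undecryptable ENC value, the signature
    the article shows for a restore done without the matching private-data-encryption key
    (a config with ordinary syntax errors would produce other kinds of '>>>' lines)."""
    error_lines = [ln for ln in text.splitlines() if ln.lstrip().startswith(">>>")]
    return bool(error_lines) and all(ENC_ERROR_RE.match(ln.strip()) for ln in error_lines)


def group_by_table(entries: List[LostSecret]) -> Dict[str, List[LostSecret]]:
    """Group by configuration table (the path minus its final object name, e.g. 'user.local').
    Assumes object names contain no '.', which holds for the sample above."""
    groups: Dict[str, List[LostSecret]] = {}
    for e in entries:
        table = e.path.rsplit(".", 1)[0]
        groups.setdefault(table, []).append(e)
    return groups


def remediation_report(text: str) -> str:
    """Human-readable checklist of the secrets an administrator must re-enter."""
    entries = parse_config_error_log(text)
    if not entries:
        return "No undecryptable ENC values found."
    lines = [f"{len(entries)} encrypted value(s) were lost during restore."]
    if looks_like_key_mismatch(text):
        lines.append("All errors are ENC parse errors: check that private-data-encryption "
                     "is enabled with the same key that was in use when the backup was taken.")
    for table, items in sorted(group_by_table(entries).items()):
        lines.append(f"\n{table}:")
        for e in sorted(items, key=lambda x: x.config_line):
            name = e.path.rsplit(".", 1)[-1]
            lines.append(f"  - {name}: re-enter '{e.attribute}' (config line {e.config_line})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(remediation_report(SAMPLE_LOG))
```

Run it against the saved console output of a restore to get the list of local users, IPsec phase1 interfaces, certificates and SSH keys whose secrets must be re-entered, or, when every error is an ENC parse error, a prompt to set the original key and restore again rather than re-entering anything by hand.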

To restore the configuration on a factory-reset unit or on a different FortiGate, the same private data encryption key must be set first, before the configuration file is restored.


config system global

    set private-data-encryption enable
end

Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef


The private data encryption key is accepted.

After the same private data encryption key is entered, the configuration file can be restored as usual.

Restoring the backup config without first setting the private key results in the following error in the GUI:
'The configuration was encrypted with a private encryption key, but encryption is not enabled. Required: Enable private-data-encryption under system global.'