Fortinet Forum
lqueiroz
New Contributor

Password Hash Changing

Hi All,

Has someone noticed the hash for some password types in the FortiGate's configuration changing every day, without any administrator action?

For example:

-Day one

config vpn certificate local
    edit "Fortinet_CA_SSLProxy"
        set password ENC 111111111111111111111111111111111==
        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
    next
    edit "Fortinet_SSLProxy"
        set password ENC 111111111111111111111111111111111==
    next

-Day two

config vpn certificate local
    edit "Fortinet_CA_SSLProxy"
        set password ENC 222222222222222222222222222222222==
        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
    next
    edit "Fortinet_SSLProxy"
        set password ENC 222222222222222222222222222222222==
    next

It is causing problems for our backup process, where our NMS system understands the configuration to be changing every day and consequently downloads and archives the "new" configuration file.

Thank you very much,

Lindolfo

6 REPLIES
emnoc
Esteemed Contributor III

That's normal; every time you save the config in an export, the hash would be different.

PCNSE

NSE

StrongSwan

lqueiroz
New Contributor

Hey,

Do you know if this is a specific feature for some hardware/firmware models?

I have different models in the environment and some of them are not affected by this.

Thank you!

Toshi_Esumi
Esteemed Contributor II

You need to skip those lines, as discussed in the link below. Our backup/config diff tool does that.

https://github.com/ytti/oxidized/issues/931

lqueiroz

Hi, I considered skipping the "set password ENC" lines in the backup diff, however I will not have a backup when the password truly changes. Do you have any tip?

Thank you!

Toshi_Esumi
Esteemed Contributor II

This should be the same throughout all FGT models.

According to our programmer, our tool actually keeps saving all of them, including those ever-changing password lines, so that when a generation is retrieved it includes the legitimate ENC password. But when the diff is run to send out an email for changes between the previous and the latest version, it removes those lines before sending the notification email.

emnoc
Esteemed Contributor III

Yes, we do the same in our diff by just removing or ignoring those lines.

i.e.

# before diff, drop every "set password" line from the exported config
sed -i '/set password/d' fgt.conf

Also, if you do not want to remove them due to formatting, just replace the string with XXXXXXXXXXXXXs.


Ken Felix

PCNSE 

NSE 

StrongSwan
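The two approaches in this thread (keep every full export so a restore still has a valid ENC string, but strip or mask the rotating values before deciding whether to notify and before building the diff) can be combined in one small script. The following is an added example written for this page; it is not from the thread and not either poster's tool. It assumes config lines shaped like the `set password ENC ...` lines quoted in the question, generalises the mask to any `set <key> ENC <value>` line, and uses constructed sample exports; the archive directory, file names and the `XXXXXXXX` mask are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from either poster's tool): archive every
# full FortiGate export, but decide whether the config really changed, and what
# goes into the change notification, only after masking the rotating ENC values.
# Assumptions: lines look like the "set password ENC <blob>" lines quoted in the
# question; the mask is generalised to any "set <key> ENC <value>" line; the
# archive directory and file names are made up for this example.

# Replace the ENC value with a fixed mask instead of deleting the line, so the
# config structure (and the diff's line numbers) survive the masking step.
mask_enc() {
    sed -E 's/^([[:space:]]*set [A-Za-z0-9_-]+ ENC )[^[:space:]]+/\1XXXXXXXX/' "$1"
}

# Exit 0 if the two exports differ in anything other than ENC values,
# exit 1 if they are identical once masked (pure re-encryption churn).
config_changed() {
    [ "$(mask_enc "$1")" != "$(mask_enc "$2")" ]
}

# Keep the complete export (real ENC strings included, so a restore works),
# and write a masked diff only when there is something to notify about.
# Exit 0 when a notification is due, 1 when only ENC values rotated.
archive_and_notify() {
    prev="$1"; latest="$2"; archive_dir="$3"
    mkdir -p "$archive_dir"
    cp "$latest" "$archive_dir/$(basename "$latest").$(date +%Y%m%d-%H%M%S)"
    if ! config_changed "$prev" "$latest"; then
        return 1
    fi
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    mask_enc "$prev" > "$tmp_old"
    mask_enc "$latest" > "$tmp_new"
    # diff exits 1 when the files differ, which we already know they do
    diff -u "$tmp_old" "$tmp_new" > "$archive_dir/last-change.diff" || true
    rm -f "$tmp_old" "$tmp_new"
    return 0
}

# Constructed sample exports in a temp directory (prints the directory name):
# day1 -> day2 rotates only the ENC blob; day1 -> day3 also edits a comment.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/day1.conf" <<'EOF'
config vpn certificate local
    edit "Fortinet_CA_SSLProxy"
        set password ENC 111111111111111111111111111111111==
        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
    next
    edit "Fortinet_SSLProxy"
        set password ENC 111111111111111111111111111111111==
    next
end
EOF
    sed 's/ENC 1111*==/ENC 222222222222222222222222222222222==/' "$d/day1.conf" > "$d/day2.conf"
    sed -e 's/ENC 1111*==/ENC 333333333333333333333333333333333==/' \
        -e 's/default CA certificate/custom CA certificate/' "$d/day1.conf" > "$d/day3.conf"
    echo "$d"
}

# Demo run on the constructed samples
samples=$(make_samples)
if archive_and_notify "$samples/day1.conf" "$samples/day2.conf" "$samples/archive"; then
    echo "day1 -> day2: real change, see $samples/archive/last-change.diff"
else
    echo "day1 -> day2: only ENC values rotated, archived without notification"
fi
if archive_and_notify "$samples/day1.conf" "$samples/day3.conf" "$samples/archive"; then
    echo "day1 -> day3: real change, see $samples/archive/last-change.diff"
else
    echo "day1 -> day3: only ENC values rotated, archived without notification"
fi
```

Masking rather than deleting keeps the diff aligned with the real file, and because the unmasked export is always archived, a genuine password change is still captured in the archive even though the notification diff never shows the ENC strings themselves.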