Configuring passwords via metadata variables in FMG - best practices

1ryan1 · ‎03-29-2023

Hello,

What is the best practice when configuring passwords using metadata variable such as the system admin user or IPSEC preshared secret via CLI templates in FortiManger? Obviously you can see the password in clear text if you go to the objects to view the metadata variable settings. Is there a work around to showing the password in clear text?

Also, I noticed that if you generate a random password with a special character for a password (that gets set via metadata variable) FMG will fail deploy. If I set the random password to not include special characters, it works. Any idea what characters are not allowed?

Anthony_E · ‎04-02-2023

Hello Ryan,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

Anthony_E · ‎04-05-2023

Hello Ryan,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Anthony-Fortinet Community Team.

Anthony_E · ‎04-07-2023

Hello Ryan,

My FortiManager expert will need to know:

- Which characters failed?

- Which version of FortiManager you are using?

Thanks a lot in advance.

Regards,

Anthony-Fortinet Community Team.

gfleming · ‎04-07-2023

I would use IPSec templates or VPN manager that way you don't need to mess around with metadata and cleartext pre-shared keys—you can also use certificates/signatures.

For admin user I would push this out using CLI Template using a very complex password, encrypted in the CLI and then rely on TACACS/RADIUS auth for admin user logons. Use the local admin user only when absolutely needed.

Cheers,
Graham