Configuring passwords via metadata variables in FMG - best practices
What is the best practice when configuring passwords using metadata variable such as the system admin user or IPSEC preshared secret via CLI templates in FortiManger? Obviously you can see the password in clear text if you go to the objects to view the metadata variable settings. Is there a work around to showing the password in clear text?
Also, I noticed that if you generate a random password with a special character for a password (that gets set via metadata variable) FMG will fail deploy. If I set the random password to not include special characters, it works. Any idea what characters are not allowed?
I would use IPSec templates or VPN manager that way you don't need to mess around with metadata and cleartext pre-shared keys—you can also use certificates/signatures.
For admin user I would push this out using CLI Template using a very complex password, encrypted in the CLI and then rely on TACACS/RADIUS auth for admin user logons. Use the local admin user only when absolutely needed.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.