jsg
New Contributor

Fortigate automated/scheduled SFTP backup without storing clear text passwords?

Hi all,

 

I'm fairly new to the Fortinet suite of security devices. I have set up a scheduled SFTP backup on the FortiAnalyzer and FortiManager which was very simple to do. Locally, the SFTP password is hashed in the config, lovely.

 

However, Fortigate appears to be a different story. To achieve a “Fortinet native” solution for a scheduled/automated backup, I looked at automation stitches; unfortunately, the “cli script” option requires the SFTP password to be stored in clear text.

 

Does anyone know of any other “Fortinet native” solution to schedule automated backups to SFTP servers on Fortigates without having to store the SFTP password in clear text? Just not acceptable to store passwords in clear text in my opinion and against policy in general.

 

My next stop is to move the automated backup process out of the Fortigate environment and move it to a netmiko/paramiko Python solution. I would prefer an “in product” solution.

 

Currently using v7.0.7.

 

Thanks,

 

JSG

1 Solution
jrosado_FTNT
Staff

Hi JSG, 

 

Since FortiOS version 7.2.1 password masking in configuration backups has been integrated. 

 

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/598820/support-backing-up-configurat...

 

I hope you are able to upgrade to this version to take advantage of this feature.

 

Regards, 

 

Javier Rosado
ETAC LATAM TSE


3 REPLIES
Jean-Philippe_P
Moderator

Hello jsg!

 

Thanks for posting on the Fortinet Community Forum.

 

I will look for assistance and get you documentation or help. We will contact you as soon as possible in this thread.

 

Kindest regards,

Jean-Philippe - Fortinet Community Team
n3tctrl

One small problem with this so-called "solution". It doesn't solve the original issue. I have the exact same issue. Yes, you can mask the passwords WITHIN the config file. However, you still have to expose the password to the SFTP server to get the config file backed up in the first place! Serious security weakness. Mask the SFTP password AS WELL! When you upload the script it will expose that password in the script no matter what.
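
The exposure discussed in this thread can be audited in a saved configuration. The following is an added example, not code from the thread or from Fortinet: it scans a FortiGate config for automation CLI scripts that embed an SFTP password and reports them with the secret redacted. The sample config is constructed, and the `config system automation-action` layout and the `execute backup config sftp <file> <server> <user> <password>` argument order are assumptions to verify against your FortiOS version.

```python
import re

# Constructed sample config (not from the thread). Assumed FortiOS layout:
# CLI scripts live under "config system automation-action", and the backup
# command is: execute backup config sftp <file> <server> <user> <password>
SAMPLE_CONFIG = '''\
config system automation-action
    edit "nightly-backup"
        set action-type cli-script
        set script "execute backup config sftp fgt.conf 192.0.2.10 backupsvc Example-Pass1"
        set accprofile "super_admin"
    next
    edit "show-status"
        set action-type cli-script
        set script "get system status"
    next
end
'''

SECTION_RE = re.compile(r"^config system automation-action\n(.*?)^end$", re.S | re.M)
ENTRY_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', re.S | re.M)
SCRIPT_RE = re.compile(r'set script "((?:[^"\\]|\\.)*)"', re.S)  # may span lines
CMD_RE = re.compile(r"^\s*execute\s+backup\s+config\s+sftp\s+(.+)$", re.I | re.M)


def find_cleartext_sftp(config_text):
    """Return one finding per CLI-script command that embeds an SFTP password."""
    findings = []
    for section in SECTION_RE.finditer(config_text):
        for name, body in ENTRY_RE.findall(section.group(1)):
            for script in SCRIPT_RE.findall(body):
                for arg_text in CMD_RE.findall(script):
                    args = arg_text.split()
                    if len(args) < 4:  # no password argument present
                        continue
                    findings.append({
                        "action": name,
                        "server": args[1],
                        "user": args[2],
                        # never echo the secret into audit output
                        "command": "execute backup config sftp "
                                   + " ".join(args[:3]) + " <REDACTED>",
                    })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_sftp(SAMPLE_CONFIG):
        print(f"[!] action {f['action']!r}: clear-text SFTP password for "
              f"{f['user']}@{f['server']}: {f['command']}")
```
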
