Hi everyone,
We would like to change the VPN password on our multiple FortiGates. How do we change it in a faster way? We do have FortiManager. Is it possible for FortiManager to push the password change to multiple firewalls instantly?
Thank you in advance.
hm
Maybe you should have posted this to the FortiManager forum?
Anyhow: VPN tunnels basically are device config. So you have to set them on each FGT, even with FMG.
But maybe FortiManager's VPN Manager could help here. However, I never tried it up to now...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Can you not push a script from the FMG? Or a batch-script upload?
Ken Felix
PCNSE
NSE
StrongSwan
Oh ok, yes, you could push a script from FMG. I just never used that feature up to now, so I can't say anything about it. But yes, it might be an option too.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
lorenzz wrote: Use a remote authentication device for all FortiGates. Change them all in one place. Just an idea for the future.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
If the VPN names are the same, we use a for loop and change the PSK on the VPNs via script. The FGTs have a public key, so it's automated: it loops through and changes the VPNs in a simple execution.
E.g. part of the script:
======================
# vpn tunnel gw list in file vpn.txt (one gateway IP address per line)
# python runs a script to create a random password that we will set on our devices
py1=/usr/bin/python
py2=/opscenter/FTNT/scripts/python.password
psk=`$py1 $py2`
## now we change the FGTs psk
# FortiOS CLI block; $psk is expanded once here, then fed to each FGT on stdin
H="config vdom\n edit root\n config vpn ipsec phase1-interface\n edit FGTCorp2RemoteTunnel\n set psksecret $psk\n end\n"
for p in `cat vpn.txt` ;
do echo -e "$H" | ssh -o "StrictHostKeyChecking=no" fgtadminteam@$p ;
done
You can run the script beforehand to see how it would display the password, e.g.:
config vdom
 edit root
 config vpn ipsec phase1-interface
 edit FGTCorp2RemoteTunnel
 set psksecret .@3bR_4$xWWL&6dgAhdk#83k@l@9k12k&3ts5Fg
 end
I would suggest no SSH host key checks to ensure the script won't fail from an upgrade or failover, or if the SSH keys are changed.
The vpn.txt file has all of the VPN gateways by IP address.
YMMV, but we change the PSK like this every 3 months and it works 100% flawlessly if the network is not down and the host that runs the script is up. We crontab this to fire every 90 days.
TIP: Avoid using the following characters ' \ " in the random password.
Ken Felix
PCNSE
NSE
StrongSwan
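The same rotation loop as an added, self-contained shell example (this is not Ken Felix's script, not a Fortinet tool, and not tested against a live FortiGate by the thread). It reuses the admin account fgtadminteam, the tunnel name FGTCorp2RemoteTunnel and the vpn.txt gateway list from the post; the known_hosts path ~/.ssh/fgt_known_hosts is a hypothetical file you populate out of band (for example from the console), and the 192.0.2.x addresses in the usage comment are constructed placeholders. Two choices differ from the posted script on purpose: host keys are pinned rather than skipped, because with StrictHostKeyChecking=no the script will send the new PSK to whatever answers at that address; and the PSK is generated from /dev/urandom using only characters that survive the shell, so the tip about ' \ " (plus $) is enforced rather than remembered. The CLI block travels on stdin, so the secret never shows in the process list, and the function reports which gateways failed, since a tunnel whose two ends hold different secrets drops at the next rekey.

```shell
#!/bin/bash
# rotate_psk.sh - rotate the IPsec phase1 PSK on a list of FortiGates over SSH.
# Added example, not the posted script. Assumed: key-based SSH login as
# $SSH_USER, a known_hosts file you maintain at $KNOWN_HOSTS (hypothetical
# path), and FortiOS accepting the CLI block below on stdin.

SSH_USER="${SSH_USER:-fgtadminteam}"                      # admin account from the post
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/fgt_known_hosts}"  # pinned FortiGate host keys
DRY_RUN="${DRY_RUN:-0}"                                   # 1 = print targets, do not connect

# Random PSK from /dev/urandom restricted to characters that survive the
# shell's double quotes and the FortiOS CLI: no ' " \ $ and no whitespace.
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@%&*_+=.,:;?~-' < /dev/urandom | head -c "${1:-32}"
}

# FortiOS CLI block for one tunnel in one VDOM. 'next' commits the phase1
# entry; the two 'end's leave the phase1 table and then the VDOM.
build_cli() {
    printf 'config vdom\n    edit %s\n        config vpn ipsec phase1-interface\n' "$1"
    printf '            edit %s\n                set psksecret %s\n            next\n' "$2" "$3"
    printf '        end\nend\n'
}

# Push one PSK to every gateway in $3 (one address per line; blank lines and
# '#' comments are skipped). The CLI travels on stdin so the PSK never appears
# in the process list. Returns the number of gateways that could not be updated.
push_psk() {
    _tunnel="$1"; _psk="$2"; _hosts="$3"; _vdom="${4:-root}"; _failed=0
    while IFS= read -r _host || [ -n "$_host" ]; do
        case "$_host" in ''|\#*) continue ;; esac
        if [ "$DRY_RUN" = 1 ]; then
            printf 'DRY RUN: ssh %s@%s (CLI on stdin, PSK not shown)\n' "$SSH_USER" "$_host"
        elif build_cli "$_vdom" "$_tunnel" "$_psk" | ssh -o BatchMode=yes \
                -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
                "$SSH_USER@$_host" >/dev/null; then
            printf 'updated %s\n' "$_host" >&2
        else
            printf 'FAILED %s: fix it by hand before the peer rekeys\n' "$_host" >&2
            _failed=$((_failed + 1))
        fi
    done < "$_hosts"
    return "$_failed"
}

# Usage: ROTATE_RUN=1 ./rotate_psk.sh FGTCorp2RemoteTunnel vpn.txt [vdom]
# vpn.txt holds one gateway per line, e.g. 192.0.2.10 and 192.0.2.11 (placeholders).
# Keep the printed PSK for any peer that is not in vpn.txt, or its tunnel drops on rekey.
main() {
    [ $# -ge 2 ] || { echo "usage: $0 <tunnel> <hosts-file> [vdom]" >&2; return 2; }
    _new="$(gen_psk 32)"
    printf 'new PSK for %s: %s\n' "$1" "$_new"
    push_psk "$1" "$_new" "$2" "${3:-root}"
}
if [ "${ROTATE_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it once with DRY_RUN=1 to see which gateways it would touch, then on a cron schedule as the post describes; a non-zero exit status means at least one gateway still holds the old secret.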
Thank you everyone for your response, I will try to study the scripting first.
Removed... since it is old and was already answered.
Copyright 2024 Fortinet, Inc. All Rights Reserved.