FortiGate Configuration Obfuscator Tool

This feature obfuscates IP addresses, object names, and confidential information for cases where a configuration cannot be sent without scrubbing.

  1. On the left sidebar, select Obfuscator to enter the page.
  2. Select the types you want to obfuscate. Note that if the object name is unselected, the second row will be disabled.
  3. Upload the FortiGate configuration and click Obfuscate Config.

Options description

Type

IPv4: Globally finds IPv4 addresses, including unicast, multicast, private network, and address range patterns, and substitutes them.
IPv6: Globally finds IPv6 addresses and substitutes them.
FQDN: Globally finds FQDN and Wildcard-FQDN addresses and substitutes them.
MAC Address: Globally finds MAC addresses and substitutes them.
Password, Pre-Shared key: Globally finds the ENC *** pattern and substitutes it with the string "012345678".
SSID: Globally finds SSID names and substitutes them.
Comment: Globally finds "set comment|comments" lines and removes them.
Object Name: Globally finds object names according to the selected object name categories.

Object Name

Interface: Finds object names under config system interface and substitutes them with INTERFACE_INDEX. It won't change default FortiGate interface names like "wan1", "port2", "dmz", etc.
Zone: Finds object names under config system zone and substitutes them with ZONE_INDEX.
Address: Finds object names under config firewall address and substitutes them with ADDR_INDEX. It won't change names like "all", "any", etc.
Address Group: Finds object names under config firewall addrgrp and substitutes them with ADDRGrp_INDEX.
IPPool: Finds object names under config firewall ippool and substitutes them with IPPool_INDEX.
VIP: Finds object names under config firewall vip and substitutes them with VIP_INDEX.
VIP Group: Finds object names under config firewall vipgrp and substitutes them with VIPGrp_INDEX.
Service: Finds object names under config firewall service custom and substitutes them with SERV_INDEX. It won't change names like "all", "any", etc.
Service Group: Finds object names under config firewall service group and substitutes them with SERVGrp_INDEX.
VPN: Finds object names under config vpn ipsec phase1, config vpn ipsec phase2, config vpn ipsec phase1-interface, and config vpn ipsec phase2-interface and substitutes them with VPN_INDEX or VPN_INTF_INDEX.
Policy: Finds "set name" under config firewall policy and substitutes it with POLICY_INDEX.

Note that the text substitution follows the order below.

IP Address > SSID > (substitute object name with the following order) > VPN > Interface > Zone > address and group > ippool > vip > vip and group > service and group

Because of this order, if an object name contains an address string (commonly the case for IPPool and VIP objects), it won't be replaced with IPPool_INDEX or VIP_INDEX, because the IP address substitution takes precedence.

For example, in the case below, the output replaces the IP string inside the object name instead of using IPPool_INDEX, while other objects such as VIP remain the same.

    config firewall ippool
        edit "ippool-10.161.192.11"
            set endip 10.161.192.11
            set startip 10.161.192.11
            set type overload
        next
    end

(After running the obfuscator)

    config firewall ippool
        edit "ippool-10.90.31.207"
            set endip 10.90.31.207
            set startip 10.90.31.207
            set type overload
        next
    end
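
The ordering effect described above, reproduced as an added example (this is not Fortinet's code). It assumes object names are collected from the original text and then searched for after the IP pass has already rewritten it; the 198.51.100.x substitutes, the IPPool_N numbering, the "nat-branch" object and the residual_leaks check are constructed for illustration.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input, modelled on the IPPool example above.
SAMPLE = '''config firewall ippool
    edit "ippool-10.161.192.11"
        set endip 10.161.192.11
        set startip 10.161.192.11
        set type overload
    next
    edit "nat-branch"
        set endip 10.161.192.12
        set startip 10.161.192.12
        set type overload
    next
end
'''

def obfuscate(config):
    """Two ordered passes: IPv4 addresses first, then IPPool object names."""
    # Assumption: names are taken from the original, un-obfuscated text.
    names = re.findall(r'^\s*edit "([^"]+)"', config, flags=re.M)
    ip_map = {}

    def sub_ip(match):
        # The same input address always maps to the same substitute.
        new = "198.51.100.%d" % (len(ip_map) + 1)
        return ip_map.setdefault(match.group(0), new)

    text = IPV4.sub(sub_ip, config)
    name_map = {}
    for name in names:
        quoted = '"%s"' % name
        if quoted in text:  # a name rewritten by the IP pass no longer matches
            name_map[name] = "IPPool_%d" % (len(name_map) + 1)
            text = text.replace(quoted, '"%s"' % name_map[name])
    return text, ip_map, name_map

def residual_leaks(original, obfuscated):
    """Original IPv4 addresses that still appear in the obfuscated output."""
    return sorted(set(IPV4.findall(original)) & set(IPV4.findall(obfuscated)))

if __name__ == "__main__":
    out, _, _ = obfuscate(SAMPLE)
    print(out)
    print("residual original addresses:", residual_leaks(SAMPLE, out))
```

The object whose name embeds an address keeps its "ippool-" prefix with the substituted address, while "nat-branch" becomes IPPool_1. Running a residual check like this against the real output before sharing a file confirms that no original address survived.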
