
New Features

Support backing up configurations with password masking 7.2.1


When backing up a configuration that will be shared with a third party, such as Fortinet Inc. Support, passwords and secrets should be obfuscated in the configuration so that they are not unintentionally leaked. Password masking can be enabled on the Backup System Configuration page and in the CLI. When password masking is enabled, passwords and secrets are replaced in the configuration file with FortinetPasswordMask.

To mask passwords in the GUI:
  1. Click on the username in the upper right-hand corner of the screen and select Configuration > Backup.

  2. Select YAML as the File format.

  3. Enable Password mask. A warning message is displayed.

  4. Click OK. The full configuration file is saved to your computer with passwords and secrets obfuscated.

To mask passwords in a configuration backup in the CLI:

# execute backup obfuscated-config {flash | ftp | management-station | sftp | tftp | usb}

To mask passwords in the full configuration backup in the CLI:

# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}

To mask passwords in a configuration backup with YAML formatting in the CLI:

# execute backup obfuscated-yaml-config {ftp | tftp}

Note

If a configuration is being backed up on a server, server information must be included with the command. Other information that may be required with an execute backup command includes file names, passwords, and comments. See Configuration backups in the Administration Guide for more information.

Example configuration with password masking

The following is an example of output with password masking enabled:

config system admin
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 172.16.200.55
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
        set schedule "always"
    next
end

Restoring configurations

When restoring a configuration file that has password masking enabled, all obfuscated passwords and secrets will be restored as well.

Note

Restoring the FortiGate with a configuration with passwords obfuscated is not recommended.

To restore an obfuscated configuration:
  1. Click on the username in the upper right-hand corner of the screen and select Configuration > Restore.

  2. Select YAML as the File format.

  3. Click Upload. The File Explorer is displayed.

  4. Navigate to the configuration file and click Open.

  5. (Optional) Enter the file password in the Password field.

  6. Click OK. The Confirm pane is displayed with a warning.

  7. Toggle the acknowledgment.

  8. Click OK.
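
The following check is an added example, not part of the Fortinet documentation. It audits a CLI-format backup before it is shared (every secret must equal FortinetPasswordMask) and before it is restored (no masked value should be present). The secret keyword list covers only the three keywords shown in the example output above and is an assumption to extend for your own configuration; the sample text is constructed.

```python
import re

MASK = "FortinetPasswordMask"
# Assumption: only the secret keywords visible in the page's example output.
SECRET_KEYS = {"password", "psksecret", "passphrase"}
SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")

def audit_backup(text):
    """Return (masked, unmasked) lists of (line_no, config path, keyword)."""
    masked, unmasked, path = [], [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            path.append(line)              # enter a config block or table entry
        elif line in ("end", "next"):
            if path:
                path.pop()                 # leave the block or entry
        else:
            m = SET_RE.match(line)
            if m and m.group(1) in SECRET_KEYS:
                entry = (no, " > ".join(path), m.group(1))
                value = m.group(2).strip().strip('"')
                (masked if value == MASK else unmasked).append(entry)
    return masked, unmasked

def safe_to_share(text):
    """True only when every secret field found carries the mask string."""
    return not audit_backup(text)[1]

def safe_to_restore(text):
    """True only when no secret field carries the mask string."""
    return not audit_backup(text)[0]

# Constructed sample: one masked secret and one that was left unmasked.
SAMPLE = '''config system admin
    edit "1"
        set accprofile "prof_admin"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set remote-gw 172.16.200.55
        set psksecret ENC constructed-placeholder
    next
end
'''

if __name__ == "__main__":
    for no, where, key in audit_backup(SAMPLE)[1]:
        print(f"line {no}: {key} is not masked ({where})")
```

A file that fails safe_to_share still holds at least one secret and should be backed up again with masking enabled; a file that fails safe_to_restore would set the listed fields to the mask string.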
