Fortinet Document Library

User Guide

21.4.0

Sensitive data stripping

NCM supports stripping sensitive data from backups of devices.
When this feature is enabled, passwords, pre-shared keys, and other sensitive data will not be stored in backups of devices.

This can be enabled in "Other settings > Sensitive data stripping".
You can enable stripping sensitive data globally ("Default sensitive data stripping policy"), or per-Tag.

A per-Tag policy always overrides the default policy for devices that the Tag applies to.
If a single device belongs to Tags that specify both the "Never strip" and the "Always strip" policy, the more secure option ("Always strip") will be applied.

Always check for desired behavior

When using this feature, always verify that all sensitive data is actually being stripped.
Also verify that data which should remain in the backup is not being stripped.
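
One way to run both checks offline against an exported backup, as an added example (not Fortinet code): it flags secret-bearing Cisco commands that still carry a value and reports expected non-sensitive lines that are missing. The placeholder marker, the pattern list (a starting set, not exhaustive), the name `audit_backup` and the sample configuration are assumptions made for this example.

```python
import re

# Assumption: this page does not say what NCM writes in place of a stripped
# value; set PLACEHOLDERS to the marker your stripped backups actually contain.
PLACEHOLDERS = {"<removed>"}

# Secret-bearing Cisco commands; group "v" captures the value that must be gone.
SECRET_PATTERNS = [re.compile(p) for p in (
    r"^\s*enable (?:secret|password)(?: \d+)? (?P<v>\S+)",
    r"^\s*username \S+ .*?(?:secret|password)(?: \d+)? (?P<v>\S+)",
    r"^\s*snmp-server community (?P<v>\S+)",
    r"^\s*crypto isakmp key (?:\d+ )?(?P<v>\S+)",
    r"^\s*(?:ikev[12] )?pre-shared-key (?P<v>\S+)",
    r"^\s*(?:tacacs-server|radius-server) key (?:\d+ )?(?P<v>\S+)",
)]

def audit_backup(text, required=()):
    """Return (leaks, missing): secret-bearing lines that kept a real value,
    and required non-sensitive lines that are absent from the backup."""
    lines = text.splitlines()
    leaks = []
    for number, line in enumerate(lines, 1):
        for pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if match and match.group("v") not in PLACEHOLDERS:
                leaks.append((number, line.strip()))
                break
    present = {line.strip() for line in lines}
    missing = [r for r in required if r not in present]
    return leaks, missing

# Constructed sample of a stripped backup; line 4 was deliberately left intact.
SAMPLE = """\
hostname edge-rtr-01
enable secret 5 <removed>
username admin privilege 15 secret 5 <removed>
username ops password 7 0822455D0A16
snmp-server community <removed> RO
crypto isakmp key <removed> address 192.0.2.10
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

if __name__ == "__main__":
    leaks, missing = audit_backup(SAMPLE, ["hostname edge-rtr-01", "ntp server 192.0.2.123"])
    for number, line in leaks:
        print(f"line {number}: value not stripped: {line}")
    for line in missing:
        print(f"expected line missing from backup: {line}")
```

An empty `leaks` list only means none of the listed patterns matched, so extend `SECRET_PATTERNS` with the secret-bearing commands your own devices use.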

Supported devices

Currently, sensitive data stripping is supported on these devices:

Cisco ASA
Cisco IOS
Cisco IOS XR
Cisco Nexus
Cisco NXOS (generic NXOS)

If a backup is run on a device that is not yet supported but is configured for sensitive data stripping, the backup job will fail.
(The failure reason will be "SENSITIVE_DATA_STRIPPING_ERROR".)

We are periodically adding support for more devices to the above list.
If you want to use sensitive data stripping with any devices not listed above, please let us know.
