Password Hash Changing | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Password Hash Changing

Author Post Essentials Only Full Version
lqueiroz New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2019/07/24 07:36:34 Status: offline 2019/07/24 07:59:14 (permalink) 5.2 0 Password Hash Changing Hi All, Has someone noticed the hash for some password types in the Fortigate's configuration changing every day, without any administrator action? For example: -Day one config vpn certificate local edit "Fortinet_CA_SSLProxy" set password ENC 111111111111111111111111111111111== set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates." next edit "Fortinet_SSLProxy" set password ENC 111111111111111111111111111111111== next -Day two config vpn certificate local edit "Fortinet_CA_SSLProxy" set password ENC 222222222222222222222222222222222== set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates." next edit "Fortinet_SSLProxy" set password ENC 222222222222222222222222222222222== next It is causing problems to our backup process, where our NMS system is understanding the configuration is changing every day and consequently downloading and archiving the "new" configuration file. Thanks you very much, Lindolfo #1 FortiGate 6 Replies Related Threads
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Password Hash Changing 2019/07/24 08:38:09 (permalink) 0 That's normal, every time you save the config in a export the hash would be different PCNSE NSE StrongSwan #2
Toshi Esumi Expert Member Total Posts : 2526 Scores: 241 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Password Hash Changing 2019/07/24 08:38:10 (permalink) 0 You need to skip those lines like discussed in below. Our backup/config diff tool does that. https://github.com/ytti/oxidized/issues/931 #3
lqueiroz New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2019/07/24 07:36:34 Status: offline Re: Password Hash Changing 2019/07/24 09:05:10 (permalink) 0 Hi, I considered skipping the "set password ENC" lines in the backup diff, however I will not have a backup when the password truly changes. Do you have any tip? Thank you! #4
lqueiroz New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2019/07/24 07:36:34 Status: offline Re: Password Hash Changing 2019/07/24 09:07:41 (permalink) 0 Hey, Do you know if this is an specific feature for some hardware/firmware models? I have different models in the environment and some of them are not affected by this. Thank you! #5
Toshi Esumi Expert Member Total Posts : 2526 Scores: 241 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Password Hash Changing 2019/07/24 10:40:55 (permalink) 0 This should be the same throughout all FGT models. According to our programmer, our tool actually keep saving all of them including those keep-changing password lines so that when a generation is retrieved, it would include legit ENC password. But when the diff is run to send out email for changes between the previous and the latest version, it removes those lines before sending the notification email. #6
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Password Hash Changing 2019/07/24 13:37:29 (permalink) 0 yes we do the same item in our diff by just removing or ignoring those lines. i.e # before diff sed -i '/set password/d' fgt.conf Also if you do not want to remove them due to formatting, just replace the string with XXXXXXXXXXXXXs Ken Felix PCNSE NSE StrongSwan #7

Jump to:

© 2021 APG vNext Commercial Version 5.5