FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ESCHAN_FTNT
Staff
Article Id 195668
Description
This article explains how to restore a backup configuration file that was taken with private-data-encryption enabled, especially when the unit has been factory-reset or replaced because of a hardware failure.

Solution
Enabling private-data-encryption applies stronger encryption to the encrypted passwords stored in the downloaded configuration file. The user must supply a 32-digit hexadecimal encryption key. In the example below, private-data-encryption is enabled with the private key 0123456789abcdef0123456789abcdef:

Myvi-kvm21 # config system global
Myvi-kvm21 (global) # set private-data-encryption enable
Myvi-kvm21 (global) # end
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef

Private data encryption key is accepted.

Myvi-kvm21 #

Backing up and restoring the configuration file after enabling private-data-encryption works the same as before, as long as it is done on this same FortiGate unit with its existing configuration.

If the unit is accidentally factory-reset, or a hardware failure results in a change of hardware, restoring the backup configuration file causes every encrypted password (except the system admin password) to be lost, because the unit no longer holds the private data encryption key that was used to encrypt them.
Below is the config file error shown on the console at boot:

Initializing firewall...
System is starting...
The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'

Myvi-kvm21  login: admin
Password:
Welcome !

Myvi-kvm21 #
Myvi-kvm21 #diagnose debug config-error-log read
>>>  "set" "password" "ENC" "qO9BAPwPxcxcqTyPPZW+0gARH9M5l5kX/GzraBngXVH8FjY3W7KaRFj5nh9H1HVi5jO782uQafQXwmWT5KLpAy5V7upwEjJ28Kb ... @ 3386:vpn.certificate.local.Fortinet_SSL_DSA1024:value parse error (error -1)
>>>  "set" "password" "ENC" "obdYGqPnvT9V64HsxfAJhNT7VXYruL4MKHu+9WOY9ITiN4SvORcApBIFhzn64dzW/lI19obx7TUPpXnYEUJwuwbCRvHDhlYkzVK ... @ 3425:vpn.certificate.local.Fortinet_SSL_DSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "r+p5NxxzUFK6O8a0M3xxMJHqGvtXo6DmO2gcGAWrWXh4Iju2YBcnZYYR5kO+Hk7hcdWZgXHvkjVrWH0FBjklVCoIRQm9BHeY3iG ... @ 3508:vpn.certificate.local.Fortinet_SSL_ECDSA384:value parse error (error -1)
>>>  "set" "passwd" "ENC" "lzGCMBfrodsURT1xCHtj5nq5cSlnXM3zp6Ct2lnp51h8MHZVWtS9YWvLm4853xPPRJ4oXJ4pB+m6FWHkh65wTqg18C/V0t7BksuV4 ... @ 3924:user.local.guest:value parse error (error -1)
>>>  "set" "passwd" "ENC" "cRBllqO+/pVb8WdD68zZ/VjWSDGy8dPLcjdqFlkjsk1FkXj4p8DZDtockrn1GN5SVZ3PRYN75s2DxihBbUK/xeB3BxSqpuDB23BxA ... @ 3929:user.local.user1:value parse error (error -1)
>>>  "set" "psksecret" "ENC" "MjuFtXONDH83enX3ngZfbU5RjIK+x8D20codXMiYrlZQd2sHFG5OcEV37RqaVVJ7qhX+qrGusv9Zc8COfu2grKkKuxRCfx1b+D ... @ 4247:vpn.ipsec.phase1-interface.Alza-KVM36:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAG5mb1ysTHs/uN+44m+X7JQkftWaq37M9CNbv4rZIxTJcoJ/NfbH5VCR4pkZefI8/uXhnlKXKKpCZa4b9YQbkd+T2GMkBe9 ... @ 5764:firewall.ssh.local-key.Fortinet_SSH_RSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAK0XE9tZWVVyYj7YYwtmgczJ3Ne2MQ219Zc3V8oyG72zmB0a39ZhbRLES6rv0SrRNI4kxLvC6laqP0uRGJmkHUzSId5WR/b ... @ 5798:firewall.ssh.local-key.Fortinet_SSH_DSA1024:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAEoa7GRu/hu3xCusPXdABnhOplM3L6x3muplV+e0kteSYyYYzBMOai5IvBDjkd+/7eHj0h0bvb/2cDRe1Hp/PyYd0cmMDCb ... @ 5825:firewall.ssh.local-key.Fortinet_SSH_ECDSA256:value parse error (error -1)
>>>  "set" "password" "ENC" "AAAAAb1LCwnuHcdxKkzDdvGBPryAfgMkF72Eh5vKPHq7TKidFPYLhpv3oDlFzccu/4gs6PeIoAKI4ZVu5M0PFSZj0xnROnFYXq7 ... @ 5925:firewall.ssh.local-ca.Fortinet_SSH_CA_Untrusted:value parse error (error -1)

To restore the configuration on a factory-reset or replacement FortiGate unit, the user must first set the same private data encryption key, and only then restore the configuration file.

Myvi-kvm21 # config system global
Myvi-kvm21 (global) # set private-data-encryption enable
Myvi-kvm21 (global) # end
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef

Private data encryption key is accepted.

Once the same private data encryption key has been entered, the configuration file can be restored as usual.
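As an added example (not part of the original article and not Fortinet code), the following Python script covers the two checks an administrator wants before and after a restore: it validates that the key to be entered at the "32 hexadecimal numbers" prompt has the right format, and it parses the output of 'diagnose debug config-error-log read' to list which configuration objects (certificate passwords, local user passwords, IPsec pre-shared keys, SSH local keys) failed to decrypt, so that nothing is silently lost. The sample log is constructed by abbreviating the lines shown above; the parser assumes error lines keep exactly the shape shown in the article, and the acceptance of uppercase hex digits is an assumption, since the article's example uses lowercase only.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the 'diagnose debug config-error-log read'
# output shown in the article; the ENC values are truncated with ' ... ' as in the
# article, which the parser tolerates because it only needs the part after '@'.
SAMPLE_ERROR_LOG = """\
>>>  "set" "password" "ENC" "qO9BAPwPxcxcqTyPPZW ... @ 3386:vpn.certificate.local.Fortinet_SSL_DSA1024:value parse error (error -1)
>>>  "set" "passwd" "ENC" "lzGCMBfrodsURT1xCHtj ... @ 3924:user.local.guest:value parse error (error -1)
>>>  "set" "psksecret" "ENC" "MjuFtXONDH83enX3ngZ ... @ 4247:vpn.ipsec.phase1-interface.Alza-KVM36:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAG5mb1ysTHs/uN+ ... @ 5764:firewall.ssh.local-key.Fortinet_SSH_RSA2048:value parse error (error -1)
"""

# The CLI prompt asks for "32 hexadecimal numbers": exactly 32 hex digits, no separators.
# Accepting uppercase as well as lowercase is an assumption of this script.
KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# One error line, in the shape shown in the article:
#   >>>  "set" "<attr>" "ENC" "<ciphertext> ... @ <line>:<config path>:value parse error (...)
ERROR_LINE_RE = re.compile(
    r'^>>>\s+"set"\s+"(?P<attr>[^"]+)"\s+"ENC"\s+.*?@\s*(?P<line>\d+):(?P<path>[^:]+):value parse error'
)


def is_valid_private_data_key(key):
    """Return True if key matches the format the CLI accepts (32 hex digits)."""
    return KEY_RE.match(key.strip()) is not None


def parse_config_error_log(text):
    """Extract every ENC value the unit failed to decrypt from config-error-log output.

    Returns a list of dicts with the failing attribute (password, passwd, psksecret...),
    the line number inside the config file, and the full config object path.
    """
    entries = []
    for raw in text.splitlines():
        m = ERROR_LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated lines (prompts, banners) are ignored
        entries.append({
            "attribute": m.group("attr"),
            "line": int(m.group("line")),
            "path": m.group("path"),
        })
    return entries


def summarize_by_table(entries):
    """Count failures per config table (e.g. 'vpn.certificate.local') so an
    administrator can see which object types need their secrets re-entered."""
    counts = Counter()
    for e in entries:
        table = e["path"].rsplit(".", 1)[0]  # drop the object name, keep the table
        counts[table] += 1
    return dict(counts)


def restore_precheck(key, error_log_text):
    """Combine both checks: reject a malformed key up front, and report which
    objects lost their secrets in a previous restore attempt."""
    entries = parse_config_error_log(error_log_text)
    return {
        "key_format_ok": is_valid_private_data_key(key),
        "undecryptable_secrets": len(entries),
        "by_table": summarize_by_table(entries),
    }


if __name__ == "__main__":
    report = restore_precheck("0123456789abcdef0123456789abcdef", SAMPLE_ERROR_LOG)
    print("Key format OK:", report["key_format_ok"])
    print("Secrets that failed to decrypt:", report["undecryptable_secrets"])
    for table, n in sorted(report["by_table"].items()):
        print(f"  {table}: {n}")
    for e in parse_config_error_log(SAMPLE_ERROR_LOG):
        print(f"  line {e['line']}: {e['path']} ({e['attribute']})")
```

Run it against a copy of the console output after a restore; an empty result from parse_config_error_log means the key entered on the new unit matched the one used when the backup was taken, while a non-empty result lists exactly which passwords, PSKs and key passphrases must be re-entered by hand.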
