[Fixed in 2.0.1] FortiOS MD5 key detected as change

Unimus support forum
ccummings-coeur
Posts: 5
Joined: Mon May 18, 2020 4:08 pm

Mon May 18, 2020 4:41 pm

Hello All,

I am new to Unimus (brought here by The Network Collective!) and apologize if this should be directed elsewhere. I am setting up our Fortinet firewalls to be backed up, which is working swimmingly. Compared to Oxidized, this has been pure bliss! I have run into one issue where the MD5 key for OSPF on an interface is being triggered as a device change, thus sending out alerts every time that the backup is run. This looks like it is due to how Fortinet encrypts the password on the box, as they seem to re-encrypt the secrets in the config very frequently. However, this only appears to be happening for this one device, and this one line, leading me to suspect that whatever code ignores password changes on FortiOS is working very well except for this specific line. I have attached a screenshot showing the change:
[Screenshot: unimus_FortiOS_MD5-min.png]
Does anyone know of how I can go about getting this line not detected as a change?

Thank You!
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Tue May 19, 2020 12:51 am

Hi,

FortiOS is a constant battle, and we have released many fixes over multiple previous versions to get Unimus to ignore all the things FortiOS changes on each backup run.

Thank you for the screenshots, those help a bunch to add filters for these false dynamic change notifications.
We will make sure to add filtering to ignore the OSPF md5 key in the 2.0.1 release.
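
The kind of filtering discussed in this thread can be approximated outside the backup tool by masking re-encrypted values before diffing. The following is an added example, not part of the original posts and not Unimus's implementation; the sample config, the `set md5-key 1 ENC ...` line shape, and the names `normalize` and `real_changes` are assumptions made for illustration.

```python
import difflib
import re

# Matches a FortiOS-style "set" line whose value is an encrypted secret: the
# literal token ENC followed by one opaque, whitespace-free blob (assumption).
# Arguments between the keyword and ENC, such as a key ID, are preserved.
ENC_VALUE = re.compile(r"^(\s*set\s+\S+(?:\s+\S+)*?\s+ENC)\s+\S+\s*$")


def normalize(config: str) -> list[str]:
    """Replace every ENC blob with a fixed marker so re-encryption is invisible."""
    return [ENC_VALUE.sub(r"\1 <masked>", line) for line in config.splitlines()]


def real_changes(old: str, new: str) -> list[str]:
    """Return the added/removed lines that remain after masking ENC values."""
    diff = difflib.unified_diff(normalize(old), normalize(new), lineterm="", n=0)
    body = list(diff)[2:]  # drop the '---' and '+++' file header lines
    return [line for line in body if line.startswith(("+", "-"))]


# Constructed sample backups (not real device output): the same OSPF interface
# captured twice. Only the ENC blob differs between OLD and REENCRYPTED;
# CHANGED additionally carries a genuine cost change.
OLD = """config router ospf
    config ospf-interface
        edit "wan1"
            set md5-key 1 ENC b2xkLWJsb2ItMDAx
            set cost 10
        next
    end
end"""
REENCRYPTED = OLD.replace("b2xkLWJsb2ItMDAx", "bmV3LWJsb2ItMDAy")
CHANGED = REENCRYPTED.replace("set cost 10", "set cost 20")

if __name__ == "__main__":
    print("re-encryption only:", real_changes(OLD, REENCRYPTED))
    print("genuine change:    ", real_changes(OLD, CHANGED))
```

Masking also hides a deliberate key rotation, so changes to the secrets themselves have to be tracked by some other means, such as change records.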
ccummings-coeur
Posts: 5
Joined: Mon May 18, 2020 4:08 pm

Tue May 19, 2020 8:01 pm

Thank you Tomas, I understand how challenging FortiOS can be—I tried working with it in Oxidized for an entire week straight before giving up entirely.

Do you think it would be possible to keep backing up a device but mute specific notifications for the device (e.g. keep backing up this device, but don't alert on changes for it)? This might be helpful for these devices that can be troublesome. I would imagine that this would be similar to the "Do not manage this device" function.

Many thanks!