Hoping someone can help me with a multiple line regex to omit detecting the following as a change in NCM...
this is what I used to fix that
Dek-info: .*[\t\r\n\v\f]*-----END RSA PRIVATE KEY-----.*
Thank-you for the reply, but unfortunately these are still getting thru.
Would you be able to post your Fortinet device template, and method of communication (SSH/SSH/TFTP)?
Also, what version of NCM are you currently running?
Could the blank line be causing my issues? (The blank line is located just below the DEK-Info line.)
Thanks in advance.
Dave
Were you ever able to figure out a RegEx Key pattern to use to ignore the -----END RSA PRIVATE KEY----- issue you were having? I have the same issue and the pattern mentioned above doesn't work for me as well.
'Shot of mine' changes all the time so I keep getting a "change" notification and new backup file. Any help would be appreciated.
DEK-Info: DES-EDE3-CBC,72AC492485367CE6
-----END RSA PRIVATE KEY-----"
Nope, haven't figured it out. Regex mentioned above (as you found out) doesn't work for me either.
Uggg! Well thank you for your response. I'm going to continue poking around with things for a bit. If I do happen to come up with something I'll be sure to let you know.
Thanks again!
We were able to use the following to accomplish this successfully...
set private-key "-----BEGIN RSA PRIVATE KEY-----.*[\t\r\n\v\f]*-----END RSA PRIVATE KEY-----.*
byrona
I am confused how any of the above are working without breaking real time detection. The Diff util uses BRE only and it's line by line, there's no multiline matching ever.
Have you guys actually validated you didn't break real time change detection entirely? I just want to ensure people don't see this thread and break stuff in their production environment considering this a closed answer.
Also, you would *most* likely need to use "\S" 64 times in a row since it's BRE and there are 64 non-white space characters per line, if there's no leading space ^\S first then 63 \S
I can't personally say that it's working. My network team said that is what they used and that it's working as expected. I will ask them to do a double check on it today and will let you know if they indicate that they have found any problems.
byrona No problem, see my edited comments. Honestly, I wouldn't want to try to account for this and I did give my best answer above to the problem. Lastly, the last line is 56 characters, you would need to check multiple keys and ensure it's 64 and 56 only.
Of final note, *IF* you happen to have a 56 or 64 non white space character line outside of this key, it will give a false match and ignore it.
You are correct, it did break things. I will strike that comment from the books!
Turns out that didn't work at all.
byrona have you tried, ^\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S etc, for 64 and 56 occurrences? It may work as nothing else is changing, you will also need the Dek-info:.* as well.
Keep in mind when you do this stuff in production, you will impact real time change detection.
This is an old post, but I am running into the same issue with the DEK-Info section of the Fortinet and can't figure out the regex to make the multiple line match work. The provided "correct answer" doesn't work and it is causing this backup to flag as changed every time I perform my scheduled backup job.
Any help would be great.
Hi,
Could you show us on a screenshot how that section looks for you?
E.g. there might be whitespace on the line before "Dek-info". In that case, you should use
[\t\r\n\v\f]*Dek-info: .*[\t\r\n\v\f]*-----END RSA PRIVATE KEY-----.*
Just an idea...
Jiri
This is what the sections look like:
DEK-Info: DES-EDE3-CBC,F5B0591EE16378FB
From what I see, each line is viewed as a separately changed line in NCM. Meaning it's not viewing this entire section as one line.
So I wrote the following Comparison Criteria exclusions:
^DEK.*
^\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S\S.*
This should have excluded any lines that start with DEK as well as any line in configurations that start with 40 or more non-whitespace characters. However every time I back up the device it reports all the sections that start with DEK-Info line have changed.
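Added example (Python; not from any post in this thread and not NCM's own logic): it models a generic line-by-line comparison to show why the multi-line patterns above never match a single line, how the 64/56-character per-line exclusions also hide an unrelated change, and how a stateful pass that drops the whole BEGIN...END block before comparing avoids both. The sample backups and the names `backup`, `changed` and `strip_key_blocks` are constructed for illustration.

```python
import difflib
import re

BEGIN, END = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"
# Pattern style from the thread, tried against one line at a time.
MULTILINE = re.compile(r"DEK-Info: .*[\t\r\n\v\f]*-----END RSA PRIVATE KEY-----.*")
# Per-line exclusions; \S{64} is shorthand for the 64 repeated \S a BRE engine needs.
PER_LINE = re.compile(r"^DEK-Info:.*|^\S{64}$|^\S{56}$")

def backup(iv, fill, token):
    """Constructed Fortinet-style backup; key body and token are dummy filler."""
    return "\n".join([
        f'set private-key "{BEGIN}',
        f"DEK-Info: DES-EDE3-CBC,{iv}",
        "",
        fill * 64,
        fill * 56,
        f'{END}"',
        token * 64,  # unrelated 64-character line outside the key block
        'set hostname "fw-example"',
    ])

def changed(a, b, ignore=None):
    """Line-by-line compare after dropping lines that match `ignore`."""
    def keep(text):
        return [l for l in text.splitlines() if not (ignore and ignore.search(l))]
    return [d for d in difflib.ndiff(keep(a), keep(b)) if d[0] in "+-"]

def strip_key_blocks(text):
    """Stateful pass: collapse everything from BEGIN to END into a placeholder."""
    out, inside = [], False
    for line in text.splitlines():
        if not inside and BEGIN in line:
            out.append(line.split(BEGIN)[0] + '<private key omitted>"')
            inside = END not in line
        elif inside:
            inside = END not in line
        else:
            out.append(line)
    return "\n".join(out)

# Two backups of the same device: re-encrypted key plus one real change (the token line).
A = backup("0000000000000001", "A", "1")
B = backup("0000000000000002", "B", "2")
```

Comparing `strip_key_blocks(A)` with `strip_key_blocks(B)` reports only the token line, while `PER_LINE` reports nothing at all, which is the false match described earlier in the thread.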