When you need to troubleshoot a FortiGate firewall, the conversation often goes the same way: "Can you send me your full config?" It's a reasonable ask — your support engineer or a colleague needs to see the complete picture to help. But the complete picture includes everything: VPN tunnel keys, HTTPS inspection certificates, API tokens, admin passwords, and SNMP community strings.

Sharing that config unmodified exposes all of those secrets at once.

What a FortiGate Config Actually Contains

A full FortiGate configuration dump includes several categories of sensitive data that often get overlooked:

Before and After: What Sanitization Looks Like

Here's a small snippet from a typical FortiGate config before and after sanitization:

--- BEFORE (Raw) ---
config vpn ipsec phase1
    edit "site-to-site-main"
        set psk "Tunnel@KeySecure#2026"
        set peer "203.0.113.5"
    next
end

config system admin
    edit "backup-admin"
        set password "F@rtinet2026"
    next
end

--- AFTER (Sanitized) ---
config vpn ipsec phase1
    edit "site-to-site-main"
        set psk "[VPNKEY_1]"
        set peer "203.0.113.5"
    next
end

config system admin
    edit "backup-admin"
        set password "[ADMIN_PASS_1]"
    next
end

The tunnel name, peer IP, and structure remain visible. Support engineers can follow the logic without ever seeing the real credentials. The tokens are consistent — if the same password appears multiple times, it gets the same placeholder throughout.

How to Sanitize FortiGate Configs

  1. Export your FortiGate config
     Log into the FortiGate console. Go to System > System Settings > Configuration and select Download to export the full config file to your machine.
  2. Install ScrubForge
     Add ScrubForge from the Chrome Web Store. Free, no account required. Pin the icon to your browser toolbar.
  3. Paste and sanitize
     Click the ScrubForge icon. Copy your exported config and paste it into ScrubForge. It processes the text in your browser and replaces sensitive values with consistent placeholder tokens instantly.
  4. Review the output
     Scan the sanitized output to confirm no real credentials remain. FortiGate uses many custom formats — always review before sharing, especially for non-standard fields.
  5. Share safely
     Copy the sanitized config and paste it into your Fortinet support ticket, vendor email, or AI assistant. Your real credentials stay on your machine.
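The consistent-token replacement and the review step described above, as an added Python example (not ScrubForge's code). The function names, the key list and the name-based review heuristic are assumptions, and the sample extends the page's snippet with a constructed second admin and RADIUS block.

```python
import re

SECRET_KEYS = {"psk": "VPNKEY", "password": "ADMIN_PASS"}  # assumed key list, extend it
SET_LINE = re.compile(r'^(\s*set\s+)([\w-]+)\s+(.+?)\s*$')     # set <key> <value>
PLACEHOLDER = re.compile(r'^"\[[A-Z_]+_\d+\]"$')               # "[LABEL_n]"
SUSPECT = re.compile(r'pass|pwd|psk|secret|key|token', re.I)   # review heuristic

def sanitize(config: str) -> str:
    """Replace values of known secret keys; equal values share one token."""
    tokens, counters, out = {}, {}, []
    for line in config.splitlines():
        m = SET_LINE.match(line)
        if m and m.group(2) in SECRET_KEYS and not PLACEHOLDER.match(m.group(3)):
            label, value = SECRET_KEYS[m.group(2)], m.group(3)
            if value not in tokens:          # first sighting: mint the next token
                counters[label] = counters.get(label, 0) + 1
                tokens[value] = f"[{label}_{counters[label]}]"
            line = f'{m.group(1)}{m.group(2)} "{tokens[value]}"'
        out.append(line)
    return "\n".join(out)

def review(sanitized: str) -> list[str]:
    """List lines whose key looks secret-bearing but still holds a real value."""
    found = (SET_LINE.match(ln) for ln in sanitized.splitlines())
    return [m.group(0).strip() for m in found
            if m and SUSPECT.search(m.group(2)) and not PLACEHOLDER.match(m.group(3))]

# Constructed sample: the page's snippet plus a reused password and an unmapped key.
SAMPLE = '''config vpn ipsec phase1
    edit "site-to-site-main"
        set psk "Tunnel@KeySecure#2026"
        set peer "203.0.113.5"
    next
end
config system admin
    edit "backup-admin"
        set password "F@rtinet2026"
    next
    edit "audit-admin"
        set password "F@rtinet2026"
    next
end
config user radius
    edit "corp-radius"
        set secret "R@diusShared1"
    next
end'''

if __name__ == "__main__":
    print(sanitize(SAMPLE), review(sanitize(SAMPLE)), sep="\nREVIEW: ")
```

Both admin entries come out as "[ADMIN_PASS_1]", while the RADIUS secret is not in the key list and is reported by review(), which is the kind of leftover the manual review step exists to catch.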

Why Local Processing Matters

Fortinet support cases are stored in Fortinet's systems indefinitely. Configs pasted into ChatGPT or Claude may be logged and used for model training. A sanitized version gives you the benefit of expert help without exposing active credentials to third-party storage.

ScrubForge processes everything in your browser. Nothing is sent to a server. This is especially important for production firewall configs that contain credentials currently in use across your network.

Sanitize FortiGate configs before you share them

ScrubForge is free to install. Paste your config, strip the credentials locally, and share safely — no upload, no account required.