When you need to troubleshoot a FortiGate firewall, the conversation often goes the same way: "Can you send me your full config?" It's a reasonable ask — your support engineer or a colleague needs to see the complete picture to help. But the complete picture includes everything: VPN tunnel keys, HTTPS inspection certificates, API tokens, admin passwords, and SNMP community strings.
Sharing that config unmodified exposes all of those secrets at once.
What a FortiGate Config Actually Contains
A full FortiGate configuration dump includes several categories of sensitive data that often get overlooked:
- Admin and user passwords — encrypted in the config, but still sensitive material
- VPN tunnel pre-shared keys — active credentials for site-to-site or client VPN
- HTTPS inspection certificates and private keys — used to decrypt HTTPS traffic
- API tokens — used for automation, third-party integrations, and programmatic access
- DNS forwarding credentials — usernames and passwords for dynamic DNS providers
- Email alert and syslog authentication — passwords for external services
Before and After: What Sanitization Looks Like
Here's a small snippet from a typical FortiGate config before and after sanitization:
--- BEFORE (Raw) ---
config vpn ipsec phase1
    edit "site-to-site-main"
        set psk "Tunnel@KeySecure#2026"
        set peer "203.0.113.5"
    next
end
config system admin
    edit "backup-admin"
        set password "F@rtinet2026"
    next
end

--- AFTER (Sanitized) ---
config vpn ipsec phase1
    edit "site-to-site-main"
        set psk "[VPNKEY_1]"
        set peer "203.0.113.5"
    next
end
config system admin
    edit "backup-admin"
        set password "[ADMIN_PASS_1]"
    next
end
The tunnel name, peer IP, and structure remain visible. Support engineers can follow the logic without ever seeing the real credentials. The tokens are consistent — if the same password appears multiple times, it gets the same placeholder throughout.
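The consistent-placeholder behavior described above can be sketched in a few lines of Python. This is an added example, not ScrubForge's code: the keyword table, the `sanitize` and `leaked` names, and the sample config are assumptions made for illustration, and it only handles single-line `set` values (multi-line certificate and private-key blocks are not covered).

```python
import re

# Keyword -> placeholder label. "psk" and "password" come from the snippet
# above; "psksecret" and "passwd" are added here. Assumed, not a complete list.
SECRET_KEYS = {"psk": "VPNKEY", "psksecret": "VPNKEY",
               "password": "ADMIN_PASS", "passwd": "USER_PASS"}
# set <key> "value" | set <key> ENC <blob> | set <key> bareword (single line only)
LINE_RE = re.compile(r'^(?P<head>\s*set\s+(?P<key>[\w-]+)\s+)'
                     r'(?P<val>"(?:[^"\\]|\\.)*"|ENC\s+\S+|\S+)\s*$')

def sanitize(config_text):
    """Return (sanitized_text, {real value: placeholder})."""
    mapping, counters, out = {}, {}, []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") in SECRET_KEYS:
            value = m.group("val").strip('"')
            if value not in mapping:  # same value -> same token everywhere
                label = SECRET_KEYS[m.group("key")]
                counters[label] = counters.get(label, 0) + 1
                mapping[value] = f"[{label}_{counters[label]}]"
            line = f'{m.group("head")}"{mapping[value]}"'
        out.append(line)
    return "\n".join(out), mapping

def leaked(sanitized_text, mapping):
    """Review step: real values that still appear somewhere in the output."""
    return [value for value in mapping if value in sanitized_text]

# Constructed sample: the page's snippet plus a reused key and a comment field.
SAMPLE = '''config vpn ipsec phase1
    edit "site-to-site-main"
        set psk "Tunnel@KeySecure#2026"
        set peer "203.0.113.5"
    next
    edit "site-to-site-backup"
        set psk "Tunnel@KeySecure#2026"
        set comments "temp key Tunnel@KeySecure#2026"
    next
end
config system admin
    edit "backup-admin"
        set password "F@rtinet2026"
    next
end'''
if __name__ == "__main__":
    text, mapping = sanitize(SAMPLE)
    print(text)
    print("still present:", leaked(text, mapping))
```

In the sample, both tunnels receive `[VPNKEY_1]`, while `leaked` reports the key that was also pasted into a comment field, which is the kind of leftover a manual review of the output needs to catch.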
How to Sanitize FortiGate Configs
1. Export your FortiGate config: Log into the FortiGate console. Go to System > System Settings > Configuration and select Download to export the full config file to your machine.
2. Install ScrubForge: Add ScrubForge from the Chrome Web Store. Free, no account required. Pin the icon to your browser toolbar.
3. Paste and sanitize: Click the ScrubForge icon. Copy your exported config and paste it into ScrubForge. It processes the text in your browser and replaces sensitive values with consistent placeholder tokens instantly.
4. Review the output: Scan the sanitized output to confirm no real credentials remain. FortiGate uses many custom formats — always review before sharing, especially for non-standard fields.
5. Share safely: Copy the sanitized config and paste it into your Fortinet support ticket, vendor email, or AI assistant. Your real credentials stay on your machine.
Why Local Processing Matters
Fortinet support cases are stored in Fortinet's systems indefinitely. Configs pasted into ChatGPT or Claude may be logged and used for model training. A sanitized version gives you the benefit of expert help without exposing active credentials to third-party storage.
ScrubForge processes everything in your browser. Nothing is sent to a server. This is especially important for production firewall configs that contain credentials currently in use across your network.
Sanitize FortiGate configs before you share them
ScrubForge is free to install. Paste your config, strip the credentials locally, and share safely — no upload, no account required.