fortios: remove ENC passwords from significant changes

Address issue #3176 and partly #3680
Remove the \n in pre_logout "exit\n", as \n is already added by oxidized and this collides with the unit test.
Add a YAML Simulation file for fortios and unit tests

Author: robertcheramy

CHANGELOG.md

@@ -12,7 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Changed
 - Refactored models: Use `keep_lines` and `reject_lines` in aosw, arubainstant, asa, efos, firelinuxos, fsos, ironware, mlnxos and perle to (@robertcheramy)
-- Modified models to support store mode on significant changes: ios (@robertcheramy)
+- Modified models to support store mode on significant changes: ios, fortios (@robertcheramy)
 
 ### Fixed
 - apc_aos: set comment to "; " to match comments in config.ini (@robertcheramy)

lib/oxidized/model/fortios.rb

@@ -108,12 +108,18 @@ class FortiOS < Oxidized::Model
     cfg.join
   end
 
+  cmd :significant_changes do |cfg|
+    cfg.reject_lines [
+      /^ +set \S+ ENC \S+$/
+    ]
+  end
+
   cfg :telnet do
     username /^[lL]ogin:/
     password /^Password:/
   end
 
   cfg :telnet, :ssh do
-    pre_logout "exit\n"
+    pre_logout "exit"
   end
 end

spec/model/data/fortios#FortiGate-91G_7.4.7#output.txt

@@ -0,0 +1,132 @@
+# # COMMAND: get system status
+# Version: FortiGate-91G v7.4.7,build2731,250120 (GA.M)
+# First GA patch build date: 230509
+# Security Level: High
+# Firmware Signature: certified
+# Virus-DB <db version stripped>
+# Extended DB <db version stripped>
+# AV AI/ML Model <db version stripped>
+# IPS-DB <db version stripped>
+# IPS-ETDB <db version stripped>
+# APP-DB <db version stripped>
+# Proxy-IPS-DB <db version stripped>
+# Proxy-IPS-ETDB <db version stripped>
+# Proxy-APP-DB <db version stripped>
+# FMWP-DB <db version stripped>
+# IPS Malicious URL Database <db version stripped>
+# IoT-Detect <db version stripped>
+# OT-Detect-DB: 0.00000(2001-01-01 00:00)
+# OT-Patch-DB: 0.00000(2001-01-01 00:00)
+# OT-Threat-DB: 6.00741(2015-12-01 02:30)
+# IPS-Engine: 7.00559(2024-12-05 01:06)
+# Serial-Number: FGT91GTK00000000
+# BIOS version: 06000100
+#          System Part-Number: P28792-06
+# Log hard disk: Available
+# Hostname: TEST-FW1234
+# Private Encryption: Disable
+# Operation Mode: NAT
+# Current virtual domain: root
+# Max number of virtual domains: 10
+# Virtual domains status: 1 in NAT mode, 0 in TP mode
+# Virtual domain configuration: disable
+# FIPS-CC mode: disable
+# Current HA mode: standalone
+# Branch point: 2731
+# Release Version Information: GA
+# System time: <stripped>
+# Last reboot reason: warm reboot
+# 
+# # COMMAND: get system ha status
+# HA Health Status: OK
+# Model: FortiGate-91G
+# Mode: Standalone
+# # COMMAND: get hardware status
+# Model name: FortiGate-91G
+# ASIC version: SOC5
+# CPU: ARMv8
+# Number of CPUs: 8
+# RAM: 7547 MB
+# EMMC: 9982 MB(MLC) /dev/mmcblk0
+# Hard disk: 114473 MB /dev/nvme0n1
+# USB Flash: not available
+# Network Card chipset: FortiASIC NP7LITE Adapter (rev.)
+# Hardware Revision: Rev1
+# 
+# COMMAND: show | grep .
+#config-version=FGT91G-7.4.7-FW-build2731-250120:opmode=1:vdom=0:user=TACACS-USER
+#conf_file_ver=<stripped>
+#buildno=2731
+#global_vdom=1
+config system global
+    set admin-restrict-local enable
+    set alias "FortiGate-91G"
+    set hostname "TEST-FW1234"
+    set lldp-reception enable
+    set lldp-transmission enable
+    set switch-controller enable
+    set timezone "Europe/Berlin"
+    set virtual-switch-vlan enable
+end
+config system interface
+    edit "wan1"
+        set vdom "root"
+        set ip 192.0.2.2 255.255.255.240
+        set allowaccess ping https ssh snmp http fgfm ftm
+        set type physical
+        set alias "outside"
+        set monitor-bandwidth enable
+        set role wan
+        set snmp-index 1
+        set speed 10000auto
+    next
+end
+config system admin
+    edit "oxidized"
+        set trusthost1 192.0.2.0 255.255.255.0
+        set accprofile "super_admin"
+        set vdom "root"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+    next
+end
+config system snmp user
+    edit "snmpuser"
+        set notify-hosts 192.0.2.10 192.0.2.11
+        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ips-signature av-virus av-oversize av-pattern av-fragmented fm-if-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert faz-disconnect device-new per-cpu-high
+        set security-level auth-priv
+        set auth-pwd ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set priv-pwd ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+    next
+end
+config vpn certificate local
+    edit "Fortinet_CA_SSL"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
+  end
+config user tacacs+
+    edit "tacacs-server-name"
+        set server "192.0.2.19"
+        set secondary-server "192.0.2.20"
+        set key ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set secondary-key ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set authorization enable
+    next
+end
+config firewall ssh local-key
+    edit "Fortinet_SSH_RSA2048"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set source built-in
+    next
+end
+config firewall ssh local-ca
+    edit "Fortinet_SSH_CA"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set source built-in
+    next
+end
+config router multicast
+end
+

spec/model/data/fortios#FortiGate-91G_7.4.7#secret.yaml

@@ -0,0 +1,2 @@
+fail:
+  - 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCC'

spec/model/data/fortios#FortiGate-91G_7.4.7#significant_changes.yaml

@@ -0,0 +1,2 @@
+fail:
+ - 'ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC'

spec/model/data/fortios#FortiGate-91G_7.4.7#simulation.yaml

@@ -0,0 +1,160 @@
+---
+init_prompt: |-
+    TEST-FW1234 #\x20
+commands:
+  - "get system status\n": |-
+      get system status\r
+      Version: FortiGate-91G v7.4.7,build2731,250120 (GA.M)
+      First GA patch build date: 230509
+      Security Level: High
+      Firmware Signature: certified
+      Virus-DB: 1.00000(2018-04-09 18:07)
+      Extended DB: 1.00000(2018-04-09 18:07)
+      AV AI/ML Model: 0.00000(2001-01-01 00:00)
+      IPS-DB: 6.00741(2015-12-01 02:30)
+      IPS-ETDB: 0.00000(2001-01-01 00:00)
+      APP-DB: 6.00741(2015-12-01 02:30)
+      Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
+      Proxy-IPS-ETDB: 0.00000(2001-01-01 00:00)
+      Proxy-APP-DB: 6.00741(2015-12-01 02:30)
+      FMWP-DB: 25.00121(2025-12-16 08:01)
+      IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
+      IoT-Detect: 0.00000(2022-08-17 17:31)
+      OT-Detect-DB: 0.00000(2001-01-01 00:00)
+      OT-Patch-DB: 0.00000(2001-01-01 00:00)
+      OT-Threat-DB: 6.00741(2015-12-01 02:30)
+      IPS-Engine: 7.00559(2024-12-05 01:06)
+      Serial-Number: FGT91GTK00000000
+      BIOS version: 06000100
+      --More--\x20
+  - " ": |-
+      \r         \rSystem Part-Number: P28792-06
+      Log hard disk: Available
+      Hostname: TEST-FW1234
+      Private Encryption: Disable
+      Operation Mode: NAT
+      Current virtual domain: root
+      Max number of virtual domains: 10
+      Virtual domains status: 1 in NAT mode, 0 in TP mode
+      Virtual domain configuration: disable
+      FIPS-CC mode: disable
+      Current HA mode: standalone
+      Branch point: 2731
+      Release Version Information: GA
+      System time: Wed Jan  7 14:30:09 2026
+      Last reboot reason: warm reboot
+      
+      TEST-FW1234 #\x20
+  - "get system ha status\n": |-
+      get system ha status\r
+      HA Health Status: OK
+      Model: FortiGate-91G
+      Mode: Standalone
+      Group Name:\x20
+      Group ID: 0
+      Debug: 0
+      Cluster Uptime: 0 days 0h:0m:0s
+      Cluster state change time: N/A
+      ses_pickup: disable
+      override: disable
+      System Usage stats:
+      HBDEV stats:
+      number of member: 0
+      number of vcluster: 0
+      
+      TEST-FW1234 #\x20
+  - "get hardware status\n": |-
+      get hardware status\r
+      Model name: FortiGate-91G
+      ASIC version: SOC5
+      CPU: ARMv8
+      Number of CPUs: 8
+      RAM: 7547 MB
+      EMMC: 9982 MB(MLC) /dev/mmcblk0
+      Hard disk: 114473 MB /dev/nvme0n1
+      USB Flash: not available
+      Network Card chipset: FortiASIC NP7LITE Adapter (rev.)
+      Hardware Revision: Rev1
+      
+      TEST-FW1234 #\x20
+  - "show | grep .\n": |-
+      show | grep .\r
+      #config-version=FGT91G-7.4.7-FW-build2731-250120:opmode=1:vdom=0:user=TACACS-USER
+      #conf_file_ver=440000000000001
+      #buildno=2731
+      #global_vdom=1
+      config system global
+          set admin-restrict-local enable
+          set alias \"FortiGate-91G\"
+          set hostname \"TEST-FW1234\"
+          set lldp-reception enable
+          set lldp-transmission enable
+          set switch-controller enable
+          set timezone \"Europe/Berlin\"
+          set virtual-switch-vlan enable
+      end
+      config system interface
+          edit \"wan1\"
+              set vdom \"root\"
+              set ip 192.0.2.2 255.255.255.240
+              set allowaccess ping https ssh snmp http fgfm ftm
+              set type physical
+              set alias \"outside\"
+              set monitor-bandwidth enable
+              set role wan
+              set snmp-index 1
+              set speed 10000auto
+          next
+      end
+      config system admin
+          edit \"oxidized\"
+              set trusthost1 192.0.2.0 255.255.255.0
+              set accprofile \"super_admin\"
+              set vdom \"root\"
+              set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+          next
+      end
+      config system snmp user
+          edit \"snmpuser\"
+              set notify-hosts 192.0.2.10 192.0.2.11
+              set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ips-signature av-virus av-oversize av-pattern av-fragmented fm-if-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert faz-disconnect device-new per-cpu-high
+              set security-level auth-priv
+              set auth-pwd ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+              set priv-pwd ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+          next
+      end
+      config vpn certificate local
+          edit \"Fortinet_CA_SSL\"
+              set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+              set comments \"This is the default CA certificate the SSL Inspection will use when generating new server certificates.\"
+              set range global
+              set source factory
+          next
+        end
+      config user tacacs+
+          edit \"tacacs-server-name\"
+              set server \"192.0.2.19\"
+              set secondary-server \"192.0.2.20\"
+              set key ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+              set secondary-key ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+              set authorization enable
+          next
+      end
+      config firewall ssh local-key
+          edit \"Fortinet_SSH_RSA2048\"
+              set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+              set source built-in
+          next
+      end
+      config firewall ssh local-ca
+          edit \"Fortinet_SSH_CA\"
+              set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+              set source built-in
+          next
+      end
+      config router multicast
+      end
+      
+      TEST-FW1234 #\x20
+  - "exit\n": |-
+      exit\r