Tuesday, April 28, 2020

Backup

In this blog post we will take some backups via the CLI on the FortiGate and then do a restore.

We will try with FTP/TFTP and SCP.

First, let's see what options we have with the execute backup command.

FG1 # execute backup
config           config
disk             disk
full-config      full-config
ipsuserdefsig    ipsuserdefsig
memory           memory

FG1 #


The backup server in all tests will be a Lubuntu host at 192.168.100.220.

1) FTP

FG1 # execute backup config ftp FG1_200427FTP 192.168.100.220:21 ftpuser ftpuser
Please wait...

Connect to ftp server 192.168.100.220:21 ...
Send config file to ftp server OK.

FG1 #


Check for the file:



2) TFTP

FG1 # execute backup config tftp FG1_200427TFTP 192.168.100.220
Please wait...
Connect to tftp server 192.168.100.220 ...
#
Send config file to tftp server OK.

FG1 # 


Check for the file:  



3) SCP

We need to make sure of 2 things first:

a) Make sure SSH is enabled in "allowaccess" for the interface you want to use to send/receive the SCP session.

FG1 # sh system interface port2
config system interface
    edit "port2"
        set vdom "root"
        set ip 192.168.100.10 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set snmp-index 2
    next
end


b) Enable SCP in the global config.

FG1 # show system global
config system global
    set admin-https-ssl-versions tlsv1-2
    set admin-scp enable
    set alias "FortiGate-VM64"
    set hostname "FG1"
    set timezone 65
end

FG1 # 


If you don't have SCP enabled in the global config and you try an SCP backup, this will be the result:



With SCP enabled, the SCP backup works (pull from the FortiGate).
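
As an added example (not from the original post), these shell functions for the Lubuntu backup server pull the config over SCP and check that the file that arrived, by any of the three methods, is a complete FortiGate config before it is relied on for a restore. The account name "admin", the function names and the header layout in the constructed sample are assumptions; "sys_config" is the name under which FortiOS offers the running config to SCP clients.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the backup server.

# Pull the running config (needs "set admin-scp enable" and ssh in allowaccess).
# Assumption: the admin account is "admin" unless a third argument is given.
pull_fg_config() {    # usage: pull_fg_config <fortigate-ip> <dest-file> [user]
    ( umask 077 && scp "${3:-admin}@$1:sys_config" "$2" )
}

# Constructed sample of a cleartext backup, for trying the check offline.
make_sample_backup() {    # usage: make_sample_backup <file>
    cat > "$1" <<'EOF'
#config-version=FGVM64-6.2.3-FW-build1066-191218:opmode=0:vdom=0:user=admin
#conf_file_ver=1
#buildno=1066
#global_vdom=1
config system global
    set admin-scp enable
    set hostname "FG1"
end
EOF
}

# Return 0 only if the file looks like a complete FortiGate config backup.
verify_fg_backup() {    # usage: verify_fg_backup <file> [expected-build]
    f=$1; build=$2
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty" >&2; return 1; }
    # A cleartext backup starts with a "#config-version=" header line.
    hdr=$(head -n 1 "$f" | tr -d '\r')
    case $hdr in
        '#config-version='*) ;;
        *) echo "FAIL: no #config-version header" >&2; return 1 ;;
    esac
    # Optional: the build in the header should match the unit being restored.
    if [ -n "$build" ]; then
        case $hdr in
            *"-build$build-"*) ;;
            *) echo "FAIL: backup is not from build $build" >&2; return 1 ;;
        esac
    fi
    grep -q '^config system global' "$f" \
        || { echo "FAIL: no 'config system global' block" >&2; return 1; }
    # An interrupted transfer usually does not finish on a closing "end".
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1 | tr -d '\r')
    [ "$last" = "end" ] || { echo "FAIL: file looks truncated" >&2; return 1; }
    # The config holds password hashes and keys: owner-only access.
    chmod 600 "$f"
}
```

For the unit in this post the call would be `verify_fg_backup FG1_200427FTP 1066`, since build 1066 is what `get system status` reports.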



4) RESTORE

Let's say we RMA'd a unit or need to restore a config on a fresh unit.
What's the minimum we need to configure on the console before we can attempt a full restore via SCP?
 

The minimum is to enable SSH and configure the IP address on the interface you will SCP to (assuming the Forti has a route to the SCP server; if not, you will need to add a route for that as well).

config system interface
    edit "port2"
        set ip 192.168.100.10 255.255.255.0
        set allowaccess ssh
    next
end

config system global
    set admin-scp enable
end


The restore:


And I can confirm that after that the config is 100% restored correctly on the Forti, at least with regard to basic config elements such as rules, objects, DHCP, etc.


FG1 # get system status | grep Version
Version: FortiGate-VM64 v6.2.3,build1066,191218 (GA)
Release Version Information: GA

