Automated Full-config backups

ilucas
New Member
2014/11/17 08:08:40 (permalink)
0

Automated Full-config backups

We would like to be able to schedule automated full-config backups to be offloaded to an FTP server. I know the FortiManager has backup capabilities of configs for its registered devices but we do not really need a full central management system (though it would be nice).
I'm wondering if anyone has used other solutions/workarounds to make this happen. I believe FortiMail or FortiWeb devices have a scheduled backup that can be run, but not FortiGate.
 
Thank you,
 
Ian
#1
Dave Hall
Expert Member
Re: Automated Full-config backups 2014/11/17 08:51:36 (permalink) - Best Answer by ilucas 2014/11/17 10:13:34
0
See emnoc's post about scp or search link at the top of this page.

NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
#2
TechnoR05
Bronze Member
Re: Automated Full-config backups 2014/11/17 10:25:57 (permalink) - Helpful by robsonlupo 2017/03/24 11:39:43
0
Hello,
 
We use PuTTY run from the TFTP server.
It's not the best security, also it is TFTP and all plain-text, but we have a task scheduled that does a backup every day of each VDOM and also a full backup.
It's something like this:
The task runs a .bat file calling PuTTY and login info:
C:\Putty.exe -ssh <Fortigate IP> -l <UserLoginName> -pw <UserPassword> -m C:\BackupGlobal.txt
And the txt files are similar to:
config global
exe backup config tftp <Filename> <ServerIP>
end
exit
- -
Does what we need, you could probably build from there.
 
Regards
#3
ilucas
New Member
Re: Automated Full-config backups 2014/11/17 10:28:44 (permalink)
0
Thanks! Likely, I would make a read-only account for this and allow as little as possible. I will also see about using the SCP option or a secured FTP option rather than TFTP, but this is helpful.
 
 
TechnoR05
Hello,
 
We use putty run from the tftp server.
It's not the best security, also it is TFTP and all plain-text, but we have a task scheduled that does a backup every day of each vdom and also a full backup.
It's something like this :
the task runs a .bat file calling putty and login info :
C:\Putty.exe -ssh <Fortigate IP> -l <UserLoginName> -pw <UserPassword> -m C:\BackupGlobal.txt
And the txt files are similar to :
config global
exe backup config tftp <Filename> <ServerIP>
end
exit
- -
Does what we need, you could probably build from there.
 
Regards

----
FG 200B/30D/60D/80D/100D/200D/300D
FE 200D
#4
adikad
New Member
Re: Automated Full-config backups 2016/01/27 01:52:10 (permalink) - Helpful by marc10k 2016/02/24 06:34:19
5 (1)
With new FortiOS 5.4 you can now have a scheduled auto config backup!
config system auto-script
edit "backup"
set interval (secs)
set repeat ()
set start auto
set script "execute backup config tftp config.txt x.x.x.x"
next
end 
cheers
#5
chimera
New Member
Re: Automated Full-config backups 2016/02/16 17:38:43 (permalink)
0
Here's an alternate option for you...  
 
I have a number of clients with Fortigate firewalls and needed an easy way for them to all be automatically backed up on a weekly basis.  I wrote an AutoIT script (www.autoitscript.com) that, if you have any form of coding experience, you can alter and compile to an executable for your own needs.  It does require a few minor prerequisites to get going, but runs very well for me.  It utilises plink.exe (part of the PuTTY suite as someone mentioned above) to obtain the config (it will automatically download plink.exe if it doesn't exist).
 
Basically it works like this:
 
1. I set up an FTP server at my own premises and then configured a VIP/policy on my own Fortigate firewall, restricting FTP inbound from the public IP addresses of my clients' Fortigates only.
 
2. At each client's site, I copied the compiled ftpconf.exe to one of their local servers (generally their domain controller), saving it under C:\Backup, then created a scheduled task in Windows to run it every Friday night around 10 pm (make sure you choose to run even if the user isn't logged in).
 
3. I then created an "ftpconf" account on the client's Fortigate with the same password, but restrict logons to that account from the IP address of the server that ftpconf.exe runs from.  That user is also a member of a new "ReadOnly" Admin Profile you will need to create, which has read-only permissions for all Access Controls EXCEPT for 'Maintenance' where it requires read/write (for some reason, it wouldn't back up the entire config without this as read/write - possibly a bug?).  Also ensure SSH is open on the internal (LAN side) interface.
 
4. I then created an FTP account on my own FTP server which is inside the compiled ftpconf script (yes, I'm aware that AutoIT executables can be decompiled, but there is enough security above for me not to worry about it).
 
You can download the sample script from here:
 
http://www.chimera.co.nz/fortigate/ftpconf.au3
 
You need to change the following lines at the top of the code to reflect your setup.  
 
; Fortigate variables
Global Const $FortigateUSER = "ftpconf"
Global Const $FortigatePASS = "ftpconf"
 
; FTP variables
Global Const $FTPPATH = "/fwconfigs/"
Global Const $FTPSERVER = "ftp.myserver.co.nz"
Global Const $FTPUSER = "ftpuser"
Global Const $FTPPASS = "ftppassword"
 
So, using the above constants as an example, it will locally connect to their own Fortigate using the default gateway IP address of the machine the executable is run from (or you can override this by passing the IP of the Fortigate as a parameter to ftpconf.exe, e.g. ftpconf 192.168.1.254), logging on with the username 'ftpconf' and password 'ftpconf'. It then FTPs its configuration to ftp.myserver.co.nz/fwconfigs/DOMAIN (where 'DOMAIN' is the Active Directory domain name, or the PC name if in a workgroup) using 'ftpuser' as username and 'ftppassword' as the password (change to suit your needs).  The FTP path also needs to exist on the FTP server first (so, for example, manually create /fwconfigs/DOMAIN).  It will create a backup file of the config in a format that includes the date that ftpconf.exe was run (so you can have multiple revisions of the config for audit purposes).
 
It will log all output (to the same folder that ftpconf.exe is in) to a file 'ftpconf.log' - for example, looks like this:
 
01/22/2016 10:00:00 - BEGIN SCRIPT
Scanning Registry for Gateway IP address
Connecting to Gateway IP Address 192.168.x.x
=== SUCCESS ===
exec backup config ftp /fwconfigs/JAMES/fwbackup-SERVER-2016-01-22.conf ftp.myserver.co.nz username_hidden password_hidden
Please wait...
Please wait...
Connect to ftp server ftp.myserver.co.nz ...
Send config file to ftp server OK.
Setting timestamp
FORTIGATE $
*****************************************************************************************
01/29/2016 10:00:08 - BEGIN SCRIPT
Scanning Registry for Gateway IP address
Connecting to Gateway IP Address 192.168.x.x
=== FAILED ===
Connection Timed Out
 
(the latter output shown above is because I'd accidentally disabled ssh on the internal LAN interface!)
 
I've added plenty of error handling in to it, let me know if there are any issues though.  I will point out that I did take the "ReadData" function code from another poster on the AutoIT web site, so can't take credit for that part :-)
 
Hope this helps.
 
 
post edited by chimera - 2016/02/16 17:47:10
#6
mkunext
New Member
Re: Automated Full-config backups 2016/02/17 01:01:25 (permalink)
0
Hello,
 
I recently set up a centralized configuration management server that handles our periodic full-config backups (of Fortigate, Cisco etc.). I chose rConfig. It needs to run on a dedicated CentOS server (I chose a small VM for that), and it takes about 1-2 hours to prep everything, but once you've got everything running it's great, because rConfig also offers integrated config DIFF, so you can easily check for changes and generate reports or check them against rules.
 
Might be a bit overkill for your current task, but if you have more than one device, you might want to give it a try (it's free). If you do so, please note that in the current build you need to apply a workaround to get it to work with FortiOS: when adding a device, insert \s into the 'Prompt' field for every whitespace in your SSH shell prompt. Check the rConfig forum, there's more info on that.
 
tl;dr I use rConfig on a dedicated server, works great and supports config diff and other vendors as well.
#7
marc10k
New Member
Re: Automated Full-config backups 2016/02/24 06:57:14 (permalink)
0
Hello 
 
The auto-script from adikad works nicely in my environment. But when I try to upload the data via TFTP into a specific folder it stops working. For example:
execute backup config tftp config.txt 192.168.0.1/backup
 
It does not work and gives me an error message "unknown host". But when I use another computer and transfer data via TFTP it does work. Is there a workaround on the Fortigate side?
I know that in the CLI handbook only an IP is mentioned and not another directory.
 
Marcus
post edited by marc10k - 2016/02/24 06:58:23
#8
ede_pfau
Expert Member
Re: Automated Full-config backups 2016/02/24 07:43:44 (permalink)
0
Exactly. Try without folder name. This is Tftp, T=trivial.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#9
marc10k
New Member
Re: Automated Full-config backups 2016/02/24 07:59:04 (permalink)
0
I have recently changed to a Fortinet router from another manufacturer and at the moment I am in the process of copying the functionality from the old one into the new one. With the old one it did work. As I am not so deep into tftp I do not see the problem why it should not work in general. It might be that the FortiOS does not have this functionality. 
Another solution would be to change the settings in the tftp server, but this involves more than just the single change...
 
Marcus
#10
ede_pfau
Expert Member
Re: Automated Full-config backups 2016/02/24 09:50:02 (permalink)
0
I think the way TFTP is implemented in FortiOS it's limited. Have you considered SCP for automated backups?

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#11
marc10k
New Member
Re: Automated Full-config backups 2016/02/26 03:13:49 (permalink)
0
SCP is of course an option. Unfortunately changing this involves more than just a modification on the TFTP server to accept SCP. The Fortinet and its predecessor are installed in a lot of similar installations of an industrial application and changes involve also its documentation and more...
#12
JohnAgora
Silver Member
Re: Automated Full-config backups 2016/03/18 15:37:47 (permalink)
0
Any ideas on how to debug the backup (ftp) process? I'm having problems
#13
marc10k
New Member
Re: Automated Full-config backups 2016/03/20 23:21:35 (permalink)
0
Hello John
Depending on who starts the FTP session, I would start looking at blocked FTP ports or the FTP session helper in the router. Is it in place, and if you use another port for FTP you might have to implement a new one. Wireshark might help to see what is going on during the negotiation. Also the built-in diagnose tools in the CLI are of good help.
From my experience, most problems with FTP occur due to a blocked or not opening port.
#14
JohnAgora
Silver Member
Re: Automated Full-config backups 2016/03/20 23:37:19 (permalink)
0
You were right. It was related to ports.
Anyhow I couldn't make an efficient diagnostic on the Fortigate.
I used a FortiManager and debug there (execute backup ...; diagnose debug application curl -1), then I run the backups on the Fortigate.
 
Thanks!
#15
JohnAgora
Silver Member
Re: Automated Full-config backups 2016/03/28 10:46:50 (permalink)
0
It is weird, last week it worked; anyhow, now I can't make it work.
Any idea on how to debug the backup process on a Fortigate?
On the FortiManager it works fine.
The message I get is:
Please wait...
 
Connect to ftp server t.backups.domain.com ...
Send config file to ftp server via vdom root failed.
Command fail. Return code 5
 
Any idea?
 
Thanks!
#16
Aigarz
Bronze Member
Re: Automated Full-config backups 2016/08/20 10:12:13 (permalink)
0
adikad
with new FortiOS5.4 you can now have a scheduled auto config backup !
<omitted>

Is it possible to run the script only upon configuration changes or revision saves?
This would make more sense if there are units with occasional changes.
#17
ytlpsnet
New Member
Re: Automated Full-config backups 2016/08/28 18:07:00 (permalink)
0
Use a Linux server, then configure a script to schedule the backup as below:
 
#!/bin/bash
# linux/UNIX
# Space-separated list of FortiGate addresses to back up
SERVERS="your_fortigate_ip_address"
# SSH user name and password (renamed from PWD: PWD is the shell's
# working-directory variable, so it should not be reused for the password)
USR="your_fortigate_username"
PASS="your_fortigate_password"
# Where the backups are stored
DEST=/home/backup-fortigate-config

timestamp=$(date +"%y-%m-%d")
mkdir -p "$DEST"

# connect to each host and pull the config over SCP
for host in $SERVERS
do
    sshpass -p "$PASS" scp -o StrictHostKeyChecking=no "$USR@$host:sys_config" "$DEST/${timestamp}_${host}.conf"
done
echo 'Backup Completed!'
exit 0


Make sure you have configured crontab to run this script on a schedule, like every 2 days or 1 week...
#18
teamradon
New Member
Re: Automated Full-config backups 2017/05/01 12:18:07 (permalink)
0
As a note to those thinking of using SCP and a read-only user.  
 
I had this working and then when the time came to restore, the restore went fine except I could not login with an admin account!
If the SCP backup is taken with a read-only account, it does not get the config for your super user account(s). Yes I double checked that my read-only account has access to EVERYTHING. I did call support and they confirmed. I personally feel this is a huge flaw but.......
I have confirmed that if I connect and take the backup using SCP and using credentials for a super user that all user information is included. 
Thankfully I had a full backup that existed for this router and I was able to copy the necessary user info to the backup file and then restore.
#19
sanderl
Bronze Member
Re: Automated Full-config backups 2018/03/13 08:25:23 (permalink)
0
adikad
with new FortiOS5.4 you can now have a scheduled auto config backup !
config system auto-script
edit "backup"
set interval (secs)
set repeat ()
set start auto
set script "execute backup config tftp config.txt x.x.x.x"
next
end 
cheers
 
Any hint or tip to make the filename in the above (set script "execute backup config tftp config.txt x.x.x.x") variable? Now all works fine but the file config.txt is overwritten every time. Would like to add date and time to the filename and keep all files.
#20
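The auto-script in the thread always writes the same fixed name (config.txt), so the revision handling has to happen on the receiving server. The script below is an added example written for this thread, not code from any poster or from Fortinet: it runs from cron on the TFTP/SCP server after the auto-script fires, renames the received file to a timestamped revision (sanderl's question), stores a revision only when the content actually changed (which gives the "only on configuration changes" behaviour Aigarz asked about, without any support for it on the FortiGate side), prunes old revisions, and prints a unified diff of the latest change (the config DIFF mkunext gets from rConfig). The "#config-version=" header check is a heuristic based on the first line of FortiOS backup files; the paths, the KEEP count and the sample config in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): server-side archiving of a FortiGate
# backup that always arrives under the same name, e.g. the config.txt written by
#   set script "execute backup config tftp config.txt x.x.x.x"
# Run it from cron on the TFTP/SCP server shortly after the auto-script fires.
# Assumed layout: received file -> archive directory of config-<stamp>.txt files.

# archive_backup RECEIVED_FILE ARCHIVE_DIR KEEP [STAMP]
#   0 -> a new revision was stored; its path is printed on stdout
#   3 -> received file is identical to the newest revision; nothing stored
#   1 -> received file missing, empty, or not a FortiOS backup
archive_backup() {
    src=$1; dir=$2; keep=$3
    stamp=${4:-$(date +%Y%m%d-%H%M%S)}   # caller may pass a fixed stamp (tests do)

    [ -s "$src" ] || { echo "archive_backup: $src is missing or empty" >&2; return 1; }
    # A FortiOS backup begins with a "#config-version=" line; a truncated TFTP
    # transfer or a server error page will not, so refuse to archive it.
    head -n 1 "$src" | grep -q '^#config-version=' \
        || { echo "archive_backup: $src is not a FortiOS config" >&2; return 1; }

    mkdir -p "$dir"
    latest=$(ls -1 "$dir"/config-*.txt 2>/dev/null | sort | tail -n 1)
    # Byte-identical to the newest revision: nothing changed on the firewall,
    # so do not create a duplicate revision.
    if [ -n "$latest" ] && cmp -s "$src" "$latest"; then
        return 3
    fi

    dest="$dir/config-$stamp.txt"
    cp "$src" "$dest"
    chmod 600 "$dest"   # backups carry (encrypted) admin credentials and PSKs

    # Prune to the newest $keep revisions (the stamp makes names sort by time).
    count=$(ls -1 "$dir"/config-*.txt | wc -l | tr -d ' ')
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$dir"/config-*.txt | sort | head -n "$excess" | while read -r old; do
            rm -f "$old"
        done
    fi
    echo "$dest"
}

# show_changes ARCHIVE_DIR: unified diff between the two newest revisions,
# i.e. what changed on the firewall since the previous backup.
show_changes() {
    dir=$1
    set -- $(ls -1 "$dir"/config-*.txt 2>/dev/null | sort | tail -n 2)
    [ $# -eq 2 ] || { echo "show_changes: need two revisions" >&2; return 1; }
    diff -u "$1" "$2"
}

# Typical cron line body (constructed paths; KEEP=30 revisions):
#   archive_backup /srv/tftp/config.txt /srv/fortigate-archive 30 \
#       && show_changes /srv/fortigate-archive
```

Because the received file is compared against the newest stored revision before anything is copied, a daily auto-script interval costs nothing on quiet units: the archive only grows when the configuration really changed, and each growth step comes with the diff that caused it.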