Thanks! Likely, I would make a read-only account for this and allow as little as possible. I will also see about using the SCP option or a secured FTP option rather than TFTP, but this is helpful.

TechnoR05 wrote:

Hello,

 

We use putty run from the tftp server.

It's not the best security, also it is TFTP and all plain-text, but we have a task scheduled that does a backup every day of each vdom and also a full backup.

It's something like this :

the task runs a .bat file calling putty and login info :

C:\Putty.exe -ssh <Fortigate IP> -l <UserLoginName> -pw <UserPassword> -m C:\BackupGlobal.txt

And the txt files are similar to :

config global exe backup config tftp <Filename> <ServerIP> end exit

- -

Does what we need, you could probably build from there.

 

Regards

Here's an alternate option for you...  

I have a number of clients with Fortigate firewalls and needed an easy way for them to all be automatically backed up on a weekly basis.  I wrote an AutoIT script (www.autoitscript.com) that, if you have any form of coding experience, you can alter and compile to an executable for your own needs.  It does require a few minor prerequisites to get going, but runs very well for me.  It utilises plink.exe (part of the PuTTY suite as someone mentioned above) to obtain the config (it will automatically download plink.exe if it doesn't exist)

Basically it works like this:

1. I setup an FTP server at my own premises and then configured a VIP/policy on my own Fortigate firewall, restricting FTP inbound from the public IP address of my clients Fortigate's only.

2. At each clients site, I copied the compiled ftpconf.exe to one of their local servers (generally their domain controller) saving it under C:\Backup then created a scheduled task in Windows to run it every Friday night around 10 pm (make sure you choose to run even if the user isn't logged in)

3. I then created an "ftpconf" account on the clients Fortigate with the same password, but restrict logons to that account from the IP address of the server that ftpconf.exe runs from.  That user is also a member of a new "ReadOnly" Admin Profile you will need to create, which has read only permissions for all Access Controls EXCEPT for 'Maintenance' where it requires read/write (for some reason, it wouldn't backup the entire config without this as read/write - possibly a bug?) Also ensure SSH is open on the internal (LAN side) interface.

4. I then created an FTP account on my own FTP server which is inside the compiled ftpconf script (yes I'm aware that AutoIT executables can be reverse compiled, but there is enough security above for me not to worry about it)

You can download the sample script from here:

http://www.chimera.co.nz/fortigate/ftpconf.au3

You need to change the following lines at the top of the code to reflect your setup.  

; Fortigate variables Global Const $FortigateUSER = "ftpconf" Global Const $FortigatePASS = "ftpconf"

; FTP variables Global Const $FTPPATH = "/fwconfigs/" Global Const $FTPSERVER = "ftp.myserver.co.nz" Global Const $FTPUSER = "ftpuser" Global Const $FTPPASS = "ftppassword"

So for example, using the above constants as an example, it will locally connect to their own Fortigate using the default IP address of the machine the executable is run from (or you can override this passing the IP of the Fortigate as a parameter to ftpconf.exe, eg: ftpconf 192.168.1.254) and logging on with the username 'ftpconf' and password 'ftpconf'. It then FTP's its configuration to ftp.myserver.co.nz/fwconfigs/DOMAIN (where 'DOMAIN' is the Active Directory domain name or the PC name if in a workgroup) using 'ftpuser' as username and 'ftppassword' as the password (change to suit your needs)  The FTP path also needs to exist on the FTP server first (so for example, manually create /fwconfigs/DOMAIN)  It will create a backup file of the config in a format that includes the date that ftpconf.exe was run (so you can have multiple revisions of the config for audit purposes)

It will log all output (to the same folder that ftpconf.exe is in) to a file 'ftpconf.log' - for example, looks like this:

01/22/2016 10:00:00 - BEGIN SCRIPT Scanning Registry for Gateway IP address Connecting to Gateway IP Address 192.168.x.x === SUCCESS ===

exec backup config ftp /fwconfigs/JAMES/fwbackup-SERVER-2016-01-22.conf ftp.myserver.co.nz username_hidden password_hidden Please wait... Please wait...

Connect to ftp server ftp.myserver.co.nz ... Send config file to ftp server OK. Setting timestamp FORTIGATE $ ***************************************************************************************** 01/29/2016 10:00:08 - BEGIN SCRIPT Scanning Registry for Gateway IP address Connecting to Gateway IP Address 192.168.x.x === FAILED ===

Connection Timed Out

(the latter output shown above is because I'd accidentally disabled ssh on the internal LAN interface!)

I've added plenty of error handling in to it, let me know if there are any issues though.  I will point out that I did take the "ReadData" function code from another poster on the AutoIT web site, so can't take credit for that part :)

Hope this helps.

Hello,

i recently set up a centralized configuration management server that handles our periodic full-config backups (of Fortigate, Cisco etc.). I chose rConfig. It needs to run on a dedicated CentOS Server (i chose a small VM for that), and it takes about 1-2h hours to prep everything, but once you've got everything running it's great, because rConfig also offers integrated config DIFF, so you can easily check for changes and generate reports or check them against rules.

Might be a bit overkill for your current task, but if you have more than one device, you might want to give it a try (it's free). If you do so, please note, that in the current build you need to apply a workaround to get it to work with fortios: when adding a device, insert \s into the 'Prompt' Field, for every whitespace in your ssh-shell prompt. Check the rConfig forum, theres more info on that.

tl;dr I use rConfig on a dedicated server, works great and supports config diff and other vendors as well.

Hello 

The auto-script from adikad works nicely in my enviroment. But when I try to upload the data via TFTP into a specific foldes it stops working. For example:

execute backup config tftp config.txt 192.168.0.1/backup

It does not work and gives me an error message "unknown host". But when I use another computer and transfer data via TFTP it does work. Is there a workaround on the Fortigate side?

I know that in the CLI handbook only an IP is mentioned and not another directory.

Marcus

Exactly. Try without folder name. This is Tftp, T=trivial.

I have recently changed to a Fortinet router from another manufacturer and at the moment I am in the process of copying the functionality from the old one into the new one. With the old one it did work. As I am not so deep into tftp I do not see the problem why it should not work in general. It might be that the FortiOS does not have this functionality. 

Another solution would be to change the settings in the tftp server, but this involves more than just the single change...

Marcus