Wednesday, October 7, 2015

Fortigate configuration files backups ( understanding )

In this post we will look a a configuration file of a typical fortigate and the many means for configuration backup. 1st the configuration is a simple  text file that can be read or edit by a reader/edit application ( Vi/Ed/Word/text-editor )

The configuration file for the unit  that it was created,  has a few key items as shown in the following image.

The unit model and software build, the admin that created the file, and configuration version #s

NOTE:  All of these 1st 3 lines are crucial if you ever need to restore a backup on a another unit.

The fortigate allows for you generated a encrypted configuration file. The encryption cipher used in this configuration is unknown and not public knowledge, but  you will NOT be able to review or modify the configuration of a encrypted file.

e.g encrypted configuration file content

NOTE: This is why I recommend using a local encryption utilities  & if you ever need off-appliance  storage of a security appliances cfg-files  and if you need to securely transmit for others to review such as a "auditor" or "support" engineer. Openssl or GPG would come in handy for this.

Now moving along, the configuration can be backed up via a few simple means

    1: locally to a usb drive
    2:  using a screen capture or buffer capture from your telnet/ssh session
    3: via the execution of the backup via the WebGUI

You choice would  be determine based on your policy and local environment. Example, a agency I contracted with only allowed ssh access to their fortigates, so  your choices for backups was limited.

The backup configuration should always be secured regardless of what  method or access you use.

The backup is always named in  the following manner; <hostname>_YEAR2DIGITMONTHDATE.conf

This makes for  retrieving the backup file very easy and simplified. If the 1st 3 lines of any configuration files are missing or corrupt the  configuration file will be ignored and the unit will kick out a error.

Another backup that should be mention, fortinet has a "fortimanager" appliance that can perform configuration management, archive and deployment

The Web GUI backup allows you  to do the following with ease;

  •   full system backup
  •   specific vdom backup
  •   set a encryption password
  •   set the backup device

The command line access also give you the same ability. Always get into  the habit of regular backups and automated backups

sample bash script

# This is a simple bash cfg grabber
if [ ! $1 ]; then
echo " Usage : <username> <fortigate ip_address> <ssh port # > "
echo " "
echo " Example getcfg admin 22 "
echo " "

exit 1

DATE=`date +%F%Z%T`
scp -P $3 $1@$2:$A ./$A-$2_$DATE.cfg

 NOTE: I just recently found out that fgt-config  can also be used in replaced of sys_config but not ALL  fortigates are supporting this and  "*sys_config" or anything with sys_config in the name

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \


  1. I always find your posts fascinating, so thanks for taking the time to upload. While you're on the topic of backups I find RANCID a useful tool. Worth a look if you've not used it before. Thanks Steve

  2. The "expect" scripting for me my friend, a simple script with a list of ip_address and a common user/pass for the backup is all you need.

    On rancid , it's good and been around for ages and gear'd for the cisco heads but "rconfig" is the new rancid per-se. Greater in function and wider support out of the box & so easy even a caveman can figure it out.