The configuration file for the unit it was created on has a few key items, as shown in the following image:
the unit model and software build, the admin that created the file, and the configuration version numbers.
NOTE: These first 3 lines are crucial if you ever need to restore a backup onto another unit.
The FortiGate allows you to generate an encrypted configuration file. The encryption cipher used for this file is not public knowledge, and you will NOT be able to review or modify the configuration in an encrypted file.
e.g. encrypted configuration file content:
NOTE: This is why I recommend using local encryption utilities if you ever need off-appliance storage of a security appliance's cfg-files, or need to securely transmit them for others to review, such as an "auditor" or "support" engineer. OpenSSL or GPG would come in handy for this.
Now moving along, the configuration can be backed up via a few simple means:
1: locally to a USB drive
2: using a screen capture or buffer capture from your telnet/ssh session
3: via the backup function in the WebGUI
Your choice would be determined by your policy and local environment. For example, an agency I contracted with only allowed ssh access to their FortiGates, so the choices for backups were limited.
The backup configuration should always be secured, regardless of what method or access you use.
The backup is always named in the following manner: <hostname>_YEAR2DIGITMONTHDATE.conf
This makes retrieving the backup file very easy and simple. If the first 3 lines of any configuration file are missing or corrupt, the configuration file will be ignored and the unit will throw an error.
Another backup method that should be mentioned: Fortinet has a "FortiManager" appliance that can perform configuration management, archiving and deployment.
http://www.fortinet.com/fortimanager_product_demo.html
The Web GUI backup allows you to do the following with ease:
- full system backup
- specific vdom backup
- set an encryption password
- set the backup device
The command line access also gives you the same abilities. Always get into the habit of regular and automated backups.
sample bash script:
#!/bin/bash
# This is a simple bash cfg grabber: pulls sys_config from a FortiGate over scp
#
# All three arguments are required: username, FortiGate address, ssh port
if [ $# -ne 3 ]; then
echo " Usage : getcfg.sh <username> <fortigate ip_address> <ssh port # > "
echo " "
echo " Example getcfg.sh admin 1.1.1.1 22 "
echo " "
exit 1
fi
#
# Timestamp for the output file name (date, time zone, time)
DATE=$(date +%F%Z%T)
#
# Name of the configuration file on the unit
A=sys_config
#
PORT=$3
# Copy the config down and name it <file>-<address>_<timestamp>.cfg
scp -P "$PORT" "$1@$2:$A" "./$A-$2_$DATE.cfg"
NOTE: I just recently found out that fgt-config can also be used in place of sys_config, but not ALL FortiGates support this, and "*sys_config" or anything with sys_config in the name.
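The grabber above pulls the file but never checks that the 3 crucial header lines made it down, and leaves the cleartext config sitting on disk. The following is an added example, not code from the original post: it fetches the config, verifies the header, names the file per the <hostname>_YYMMDD scheme, and encrypts it with GPG as recommended earlier. It assumes key-based ssh, gpg on the workstation, and a recipient key id; the header keys are the ones found at the top of a FortiGate config file, and the sample values are constructed.

```shell
#!/bin/bash
# Added example: fetch, validate and encrypt a FortiGate config backup.
# Assumptions: key-based ssh auth, gpg installed, a GPG recipient key id.
set -u

# Constructed sample of the first three header lines of a FortiGate config
# (model/build, config file version, build number; values made up here).
SAMPLE_HEADER='#config-version=FGT60D-5.2.3-FW-build670-150511:opmode=0:vdom=0:user=admin
#conf_file_ver=0123456789abcdef
#buildno=670'

# Return 0 when the first three lines carry model/build, config version
# and build number; a file missing these is rejected by the unit on restore.
check_fgt_header() {
  local hdr
  hdr=$(head -n 3 "$1")
  printf '%s\n' "$hdr" | grep -q '^#config-version=' || return 1
  printf '%s\n' "$hdr" | grep -q '^#conf_file_ver=' || return 1
  printf '%s\n' "$hdr" | grep -q '^#buildno=' || return 1
}

# Name the file the way the post describes: <hostname>_YYMMDD.conf
# (date defaults to today; pass one explicitly for a repeatable name).
backup_name() {
  printf '%s_%s.conf\n' "$1" "${2:-$(date +%y%m%d)}"
}

# Pull sys_config (fgt-config on builds that accept it), validate, encrypt.
# Usage: getcfg <username> <host> <ssh port> <gpg recipient>
getcfg() {
  local user=$1 host=$2 port=$3 rcpt=$4 out
  out=$(backup_name "$host")
  scp -P "$port" "$user@$host:sys_config" "$out" || return 1
  if ! check_fgt_header "$out"; then
    echo "$out: header lines missing or corrupt, a restore would fail" >&2
    rm -f "$out"
    return 2
  fi
  # Encrypt to the recipient, then remove the cleartext copy.
  gpg --batch --yes --encrypt --recipient "$rcpt" --output "$out.gpg" "$out" \
    && rm -f "$out"
}
```

The encrypted .gpg file is what goes to off-appliance storage or to an auditor; the cleartext copy never leaves the admin box.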
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
I always find your posts fascinating, so thanks for taking the time to upload. While you're on the topic of backups, I find RANCID a useful tool. Worth a look if you've not used it before. Thanks, Steve
The "expect" scripting for me, my friend: a simple script with a list of ip_addresses and a common user/pass for the backup is all you need.
On RANCID, it's good and has been around for ages and is geared for the Cisco heads, but "rconfig" is the new RANCID, per se. Greater in function and wider support out of the box, and so easy even a caveman can figure it out.