Just a quick note on how to automate backup of your FortiGate, FortiAnalyzer and FortiManager.
FortiManager / FortiAnalyzer
Use the following configuration:
config system backup all-settings
set status enable
set protocol sftp
set server "10.200.10.50"
set user "fortibackup"
set passwd "YourPassword"
set directory "/home/fortibackup"
set week_days sunday
set time "23:00:00"
set crptpasswd "CryptoKeyForYourBackup"
end
A few other commands that might come in handy:
To test backup
execute backup all-settings sftp 10.200.10.50 /home/fortibackup/ fortibackup PASSWORD CRYPTOPW
Check backup status
get system backup status
FortiGate does not come with a native function to run scheduled backups, but as of version 5.4 you have Auto-script, which can alleviate some of the burden.
Unfortunately this method does _not_ support sftp or scp, only tftp and ftp, neither of which encrypts the transfer, so it might be worthwhile investigating a different backup solution if the backup is to run over unprotected networks.
Anywho, these are the commands you need to run in order to do a full-config (all vdoms) backup of a FortiGate:
FortiGate01 (global) #
FortiGate01 (global) # config system auto-script
FortiGate01 (auto-script) # edit "AutoBackup"
FortiGate01 (AutoBackup) #
FortiGate01 (AutoBackup) # set interval 86400
FortiGate01 (AutoBackup) # set repeat 0
FortiGate01 (AutoBackup) # set script "config global
execute backup full-config ftp FortiGate01-backup 10.200.10.50 fortibackup PASSWORD CRYPTOPW"
FortiGate01 (AutoBackup) # set start auto
FortiGate01 (AutoBackup) # next
FortiGate01 (auto-script) # end
FortiGate01 (global) #
Interval is in seconds, so 86400 = 1 day
Repeat is the number of times this script is to be repeated. 0 = infinite.
Note that the quoted value of set script is not closed on the first line: it continues onto a second line, which holds the second command to execute.
Yes, exactly, it is working, but the problem is that when it backs up it removes the previously backed-up file. Any idea how to change that, so that when it runs it saves to a new file name?
If you require archiving of your old configuration I suppose a script on the server side would be one way to achieve that.
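The server-side script suggested in the reply above, as an added example that is not part of the original post or its comments. It keeps a timestamped copy of the file the FortiGate overwrites on each run; the upload path /home/fortibackup/FortiGate01-backup, the archive directory and the retention count of 30 are assumptions.

```shell
#!/bin/sh
# Added example: keep timestamped copies of the file the FortiGate overwrites.
# Paths, file name and retention count are assumptions; adjust to your server.

# archive_backup SRC ARCHIVE_DIR [KEEP]
# Copies SRC to ARCHIVE_DIR/<name>-<UTC timestamp> when its content differs
# from the newest archived copy, then prunes to the newest KEEP copies.
# The body runs in a subshell, so umask and variables do not leak out.
archive_backup() (
    src=$1 dest=$2 keep=${3:-30}
    # Refuse a missing or zero-length upload rather than archiving it.
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; exit 1; }
    umask 077                      # backups hold secrets: owner-only access
    mkdir -p "$dest" || exit 1
    base=$(basename "$src")

    # Timestamps sort lexicographically, so the last name is the newest.
    latest=$(ls -1 "$dest/$base"-* 2>/dev/null | sort | tail -n 1)
    if [ -n "$latest" ] && cmp -s "$src" "$latest"; then
        exit 0                     # identical to the newest copy
    fi

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    tmp="$dest/.$base.$$"
    # Copy to a hidden temp name, then rename, so no partial file is visible.
    cp "$src" "$tmp" && mv "$tmp" "$dest/$base-$stamp" || exit 1
    echo "$dest/$base-$stamp"

    count=$(ls -1 "$dest/$base"-* | wc -l)
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$dest/$base"-* | sort | head -n "$excess" |
            while IFS= read -r old; do rm -f -- "$old"; done
    fi
)

# Run from cron some time after the FortiGate's upload, for example:
#   archive-fortigate.sh /home/fortibackup/FortiGate01-backup /home/fortibackup/archive 30
if [ "$#" -ge 2 ]; then
    archive_backup "$@"
fi
```

If the encrypted backup differs byte-for-byte between runs even when the configuration is unchanged, every run is archived and only the retention count bounds the number of copies.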
I am also interested in a different file name generated from the FortiGate… on an older FW (according to the guide), if the file name was left empty, a backup file with the date would be generated; the option does not work with 5.4.
Any idea? Besides versioning on the server side?