How-to: Automate FortiGate configuration backups

The FortiGates don't have any backup automation abilities out of the box. Generally you'd use a FortiManager for the config, backup and control of multiple FortiGates.

I've recently setup a lab with several FortiGates for testing and wanted a simple way of backing up the configs every day so I could always revert back to a previous day quickly.

You could just backup the config before making changes, but I wanted to automate this process. Below is a quick and dirty script to automate the config backup.

A few notes to begin with; this script requires a read only user to be created on each FortiGate that have the same password. These passwords are stored in the script itself; so while it never gets transmitted in cleartext over the link, be aware that it is stored in the file. Since this is a lab and it's a readonly account I'm not too fussed. Another thing to note is that the strict host check for the SSH keys has been disabled (so you don't get a confirmation request for new IP addresses). There is a more secure way to do this without using passwords but ssh keys which I may create a blog on at a latter date.

The only dependency is that the script requires sshpass to be installed.

My guide goes through setting this all up on a Debian based Linux system (like Mint or Ubuntu). It should be fine to work on other distributions with few command changes.

Steps involved:

1. Install sshpass
2. Enable SCP and SSH on FortiGates
3. Create a read only profile
4. Create a read only user
5. Create script and edit the code
6. Make script executable
7. Test the script
8. Configure crond to automatically run the script

1. Install sshpass

From your linux terminal type the following to install sshpass:

sudo apt-get install -y sshpass

2. Enable SCP and SSH on the FortiGate

For this example we'll configure port6 with SSH. Login to the CLI of your FortiGate and config the following:

config system interface
edit port6
set allowaccess ssh

Then type the below to enable SCP:

config system global
set admin-scp enable

3. Create a read only profile

In the webgui goto System > Admin > Admin Profiles and click 'Create New'.

Give your profile a name and select the 'Read Only' tick-box to ensure all access control options change to read only. Click 'Ok' to save.

4. Create a read only user

Goto System > Admin > Administrators and click 'Create New'.

Type in the users login name, give a password and select the read-only profile we created in step 3. Click 'Ok' to save.

5. Create script and edit the code

Copy the script below in a text editor and then change the following settings:

a) SERVERS: Replace the IP addresses here with the IP addresses (and/or hostnames) of the FortiGate units you want to connect to (and that you've enabled SSH/SCP for). Separate server addresses with a space.
b) USR: Replace with your read-only username we created in step 4.
c) PWD: Replace with your read-only password we created in step 4.
d) This is the directory that the file will be saved in. Ensure that this directory exists and the user that runs the script has write access to it.

The full script is below:

# SSH User name

timestamp=$(date +"%y-%m-%d")

# connect each host
for host in $SERVERS
sshpass -p $PWD scp -oStrictHostKeyChecking=no $USR@$host:sys_config /home/user/backup/"$timestamp"_"$host".conf
echo 'Backup Completed!'

Once this is done save the file with the .sh extension (for this exmple I use

6. Make script executable

To be able to run the script you'll need to make it executable.

chmod u+x

7. Test the script

Now the fun part, to test the script! Goto the directory that the script is located in an run it with the following ./ After a while you should get the 'Backup completed!' message. If you do an ls you should now see the configs. The naming scheme is the date followed by the IP or domain name of the firewall.

allan@amouawad-mint ~/backup $ ./ 
Backup completed!
allan@amouawad-mint ~/backup $ ls
14-01-10_172.16.100.91.conf  14-01-10_192.168.200.99.conf

8. Configure crond to automatically run the script

Now this is done and confirmed working, we want to get the script to run on a schedule. For this we need to configure cron with the following command: crontab -e.

If you're unsure howto use cron I'd suggest you search for a few examples. The key here is to add a line at the end of the file that will determine the frequency that you wish the script to run, and the scripts name/location.

For example I've used the following:

0 1 * * * /home/user/backup/

This will run the script located in /home/user/backup/ once everyday at 1am.

Save the file and you should be done!