Thursday, June 10, 2010

Fortigate SCP backup

Here is a small guide to backing up a Fortigate configuration with SCP.

Using the Web-based manager:
Go to System > Admin > Settings.
Make sure SCP is enabled.

Go to System > Network > Interface.
Select the Edit icon for the interface you use for administrative access.
In the Administrative Access section, select the SSH check box.
Click OK.

Create a public-private key pair using a key generator tool compatible with your SCP client.
root@linux:~# ssh-keygen -t rsa -b 2048 -f /tmp/fw-001
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): ENTER
Enter same passphrase again: ENTER
Your identification has been saved in /tmp/fw-001.
Your public key has been saved in /tmp/fw-001.pub.

Save the private key to the location on your computer where your SSH private keys are stored.
root@linux:~# mv /tmp/fw-001.pub /etc/
root@linux:~# mv /tmp/fw-001 /etc/fw-001.sec

Connect to the Fortigate using SSH.
root@linux:~# ssh admin@x.x.x.x

config system admin
edit admin
set ssh-public-key1 "[paste content from /etc/fw-001.pub]"
end

And you are done! :)

To trigger the copy, run the following command from bash.
root@linux:~# scp -i /etc/fw-001.sec admin@x.x.x.x:sys_config /backup/fw-001.fg.bin

Tip:
You can also set up CVS to get config revisions.
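As an added example (not part of the original post), here is a small POSIX shell wrapper around the scp command above: it fetches the config with the key from the guide, refuses to keep a file that is empty or does not look like a complete FortiOS export, and commits each good copy into a CVS working copy so the revisions the tip mentions come for free. The backup directory, the CVS working-copy path, the script name and the two marker strings it checks for are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example (not from the original post): backup wrapper around the scp
# command shown above. Fetches the config, sanity-checks it, and commits it
# to a CVS working copy so each run becomes a revision. Paths, host and
# marker strings below are assumptions; adjust to your environment.

KEY=/etc/fw-001.sec            # private key from the guide
BACKUP_DIR=/backup              # where fw-*.fg.bin files are kept
CVS_WC=/backup/cvs-wc           # assumed checked-out CVS working copy
HEADER='#config-version='       # first line of a FortiOS config export
SECTION='config system global'  # expected in any complete config (assumption)

# fetch_config HOST NAME: copy sys_config from HOST to BACKUP_DIR/NAME.fg.bin
fetch_config() {
    host=$1; name=$2
    scp -q -o BatchMode=yes -o ConnectTimeout=15 -i "$KEY" \
        "admin@$host:sys_config" "$BACKUP_DIR/$name.fg.bin"
}

# check_backup FILE: return 0 only if FILE looks like a complete config
check_backup() {
    f=$1
    [ -s "$f" ] || { echo "check: $f is missing or empty" >&2; return 1; }
    head -n 1 "$f" | grep -q "^$HEADER" \
        || { echo "check: $f has no $HEADER header" >&2; return 1; }
    grep -q "^$SECTION" "$f" \
        || { echo "check: $f lacks '$SECTION'" >&2; return 1; }
    return 0
}

# commit_revision FILE NAME: store FILE in the CVS working copy; cvs commit
# creates a new revision only when the content actually changed
commit_revision() {
    f=$1; name=$2
    cp "$f" "$CVS_WC/$name.conf"
    ( cd "$CVS_WC" && { cvs -Q add "$name.conf" 2>/dev/null || true; } \
        && cvs -Q commit -m "backup $(date +%F)" "$name.conf" )
}

# Usage: ./fgbackup.sh HOST NAME   (e.g. ./fgbackup.sh x.x.x.x fw-001)
main() {
    fetch_config "$1" "$2" || { echo "scp from $1 failed" >&2; exit 2; }
    check_backup "$BACKUP_DIR/$2.fg.bin" || exit 3
    commit_revision "$BACKUP_DIR/$2.fg.bin" "$2"
}
[ "$#" -eq 2 ] && main "$@"
```

Run it from cron with the host and a name per firewall; a non-zero exit means the scp failed or the fetched file was rejected, so nothing bad is committed.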

15 comments:

  1. Sorry for reviving such an old post, but I'm facing a problem with your recipe :)

    have you tried this method with VDOMs?

    I'm getting only part of config, not full and I think it can be related to VDOMs.

    thanks in advance,

    mussol

    1. Hello Mussol :)

      Thank you for notifying me of this! I can see that I have the same problem, and I was not aware of it. It seems to have started when we updated to firmware version 5.0 patch 9. This was not an issue in 5.0.7 (I am not sure about 5.0.8). I will contact Fortinet about this and update in the comments with their reply. It might take a few days.

    2. Hello Mussol :)

      Fortinet confirms the bug.
      bug #0250120-B589: SCP configuration backup with RSA key authentication retrieve only the root VDOM configuration

      If you contact them, you will get an interim build, but it will be fixed in version 5.0.10. It is scheduled for release in two weeks.

      Regards,
      Neero

  2. thx for this info.

    I'll wait for next release and I'll keep you in touch about the results.

  3. We're running v5.2.4 and we're still only getting the root VDOM with the scp. Any suggestions? I'm looking for an alternative to RANCID, since there seems to be something funny going on that the 'show full-configuration' obtained by RANCID does not include all VDOM interfaces.

    1. To answer my own question, in case anybody needs this in the future, use 'fgt-config' instead of 'sys_config' and you get all config incl VDOM config.

    2. Hello Costyn :)

      I do not have any Fortigates on 5.2.4 with vdoms, but I have one on 5.2.5, and I do not see the problem there. Do you know the difference between fgt-config and sys_config? I find it weird they have two files with the same information.

      I have another article about Rancid and Fortigate that explains why I am not using Rancid for these devices :)

      http://blog.neero.net/2015/07/rancid-and-fortigate-not-straight.html

    3. Hello Neero,

      I'm not sure why there are 2 different configs available. This thread elaborates on it, and is where I found that fgt-config is also available: https://forum.fortinet.com/tm.aspx?m=114055 Thanks for the link to your FG/Rancid article. I will try to integrate the scp method into fnrancid, but it's likely not easy.

      I will post if I have any working code.

    4. Hi Costyn :)

      I just registered a case with Fortinet asking about the two files, will inform you of their answer.

      I would very much like to know if you figure out how to get it to work with fnrancid. Right now I am using very custom scripts to run the backup and checking if the backup is successful, and they are not 100% trustworthy :)

    5. Hello again!

      Here is the reply from Fortinet:
      No difference. Same thing. If I remember correctly, in the old versions only sys_config was working, but now both give the same results. I'd use fgt-config because that's pretty surely the one which will stay for longer periods, but I don't think the other one will be removed anytime. :)
      --------------

      If you look at earlier comments in this article, you will see that Fortinet previously had a bug with vdom and SCP backup with the sys_config file, maybe they reimplemented it in 5.2.4 :)

    6. I don't know why they say it's the same when it's not. For my FG devices I get very different outputs, especially with VDOM-enabled FGs. I have a working script which will parse .cloginrc, retrieve the password and then scp the file to the local machine. I haven't integrated it into RANCID as of yet, although the config looks simple (I had someone else's code to work from, thankfully). I will post when I have it complete.

    7. Hi :)

      I just did a diff on fgt-config and sys_config, but did not see any differences. Tried both a fortigate with vdoms, and one without. This with 5.2.6 firmware.

  5. I have managed to get rancid working with fortinet using scp and published my script here: https://github.com/schweikert/fnrancid-scp

    1. Awesome! Thanks for this! I will definitely start using it :D
