
Configuration Backups

Once you have successfully configured the FortiGate, it is extremely important that you back up the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also back up the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

It is also recommended that you back up the configuration after any future changes are made, to ensure you have the most current configuration available. Also, back up the configuration before any upgrade of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always back up the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, a USB key, an FTP site and a TFTP site. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to back up individual VDOMs will not appear.

Backing up the configuration using the GUI

  1. Go to the Dashboard and locate the System Information widget.
  2. Beside System Configuration, select Backup.
  3. Direct the backup to your Local PC or to a USB key.
    The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.
  4. If VDOMs are enabled, select to backup the entire FortiGate configuration (Full Config) or only a specific VDOM configuration (VDOM Config).
  5. If backing up a VDOM configuration, select the VDOM name from the list.
  6. Select Encrypt configuration file.
    Encryption must be enabled on the backup file to back up VPN certificates.
  7. Enter a password and enter it again to confirm it. You will need this password to restore the file.
  8. Select Backup.
  9. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use the following command:

execute backup config management-station <comment>


… or …

execute backup config usb <backup_filename> [<backup_password>]


… or for FTP; the port number and user name are optional, depending on the FTP site …

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]


… or for TFTP …

execute backup config tftp <backup_filename> <tftp_server> <password>

Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom

edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

Backing up the local certificates

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>


where:

  • <cert_name> is the name of the server certificate.
  • <filename> is a name for the output file.
  • <tftp_ip> is the IP address assigned to the TFTP server host interface.
Restoring the local certificates - GUI
  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and select Import.
  3. Select the appropriate Type of certificate and fill in any required fields.
  4. Select Browse. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
  5. If required, enter the Password needed to upload the exported file.
  6. Select OK.
Restoring the local certificates - CLI

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Backup and restore a configuration file using SCP

You can use secure copy protocol (SCP) to download the configuration file from the FortiGate as an alternative method of backing up the configuration file or an individual VDOM configuration file. This is done by enabling SCP for an administrator account and enabling SSH on the interface (and port) that the SCP client application uses to connect to the FortiGate. SCP is enabled using the CLI commands:

config system global

set admin-scp enable

end


Use the same commands to backup a VDOM configuration by first entering the commands:

config global

set admin-scp enable

end

config vdom

edit <vdom_name>

Enable SSH access on the interface

SCP uses the SSH protocol to provide secure file transfer. The interface you use for administration must allow SSH access.

To enable SSH - GUI:
  1. Go to Network > Interfaces.
  2. Select the interface you use for administrative access and select Edit.
  3. In the Administrative Access section, select SSH.
  4. Select OK.
To enable SSH - CLI:

config system interface

edit <interface_name>

set allowaccess ping https ssh

end

Note: When adding or removing a protocol, you must type the entire list again, because set allowaccess replaces the current list rather than adding to it. For example, if you have an access list of HTTPS and SSH, and you want to add PING, typing:

set allowaccess ping

...only PING will be set. In this case, you must type...

set allowaccess https ssh ping

Using the SCP client

The FortiGate downloads the configuration file as sys_conf. Use the following syntax to download the file:

Linux

scp admin@<FortiGate_IP>:fgt-config <location>

Windows

pscp admin@<FortiGate_IP>:fgt-config <location>


The following examples show how to download the configuration file from a FortiGate-100D, at IP address 172.20.120.171, using Linux and Windows SCP clients.

Linux client example

To download the configuration file to a local directory called ~/config, enter the following command:

scp admin@172.20.120.171:fgt-config ~/config


Enter the admin password when prompted.

Windows client example

To download the configuration file to a local directory called c:\config, enter the following command in a Command Prompt window:

pscp admin@172.20.120.171:fgt-config c:\config


Enter the admin password when prompted.
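The SCP download above can be scripted so that a scheduled run stores a new revision only when the configuration has actually changed. This is an added example, not Fortinet's own tooling; it uses the page's admin@<FortiGate_IP>:fgt-config syntax and assumes SSH-key authentication for the admin account, a revision directory of your choice, and that a FortiOS .conf export begins with a "#config-version=" line.

```shell
#!/bin/sh
# Pull the FortiGate configuration over SCP (admin@<FortiGate_IP>:fgt-config)
# and keep it as a new revision only when it differs from the newest revision
# already stored, so a scheduled run does not pile up identical copies.
# Assumptions: SSH-key authentication is configured for "admin", the revision
# directory layout, and that a FortiOS .conf export starts with "#config-version=".

# Download fgt-config into file $2 with private key $3. BatchMode=yes makes
# scp fail outright instead of prompting if key authentication is refused.
fgt_scp_backup() {
    fgt_ip=$1; out=$2; key=$3
    scp -o BatchMode=yes -i "$key" "admin@${fgt_ip}:fgt-config" "$out"
}

# Reject empty or unexpected downloads before they are stored as a revision.
is_fgt_config() {
    [ -s "$1" ] || return 1
    case "$(head -n 1 "$1")" in "#config-version="*) return 0 ;; *) return 1 ;; esac
}

# Copy $1 to $2/<timestamp>.conf unless it is byte-identical to the newest
# revision there. Prints "kept <path>" or "unchanged"; returns 1 on a bad file.
store_revision() {
    src=$1; dir=$2; stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    is_fgt_config "$src" || { echo "refusing $src: not a FortiGate config" >&2; return 1; }
    mkdir -p "$dir"
    latest=$(ls "$dir"/*.conf 2>/dev/null | sort | tail -n 1)
    if [ -n "$latest" ] && cmp -s "$src" "$latest"; then
        echo "unchanged"
        return 0
    fi
    cp "$src" "$dir/$stamp.conf"
    echo "kept $dir/$stamp.conf"
}

# Typical scheduled run against the page's example FortiGate-100D (key path
# and revision directory are assumed):
#   tmp=$(mktemp) && fgt_scp_backup 172.20.120.171 "$tmp" ~/.ssh/fgt_backup_key \
#       && store_revision "$tmp" ~/fgt-revisions; rm -f "$tmp"
```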

SCP public-private key authentication

An SCP client authenticates to the FortiGate in the same way an administrator does when accessing the CLI over SSH. Instead of using a password, you can configure the SCP client and the FortiGate with a public-private key pair.

To configure public-private key authentication
  1. Create a public-private key pair using a key generator compatible with your SCP client.
  2. Save the private key to the location on your computer where your SSH keys are stored.
    This step depends on your SCP client. The Secure Shell key generator automatically stores the private key.
  3. Copy the public key to the FortiGate using the CLI commands:

config system admin

edit admin

set ssh-public-key1 "<key-type> <key-value>"

end

<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For the <key-value>, copy the public key data and paste it into the CLI command.

If you are copying the key data from Windows Notepad, copy one line at a time and ensure that you paste each line of key data at the end of the previously pasted data. In addition:

  • Do not copy the end-of-line characters that appear as small rectangles in Notepad.
  • Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: “[2048-bit dsa,...]” lines.
  • Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
  4. Type the closing quotation mark and press Enter.

Your SCP client can now authenticate to the FortiGate based on SSH keys rather than the administrator password.
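The line-by-line copying from Notepad described above can be avoided by converting the SSH2 (RFC 4716) public key file directly into the set ssh-public-key1 line. This is an added example, not part of the original page: it strips the BEGIN/END and Comment: lines, joins the key data (tolerating Windows CRLF line endings) and reads the key type from the key blob's own prefix; the sample key file is constructed and is not a real key.

```shell
#!/bin/sh
# Turn an SSH2 / RFC 4716 public key file ("---- BEGIN SSH2 PUBLIC KEY ----",
# as written by PuTTYgen or the Secure Shell key generator) into the FortiOS
# CLI line `set ssh-public-key1 "<key-type> <key-value>"`. The body of such a
# file is the same base64 key blob OpenSSH prints after ssh-rsa/ssh-dss, so
# only the header, footer and Comment: lines need to be removed.
rfc4716_to_fortios() {
    file=$1; blob=""; in_body=0; continued=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}        # drop CR from CRLF files (Notepad's "rectangles")
        case "$line" in
            "---- BEGIN SSH2 PUBLIC KEY ----") in_body=1; continue ;;
            "---- END SSH2 PUBLIC KEY ----")   break ;;
        esac
        [ "$in_body" -eq 1 ] || continue
        if [ "$continued" -eq 1 ]; then      # remainder of a "\"-wrapped header line
            case "$line" in *\\) continued=1 ;; *) continued=0 ;; esac
            continue
        fi
        case "$line" in
            *:*) case "$line" in *\\) continued=1 ;; esac; continue ;;  # Comment:, Subject: ...
            "")  continue ;;
        esac
        blob="$blob$line"
    done < "$file"
    # The blob starts with a length-prefixed type string, so its base64 prefix is fixed.
    case "$blob" in
        AAAAB3NzaC1yc2E*) ktype=ssh-rsa ;;
        AAAAB3NzaC1kc3M*) ktype=ssh-dss ;;
        "") echo "no key data found in $file" >&2; return 1 ;;
        *)  echo "unsupported key type in $file" >&2; return 1 ;;
    esac
    printf 'set ssh-public-key1 "%s %s"\n' "$ktype" "$blob"
}

# Constructed sample with CRLF endings: NOT a real key, only the type prefix is meaningful.
sample=$(mktemp)
printf '%s\r\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
    'Comment: "rsa-key-20170101 (constructed sample)"' \
    'AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed' \
    'SampleKeyDataNotARealKey==' \
    '---- END SSH2 PUBLIC KEY ----' > "$sample"
rfc4716_to_fortios "$sample"
```

The printed line can be pasted into the CLI as step 3 of the procedure above in one go.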

Restoring a configuration using SCP

To restore the configuration using SCP, use the commands:

scp <local_file> <admin_user>@<FGT_IP>:fgt_restore_config


To use this method of restoring the FortiGate configuration, you need to log in as the “admin” administrator.

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration - GUI
  1. Go to the Dashboard and locate the System Information widget.
  2. Beside System Configuration, select Restore.
  3. Select to upload the configuration file to be restored from your Local PC or a USB key.
    The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.
  4. Enter the path and file name of the configuration file, or select Browse to locate the file.
  5. Enter a password if required.
  6. Select Restore.
To restore the FortiGate configuration - CLI

execute restore config management-station normal 0


… or …

execute restore config usb <filename> [<password>]


… or for FTP; the port number and user name are optional, depending on the FTP site …

execute restore config ftp <filename> <ftp_server> [<port>] [<user_name>] [<password>]

… or for TFTP …

execute restore config tftp <filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Configuration revision

The System Configuration > Revisions option in the System Information widget enables you to manage multiple versions of configuration files on models that have 512 flash memory or higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate model has this feature. Typically, configuration backup to the local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears to tell you to do one of the following:

  • enable central management
  • obtain a valid license.

When revision control is enabled on your FortiGate unit and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed in the System Information widget on the Dashboard.

Restore factory defaults

There may be a point where you need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration:

To reset the FortiGate to its factory default settings - GUI
  1. Go to the Dashboard and locate the System Information widget.
  2. Beside System Configuration, select Restore.
  3. Select Restore Factory Defaults at the top of the page.
You can reset using the CLI by entering the command:

execute factoryreset


When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration.

Use the command:

execute factoryreset2