Backups
 
System > Maintenance > Backup & Restore enables you to:
create backup files of the system configuration and web protection profiles
restore the system configuration or web protection profile from a previous backup (see “Restoring a previous configuration”)
update the geo-location data file used by the Data Analytics feature (see “Updating data analytics definitions”)
update the firmware of the FortiWeb appliance (see “Updating the firmware”)
Once you have tested your basic installation and verified that it functions correctly, create a backup. This “clean” backup can be used to:
troubleshoot a non-functional configuration by comparing it with this functional baseline (via a tool such as diff)
rapidly restore your installation to a simple yet working point (see “Restoring a previous configuration”)
batch-configure FortiWeb appliances by editing the file in a plain text editor, then uploading the finalized configuration to multiple appliances (see “Restoring a previous configuration”)
After you have a working deployment, back up the configuration again after any changes. This ensures that you can rapidly restore your configuration exactly to its previous state if a change does not work as planned.
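The baseline comparison described above can also be done per setting rather than per line. The following is an added example, not part of the Fortinet documentation. It assumes unencrypted CLI configuration backups laid out as a config/edit/set/next/end script, and both sample configurations are constructed for illustration.

```python
# Constructed sample backups (not taken from a real appliance).
BASELINE = '''config system global
  set hostname "FortiWeb"
end
config system interface
  edit "port1"
    set ip 192.168.1.99/24
    set allowaccess https ssh
  next
end
'''
CHANGED = '''config system global
  set hostname "FortiWeb"
end
config system interface
  edit "port1"
    set ip 192.168.1.99/24
    set allowaccess https ssh telnet
  next
  edit "port2"
    set ip 10.0.0.1/24
  next
end
'''

def parse_cli_config(text):
    """Flatten a CLI-script backup into {(block path, key): value}."""
    settings, path = {}, []
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            path.append(f"{word} {rest}")      # entering a block or table entry
        elif word in ("next", "end") and path:
            path.pop()                          # leaving it
        elif word == "set":
            key, _, value = rest.partition(" ")
            settings[(" / ".join(path), key)] = value
    return settings

def compare(baseline, current):
    """Return (kind, block, key, old, new) for every setting that differs."""
    base, cur = parse_cli_config(baseline), parse_cli_config(current)
    changes = []
    for block, key in sorted(base.keys() | cur.keys()):
        old, new = base.get((block, key)), cur.get((block, key))
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((kind, block, key, old, new))
    return changes

if __name__ == "__main__":
    for change in compare(BASELINE, CHANGED):
        print(*change, sep=" | ")
```

Unlike a plain line diff, each reported change names the block it belongs to, so a widened management-access setting or an unexpected new interface is visible without reading the surrounding context.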
 
You can configure the appliance to periodically upload a backup to an FTP server. See “To back up the configuration via the web UI to an FTP/SFTP server”.
Your deployment’s configuration is comprised of a few separate components. To make a complete configuration backup, you must include the:
Core configuration file
Certificates, private keys, and custom error pages
Vulnerability scan settings
Web protection profiles
Web server configuration files (see the documentation for your web servers’ operating systems or your preferred third-party backup software)
 
Configuration backups do not include data such as logs and reports.
There are multiple methods that you can use to create a FortiWeb configuration backup. Use whichever one suits your needs:
“To back up the configuration via the web UI”
“To back up the configuration via the web UI to an FTP/SFTP server”
“To back up the configuration via the CLI to a TFTP server”
To back up the configuration via the web UI
1. Log in to the web UI as the admin administrator.
Other administrator accounts do not have the required permissions.
2. Go to System > Maintenance > Backup & Restore.
The top of the page displays the date and time of the last backup. (No date and time is displayed if the configuration was never backed up, or you restored the firmware.)
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “Permissions”.
3. Under Backup/Restore, select Backup.
4. Select either:
Backup entire configuration — Creates a full backup of the configuration that includes both the configuration file (a CLI script) and other uploaded files, such as private keys, certificates, and error pages.
Backup CLI configuration — Backs up the core configuration file only (a CLI script) and excludes any other uploaded files and vulnerability scan settings.
Backup Web Protection Profile related configuration — Backs up the web protection profiles only.
5. If you would like to password-encrypt the backup files using 128-bit AES before downloading them, enable Encryption and type a password in Password.
6. Click Backup.
If your browser prompts you, navigate to the folder where you want to save the configuration file. Click Save.
Your browser downloads the configuration file. The download time varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection. It can take several minutes.
To back up the configuration via the web UI to an FTP/SFTP server
 
Fortinet strongly recommends that you password-encrypt this backup, and store it in a secure location. This method includes sensitive data such as your HTTPS certificates’ private keys. Unauthorized access to private keys compromises the security of all HTTPS requests using those certificates.
1. Go to System > Maintenance > FTP Backup.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “Permissions”.
2. Click Create New.
A dialog appears.
3. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
4. Configure these settings:
| Setting name | Description |
|---|---|
| FTP Protocol | Select whether to connect to the server using FTP or SFTP. |
| FTP Server | Type either the IP address or fully qualified domain name (FQDN) of the server. The maximum length is 127 characters. |
| FTP Directory | Type the directory path on the server where you want to store the backup file. The maximum length is 127 characters. |
| FTP Authentication | Enable if the server requires that you provide a user name and password for authentication, rather than allowing anonymous connections. |
| FTP User | Type the user name that the FortiWeb appliance will use to authenticate with the server. The maximum length is 127 characters. This field appears only if you enable FTP Authentication. |
| FTP Password | Type the password corresponding to the user account on the server. The maximum length is 127 characters. This field appears only if you enable FTP Authentication. |
| Backup Type | Select either: Full Config — A full configuration backup that includes both the configuration file and other uploaded files, such as private keys, certificates, and error pages. Note: You cannot restore a full configuration backup made via FTP/SFTP by using the web UI. Instead, use the execute restore command in the CLI. CLI Config — Only includes the core configuration file. WAF Config — Only includes the web protection profiles. |
| Encryption | Enable to encrypt the backup file using 128-bit AES and a password. |
| Encryption Password | Type the password that will be used to encrypt the backup file. This field appears only if you enable Encryption. |
| Schedule Type | Select either: Now — Initiate the backup immediately. Daily — Schedule a recurring backup for a specific day and time of the week. |
| Days | Select the specific days when you want the backup to occur. This field is visible only if you set Schedule Type to Daily. |
| Time | Select the specific hour and minute of the day when you want the backup to occur. This field is visible only if you set Schedule Type to Daily. |
5. Click OK.
If you selected an immediate backup, the appliance connects to the server and uploads the backup.
To back up the configuration via the CLI to a TFTP server
 
Fortinet strongly recommends that you password-encrypt this backup, and store it in a secure location. This method includes sensitive data such as your HTTPS certificates’ private keys.
1. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.)
 
Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn tftpd off when you are done.
2. Log in to the CLI as the admin administrator using either the local console, the CLI Console widget in the web UI, or an SSH or Telnet connection.
Other administrator accounts do not have the required permissions.
3. Enter the following command:
execute backup full-config tftp <file-name_str> <server_ipv4> [<backup-password_str>]
where:
| Variable | Description |
|---|---|
| <file-name_str> | Type the file name of the backup. |
| <server_ipv4> | Type the IP address of the server. Note: Domain names are currently not valid input with this command if you choose the FTP protocol. |
| [<backup-password_str>] | Optional. Type the password that will be used to encrypt the backup file. Caution: Do not lose this password. You will need to enter this same password when restoring the backup file in order for the appliance to successfully decrypt the file. If you cannot remember the password, the backup cannot be used. |
For example, the following command backs up a FortiWeb-3000C’s configuration file to a file named FortiWeb-3000C.conf in the current directory on the TFTP server 172.16.1.10, encrypting the backup file using the password P@ssw0rd1:
FortiWeb-3000C # exec backup full-config tftp FortiWeb-3000C.conf 172.16.1.10 P@ssw0rd1
Time required varies by the size of the database and the specifications of the appliance’s hardware, but could take several minutes.