Backup your FortiGate



It is critical to take a backup before upgrading or before making any configuration changes.

You should take the following backups:

  • Configuration file
  • Local certificates

Why should I take a certificate backup?

Because the unique SSL inspection CA and server certificates that your FortiGate generates by default are not saved in a system backup.


Where can I save the backup?

Local PC, USB key, FTP server, or TFTP server.


What if I have VDOMs?

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM.


How to back up?

  • Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
  • Direct the backup to your local PC or to a USB disk. The USB Disk option will not be available if no USB drive is inserted in the USB port.
  • If VDOMs are enabled, you can back up a specific VDOM or the entire configuration.
  • Encryption: encryption must be enabled on the backup file to back up VPN certificates.
  • Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
  • Once you click OK, you are prompted to select a location on the PC or USB disk to save the configuration file.


Backup options:

flash                 Backup config file to flash.
ftp                   Backup config file to ftp server.
management-station    Backup config file to management station.
tftp                  Backup config file to TFTP server.
usb                   Backup config file to USB disk.
usb-mode              Backup config file for USB mode.


To collect a VDOM backup, enter the VDOM first:

config vdom
edit <vdom_name>

Note: the backup command is then the same.



How to send a backup to FortiCloud or FortiManager:

Command:

execute backup config management-station <comment>

You may get errors like the ones below:

FGT# exe backup config management-station new_bac
configuration backup to Management Station is only available in backup management mode. <---
Command fail. Return code -651

This error appears if central management has not been configured.

Configure FortiGuard or FortiManager under central management:


FGT# sh sys central-management 
config system central-management
    set mode backup
    set type fortiguard <---Specify the backup type

(Type can be:
1> fortimanager  FortiManager.
2> fortiguard    Central management of this FortiGate using FortiCloud.)

You could get the error below if the service is unregistered or expired:

FGT# exe backup config management-station new_bac
Management Service is unregistered/expired. <----
Command fail. Return code -651

USB backup:

FGT# exe backup config usb back admin 
No usb disk plugged-in
Command fail. Return code -160

You can check USB status with the below command:

FortiGate-VM64-KVM # get hardware status 
Model name: FortiGate-VM64-KVM
ASIC version: not available
CPU: QEMU Virtual CPU version 1.0
Number of CPUs: 1
RAM: 1000 MB
Compact Flash: 2056 MB /dev/vda
Hard disk: not available
USB Flash: not available 

FTP:


execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]


TFTP:


execute backup config tftp <backup_filename> <tftp_server> <password>


SCP:

=> Enable SCP in global:

# config system global
    set admin-scp enable
end

=> SCP uses the SSH protocol to provide secure file transfer. The interface you use for administration must allow SSH access.

=> Confirm the FortiGate SSH port.

The default SSH port is 22. If you are using a different SSH port, add "-P <SSH_Port>" to the SCP commands.

# show full-configuration | grep admin-ssh-port


How to collect the backup:

Linux:

scp admin@<FortiGate_IP>:sys_config <location>

Windows:

pscp admin@<FortiGate_IP>:sys_config <location>
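The SCP procedure above as an added example script (not from the original post or from Fortinet): it adds the -P option only when the SSH port is not the default 22, then checks that the saved file looks like a FortiGate config export and records its SHA-256 next to it. It assumes an export begins with a "#config-version=" line; the sample config it verifies offline is constructed, not taken from a real device.

```shell
#!/bin/sh
# Added example, not from the original post: pull a FortiGate config over SCP
# (honouring a non-default SSH port) and sanity-check the saved file.
# Assumption: a FortiGate config export starts with a "#config-version=" line.
set -eu

# Print "-P <port>" when the SSH port is not the default 22, else nothing.
scp_port_opt() {
    if [ "$1" = "22" ]; then printf ''; else printf '%s %s' -P "$1"; fi
}

# Accept only a non-empty file with the header line and at least one
# "config ..." section; on success print its SHA-256 so it can be recorded.
verify_backup() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^#config-version=' || return 1
    grep -q '^config ' "$f" || return 1
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$f" || shasum -a 256 "$f"; } | cut -d' ' -f1
}
# The post's procedure: scp admin@<FortiGate_IP>:sys_config <location>, then
# verify and store the hash. Usage: run_backup <FortiGate_IP> <ssh_port> <dir>
run_backup() {
    dest="$3/fgt-$(date +%Y%m%d-%H%M%S).conf"
    scp $(scp_port_opt "$2") "admin@$1:sys_config" "$dest"  # port opt is word-split on purpose
    verify_backup "$dest" > "$dest.sha256"
    echo "saved $dest (sha256 in $dest.sha256)"
}

# Constructed sample of an export (not from a real device), used by self_check.
sample_config() {
    cat <<'EOF'
#config-version=FGVMXX-0.0.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "lab-fgt"
end
EOF
}
# Offline self-check: the sample must pass and yield a 64-hex-char digest,
# a garbage file must be rejected.
self_check() {
    good=$(mktemp); bad=$(mktemp)
    sample_config > "$good"; printf 'not a config\n' > "$bad"
    h=$(verify_backup "$good") || return 1
    if verify_backup "$bad" >/dev/null; then return 1; fi
    rm -f "$good" "$bad"
    [ "${#h}" -eq 64 ]
}

if [ "${1:-}" = "--run" ]; then run_backup "$2" "$3" "$4"; fi
```

Run `sh backup.sh --run <FortiGate_IP> <ssh_port> <dir>` against a device; with no arguments it only defines the functions, so self_check can be called to exercise the verification logic offline.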
