Fortigate Config Backup and Recovery

Once you configure the FortiGate unit and it is working correctly, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate unit to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

It is also recommended that once any further changes are made that you backup the configuration immediately, to ensure you have the most current configuration available. Also, ensure you backup the configuration before upgrading the FortiGate unit’s firmware. Should anything happen during the upgrade that changes the configuration, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP and TFTP site.The latter two are configurable through the CLI only.1)

A dedicated backup admin account should be used to perform backups via CLI. The script used to backup the firewall's config uses this account's credentials.

The backup admin account should only be allowed to login from the computer that the backup script is running on. The IP address of the computer running the script must be added to the list of Trusted Hosts for the firewall's BackupAdmin account. Remove any unused IPs from the list of Trusted Hosts as well.

To configure the backup admin account from the web GUI, go to System → Administrators. Edit (or create) the backup admin account with the following settings.

  • User name: BackupAdmin
  • Type: Local User
  • Administrator profile: prof_admin (read only access)
  • Restrict login to trusted hosts: Enabled
  • Trusted host 1: <IP address of the computer the backup script is running on>

Powershell, part of the Cyrus Backup Solution, in conjunction with Posh-SSH and Solarwinds TFTP Server, is used to automate the Fortigate config backup process.

The script first starts the Solarwinds TFTP server service (if using Solarwinds) and enables the “TFTP” firewall rule. Then, it uses Posh-SSH to SSH into the firewall and backs up the config to the local computer. Next, it stops the TFTP service and disables the firewall rule. Finally, it moves the config file from the root of the TFTP server to the backup directory on the NAS server.

If there are errors, the script emails the log file to Spiceworks, creating a ticket.

The steps below should be done on the computer and user account from which the script will be run.

  1. Run New-SecurePassFile.ps1 manually to save the Fortigate BackupAdmin password.
  2. Add Get-SecurePassword.ps1 and StartStop-SolarwindsTftpServer.ps1 to the same directory as the backup script is in, or change the paths to these files inside of the script.
  3. Modify the script to match the current setup:
    1. Change the $PwdFile variable in the script to the new secure password file.
    2. Set the IP address(es) listed in the $ipAddresses array to the IP of the firewall(s) being backed up (on whichever VLAN the computer is on).
    3. Change the $tftpServerIP variable to your computer's IP.
  4. In the firewall, set the Backup Admin's Trusted Host to the IP of the computer running the script.
  5. Run the script. A new config file should now be in the firewall's backup directory on the NAS server.
  6. If successful, create a Task Scheduler task to run the powershell script daily. powershell C:\path\to\Backup-FirewallConfig.ps1

This script is called from Cyrus-Backup-Client.ps1 as part of the Client aspect of Cyrus Backup Solution.


The firewall can also be backed up from the web GUI manually if needed.

  1. Go to System > Dashboard > Status.
  2. On the System Information widget, select Backup for the System Configuration.
  3. Select to backup to your Local PC.
    1. If VDOMs are enabled, select to backup the entire FortiGate configuration (Full Config) or only a specific VDOM configuration (VDOM Config).
    2. If backing up a VDOM configuration, select the VDOM name from the list.
  4. Select Encrypt configuration file.
  5. Enter a password and enter it again to confirm it. You will need this password to restore the file. Make sure to put this password into a new Passpack entry.
  6. Select Backup.
  7. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension. Save it to the Fortigate backup network share, \\nas1\NASShare\dr\fortigate

Should you need to restore a configuration file, use the following steps:

  1. Go to System > Dashboard > Status.
  2. On the System Information widget, select Restore for the System Configuration.
  3. Select to upload the configuration file to be restored from your Local PC.
  4. Enter the path and file name of the configuration file, or select Browse to locate the file.
  5. Enter the encryption password.
  6. Select Restore.

There may be a point where need to reset the FortiGate unit to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration:

To reset using the cli, enter the command:

execute factoryreset

When prompted, enter y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration.

Use the command:

execute factoryreset2

  • dr/fortigate_backup_recovery.txt
  • Last modified: 2019/03/15 16:37
  • by ericclaus