Configuration backups

Once you have successfully configured the FortiGate, it is extremely important that you back up the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which erases the existing configuration. In these instances, the configuration on the device has to be recreated unless a backup can be used to restore it. You should also back up the local certificates, because the unique SSL inspection CA and server certificates that your FortiGate generates by default are not included in a system backup.

We also recommend that you back up the configuration after any changes are made, so that you always have the most current configuration available. Also back up the configuration before any upgrade of the FortiGate’s firmware: should anything happen to the configuration during the upgrade, you can easily restore the saved copy.

Always back up the configuration and store it on the management computer or off-site. You can save the configuration file to various locations, including the local PC, a USB key, an FTP server, and a TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiGate Cloud, full backups are performed and the option to back up individual VDOMs does not appear.

Note

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global

set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration

To back up the configuration using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

    The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also back up to the FortiManager using the CLI.

  3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).

    If backing up a VDOM configuration, select the VDOM name from the list.

  4. Enable Encryption. Encryption must be enabled on the backup file to back up VPN certificates.
  5. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
  6. Click OK.
  7. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will have a .conf extension.
To back up the configuration using the CLI:

Use one of the following commands:

execute backup config management-station <comment>

or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP; note that the port number and username are optional, depending on the FTP server:

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_server> <password>

Use the same commands to back up a VDOM configuration by first entering the commands:

config vdom

edit <vdom_name>

Restoring a configuration

To restore the FortiGate configuration using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.

    The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Click Upload, locate the configuration file, and click Open.
  4. Enter the password if required.
  5. Click OK.
To restore the FortiGate configuration using the CLI:

execute restore config management-station normal 0

or:

execute restore config usb <filename> [<password>]

or for FTP; note that the port number and username are optional, depending on the FTP server:

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message

Reason and Solution

Configuration file error

This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Invalid password

When the configuration file is saved, it can be protected by a password. This error means that the password entered during the upload process does not match the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.
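The "Configuration file error" above is only reported after the upload, and a restore that fails partway leaves you waiting for a reboot to find out. The following added example (not Fortinet code, and not part of this page) is a pre-restore check you can run on the management computer: it reads the first line of an unencrypted backup, which the FortiGate writes as a plain-text header of the form `#config-version=<model>-<version>-FW-build<n>-<date>:opmode=..:vdom=..:user=..`, and compares the recorded model and firmware version with the device you intend to restore onto. The sample backup contents and the hostname in it are constructed; an encrypted backup has no such readable header, and the check reports that case rather than guessing.

```python
"""Pre-restore sanity check for a FortiGate configuration backup.

Hypothetical helper, not Fortinet code. Assumes the plain-text header
line that 'execute backup config' writes to an unencrypted backup, e.g.
  #config-version=FGT60E-6.4.5-FW-build1828-210217:opmode=0:vdom=0:user=admin
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Model is matched lazily so model names containing '-' still parse.
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>.+?)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d+)(?::(?P<opts>.*))?$"
)


@dataclass
class BackupHeader:
    model: str
    version: str
    build: str
    vdom_enabled: bool      # 'vdom=1' in the header: VDOMs were enabled when saved
    saved_by: Optional[str]  # 'user=' field, the admin who took the backup


def parse_header(first_line: str) -> Optional[BackupHeader]:
    """Parse the header line; return None if it is not a plain-text
    FortiGate header (encrypted backup, or not a backup at all)."""
    m = HEADER_RE.match(first_line.strip())
    if not m:
        return None
    opts = {}
    for item in (m.group("opts") or "").split(":"):
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key] = value
    return BackupHeader(
        model=m.group("model"),
        version=m.group("version"),
        build=m.group("build"),
        vdom_enabled=opts.get("vdom") == "1",
        saved_by=opts.get("user"),
    )


def compatibility_problems(header: BackupHeader, target_model: str,
                           target_version: str) -> List[str]:
    """Reasons the target device would reject this backup (model or
    firmware version recorded in the header differs from the target)."""
    problems = []
    if header.model != target_model:
        problems.append(f"model mismatch: backup is for {header.model}, "
                        f"device is {target_model}")
    if header.version != target_version:
        problems.append(f"firmware mismatch: backup is from {header.version}, "
                        f"device runs {target_version}")
    return problems


def check_backup_text(text: str, target_model: str,
                      target_version: str) -> Tuple[bool, List[str]]:
    """Inspect a backup's contents. Returns (ok_to_restore, messages)."""
    first_line = text.splitlines()[0] if text else ""
    header = parse_header(first_line)
    if header is None:
        return False, ["no plain-text header: file is encrypted or is not a "
                       "FortiGate backup; model/version cannot be checked "
                       "before upload"]
    problems = compatibility_problems(header, target_model, target_version)
    return (not problems), problems


# Constructed sample backup contents (not taken from a real device).
SAMPLE_BACKUP = (
    "#config-version=FGT60E-6.4.5-FW-build1828-210217:opmode=0:vdom=1:user=admin\n"
    "config system global\n"
    "    set hostname \"FGT-LAB\"\n"
    "end\n"
)

if __name__ == "__main__":
    # Usage: python check_backup.py <backup.conf> <model> <firmware-version>
    import sys
    path, model, version = sys.argv[1:4]
    with open(path, encoding="utf-8", errors="replace") as fh:
        ok, messages = check_backup_text(fh.read(), model, version)
    print("OK to restore" if ok else "\n".join(messages))
    sys.exit(0 if ok else 1)
```

Run it with the backup file, the target model tag and the firmware version the device reports; a non-zero exit means the restore would fail with "Configuration file error" (or that the file is encrypted and must be checked by hand). The `vdom_enabled` field is parsed as well so a script can refuse to push a backup taken with VDOMs enabled onto a unit without them.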

Configuration revision

You can manage multiple versions of configuration files on models that have 512 MB of flash memory or more. Revision control requires either a configured central management server or a local hard drive, if your FortiGate has one. Typically, configuration backup to a local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiGate Cloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either

  • Enable central management, or
  • Obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Backup and restore the local certificates

This procedure exports a server (local) certificate and its private key together as a password-protected PKCS12 file. The export file is written to a customer-supplied TFTP server. Ensure that your TFTP server is running and reachable from the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

where:

  • <cert_name> is the name of the server certificate.
  • <filename> is a name for the output file.
  • <tftp_ip> is the IP address assigned to the TFTP server host interface.
To restore the local certificates using the GUI:
  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and click Import > Local.
  3. Select the certificate type, then click Upload in the Certificate file field.
  4. On the management computer, browse to the file location, select it, and click Open.
  5. If the Type is Certificate, upload the Key file as well.
  6. If required, enter the Password needed to upload the file or files.
  7. Click OK.
To restore the local certificates using the CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset the device with the following CLI command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration with the following command:

execute factoryreset2
