Administration Guide

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. You can use the GUI or CLI to back up the configuration in FortiOS format, or you can use the CLI to back up the configuration in YAML format. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also back up the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you back up the configuration after any changes are made, to ensure you have the most current configuration available. Also, back up the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always back up the configuration and store it on the management computer or off-site. You have the option to save the configuration file in FortiOS format to various locations including the local PC, USB key, FTP, and TFTP server. FTP and TFTP are only configurable through the CLI. In YAML format, configuration files can be backed up or restored on an FTP or TFTP server through the CLI.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiGate Cloud, full backups are performed and the option to back up individual VDOMs will not appear.

Note

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global

set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration

To back up the configuration in FortiOS format using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

    The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also back up to FortiManager using the CLI.

  3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).

    If backing up a VDOM configuration, select the VDOM name from the list.

  4. Enable Encryption. Encryption must be enabled on the backup file to back up VPN certificates.
  5. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
  6. Click OK.
  7. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will have a .conf extension.
To back up the configuration in FortiOS format using the CLI:

Use one of the following commands:

execute backup config management-station <comment>

or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP (the port number and username are optional, depending on the FTP server):

execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]

or for SFTP:

execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]

Use the same commands to back up a VDOM configuration by first entering the VDOM context with the following commands:

config vdom

edit <vdom_name>

Note

In FortiOS format, the configuration can be backed up to IPv4 and IPv6 FTP, TFTP, and SFTP servers.

The configuration can be restored from IPv4 and IPv6 FTP and TFTP servers.

To back up the configuration in YAML format using the CLI:
# execute backup yaml-config {ftp | tftp} <filename> <server> [username] [password]

For example:

# execute backup yaml-config  tftp  301E.yaml 172.16.200.55
    Please wait...
    Connect to tftp server 172.16.200.55 ...
    #
    Send config file to tftp server OK.
Note

In YAML format, the configuration can be backed up to and restored from an FTP or TFTP server.

Restoring a configuration

To restore the FortiGate configuration in FortiOS format using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.

    The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from FortiManager using the CLI.

  3. Click Upload, locate the configuration file, and click Open.
  4. Enter the password if required.
  5. Click OK.
To restore the FortiGate configuration in FortiOS format using the CLI:

execute restore config management-station normal 0

or:

execute restore config usb <backup_filename> [<backup_password>]

or for FTP (the port number and username are optional, depending on the FTP server):

execute restore config ftp <backup_filename> <ftp_server>[<:port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

To restore configuration files in YAML format:
# execute restore yaml-config {ftp | tftp} <filename> <server> [username] [password]

For example:

# execute restore  yaml-config  ftp  301E-1.yaml 172.16.200.55 root sys@qa123456
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n) y
    Please wait...
    Connect to ftp server 172.16.200.55 ...
    Get config file from ftp server OK.
    File check OK.
    #
    The system is going down NOW !!

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message: Configuration file error

Reason: This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Error message: Invalid password

Reason: When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.
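A plaintext FortiOS backup begins with a #config-version= header that records the model, firmware version and whether VDOMs were enabled when it was taken. The following Python checker (an added example, not code from the Fortinet guide) parses that header and reports why a restore to a given target would produce the "Configuration file error" described above. The header layout is assumed from backups seen in practice, and the sample backup is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header line that a plaintext FortiOS backup begins with. The layout is an
# assumption based on backup files seen in practice, not taken from the guide.
_HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d{6}):opmode=(?P<opmode>\d):"
    r"vdom=(?P<vdom>\d):user=(?P<user>[^\s:]+)"
)


@dataclass
class BackupHeader:
    model: str
    version: str
    build: str
    vdom_enabled: bool
    user: str


def parse_header(conf_text: str) -> Optional[BackupHeader]:
    """Parse the first line of a backup; None if no usable header is present."""
    first = conf_text.lstrip().splitlines()[0] if conf_text.strip() else ""
    m = _HEADER_RE.match(first)
    if not m:
        return None
    return BackupHeader(m["model"], m["version"], m["build"], m["vdom"] == "1", m["user"])


def check_restore_target(conf_text: str, target_model: str, target_version: str) -> list[str]:
    """Return the reasons a restore onto the target would be rejected as a
    'Configuration file error'; an empty list means model and firmware match."""
    hdr = parse_header(conf_text)
    if hdr is None:
        return ["no #config-version header (not a plaintext FortiOS .conf backup)"]
    problems = []
    if hdr.model != target_model:
        problems.append(f"model mismatch: file is for {hdr.model}, target is {target_model}")
    if hdr.version != target_version:
        problems.append(f"firmware mismatch: file is {hdr.version}, target runs {target_version}")
    return problems


# Constructed sample: the first lines of a backup taken from a hypothetical
# FG100F on 7.0.5 with VDOMs enabled.
SAMPLE_CONF = """\
#config-version=FG100F-7.0.5-FW-build0304-220407:opmode=0:vdom=1:user=admin
config system global
    set admin-scp enable
    set hostname "fw-branch-01"
end
"""

if __name__ == "__main__":
    # Trying to restore this file onto a different model would be rejected.
    for reason in check_restore_target(SAMPLE_CONF, "FG60F", "7.0.5"):
        print("restore would fail:", reason)
```

Run the check against the target's model and firmware before starting a restore, since the FortiGate rejects the file only after it has been uploaded.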

Configuration revision

You can manage multiple versions of configuration files on models that have 512 MB of flash memory or more. Revision control requires either a configured central management server or a local hard drive, if your FortiGate has one. Typically, configuration backup to a local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiGate Cloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either

  • Enable central management, or
  • Obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Back up and restore the local certificates

This procedure exports a server (local) certificate and its private key together as a password-protected PKCS12 file. The export file is written to a customer-supplied TFTP server. Ensure that your TFTP server is running and reachable from the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

where:

  • <cert_name> is the name of the server certificate.
  • <filename> is a name for the output file.
  • <tftp_ip> is the IP address assigned to the TFTP server host interface.
To restore the local certificates using the GUI:
  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and click Import > Local.
  3. Select the certificate type, then click Upload in the Certificate file field.
  4. On the management computer, browse to the file location, select it, and click Open.
  5. If the Type is Certificate, upload the Key file as well.
  6. If required, enter the Password that is required to upload the file or files.
  7. Click OK.
To restore the local certificates using the CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset the device with the following CLI command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration with the following command:

execute factoryreset2