Configuration backups and reset
Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device must be recreated, unless a backup can be used to restore it.
You can use the GUI or CLI to back up the configuration in FortiOS or YAML format. You have the option to save the configuration file in FortiOS format to various locations including the local PC, USB key, FTP, and TFTP server. FTP and TFTP are only configurable through the CLI. In YAML format, configuration files can be backed up or restored on an FTP or TFTP server through the CLI.
Backing up a configuration file requires read/write access. Therefore, administrators with read-only access cannot back up a config file from the FortiGate or through SCP.
Backing up and restoring configurations from the GUI
Configurations can be backed up using the GUI to your PC or a USB disk.
Field | Description
---|---
Scope | Shown when the FortiGate is in multi-VDOM mode and the user is logged in as a global administrator.
Backup to | Choose where to save the configuration backup file. You can also back up to FortiManager using the CLI.
File format | The configuration file can be saved in FortiOS or YAML format.
Password mask | Use password masking when sending a configuration file to a third party. When password masking is enabled, passwords and secrets are replaced in the configuration file with FortinetPasswordMask.
Encryption | Enable Encryption to encrypt the configuration file. An encrypted configuration file cannot be restored on the FortiGate without the password that was set when it was backed up. Encryption must be enabled on the backup file to back up VPN certificates. Encryption uses the AES-GCM algorithm.
To back up the configuration in FortiOS format using the GUI:
- Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
- Direct the backup to your Local PC or to a USB Disk. The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also back up to FortiManager using the CLI.
- If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM). If backing up a VDOM configuration, select the VDOM name from the list.
- Enable Encryption. This is recommended to secure your backup configurations and prevent unauthorized parties from reloading your configuration.
- Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
- Click OK.
- When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will have a .conf extension.
To back up the configuration in YAML format using the GUI:
- Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
- Direct the backup to your Local PC or to a USB Disk.
- Select YAML for the File format.
- Click OK.
When backing up a configuration that will be shared with a third party, such as Fortinet Inc. Support, passwords and secrets should be obfuscated in the configuration to avoid information being unintentionally leaked. Password masking can be enabled in the Backup System Configuration page and in the CLI. When password masking is enabled, passwords and secrets are replaced in the configuration file with FortinetPasswordMask.
To mask passwords in the GUI:
- Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
- Select YAML as the File format.
- Enable Password mask. A warning message is displayed.
- Click OK. The configuration file is saved to your computer with passwords and secrets obfuscated.
The following is an example of output with password masking enabled:
```
config system admin
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 172.16.200.55
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
        set schedule "always"
    next
end
```
Restoring configuration files from the GUI
Configuration files can be used to restore the FortiGate to a previous configuration in the Restore System Configuration page.
To restore the FortiGate configuration using the GUI:
- Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
- Identify the source of the configuration file to be restored: your Local PC or a USB Disk. The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from FortiManager using the CLI.
- Click Upload, locate the configuration file, and click Open.
- Enter the password if required.
- Click OK.
When restoring a configuration file that has password masking enabled, the obfuscated passwords and secrets are restored as the password mask itself, not as the original values.
Restoring the FortiGate from a configuration with obfuscated passwords is not recommended.
To restore an obfuscated YAML configuration using the GUI:
- Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
- Click Upload. The File Explorer is displayed.
- Navigate to the configuration file and click Open.
- (Optional) Enter the file password in the Password field.
- Click OK. The Confirm pane is displayed with a warning.
- Toggle the acknowledgment.
- Click OK.
Backing up and restoring configurations from the CLI
Configuration backups in the CLI are performed using the execute backup commands and can be made in FortiOS or YAML format.
Configuration files can be backed up to various locations depending on the command:
- flash: Back up the configuration file to the flash drive.
- ftp: Back up the configuration file to an FTP server.
- management-station: Back up the configuration file to a management station, such as FortiManager or FortiGate Cloud.
- sftp: Back up the configuration file to an SFTP server.
- tftp: Back up the configuration file to a TFTP server.
- usb: Back up the configuration file to an external USB drive.
- usb-mode: Back up the configuration file for USB mode.
Command | Description
---|---
execute backup config | Back up the configuration in FortiOS format. Destinations: flash, ftp, management-station, sftp, tftp, usb, usb-mode.
execute backup full-config | Back up the configuration, including backups of default configuration settings.
execute backup yaml-config | Back up the configuration in YAML format. Destinations: ftp, tftp.
execute backup obfuscated-config | Back up the configuration with passwords and secrets obfuscated. Destinations: ftp, management-station, sftp, tftp, usb.
execute backup obfuscated-full-config | Back up the configuration (including default configuration settings) with passwords and secrets obfuscated. Destinations: ftp, sftp, tftp, usb.
execute backup obfuscated-yaml-config | Back up the configuration in YAML format with passwords and secrets obfuscated. Destinations: ftp, tftp.
To back up the configuration in FortiOS format using the CLI:
For FTP, note that the port number and username are optional depending on the FTP site:
# execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]
or for TFTP:
# execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]
or for SFTP:
# execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]
or:
# execute backup config management-station <comment>
or:
# execute backup config usb <backup_filename> [<backup_password>]
Use the same commands to back up a VDOM configuration by first entering the commands:
```
config vdom
edit <vdom_name>
```
See Backing up and restoring configurations in multi-VDOM mode for more information.
When backing up a configuration in YAML format, if it is not already specified in the file name, .yaml will be appended to the end. For example, if the file name entered is 301E.conf, the name will become 301E.conf.yaml after the configuration is backed up.
To back up the configuration in YAML format using the CLI:
# execute backup yaml-config {ftp | tftp} <filename> <server> [username] [password]
For example:
```
# execute backup yaml-config tftp 301E.conf 172.16.200.55
Please wait...
The suffix '.yaml' will be appended to the filename if user does not add it specifically.
Connect to tftp server 172.16.200.55 ...
#
Send config file to tftp server OK.
```
Configuration files can be backed up with passwords and secrets obfuscated so that information is not unintentionally leaked when sharing configuration files with third parties.
To mask passwords in a configuration backup in the CLI:
# execute backup obfuscated-config {ftp | management-station | sftp | tftp | usb}
To mask passwords in the full configuration backup in the CLI:
# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}
To mask passwords in a configuration backup with YAML formatting in the CLI:
# execute backup obfuscated-yaml-config {ftp | tftp}
If a configuration is being backed up to a server, the server information must be included with the command. Other information that may be required with an
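Before a masked backup (from the GUI output shown earlier or from the execute backup obfuscated-* commands) is handed to a third party, it is worth confirming that every secret really was replaced. The following is an added example, not Fortinet code: it parses the config / edit / set / next / end format and lists secret settings whose value is not FortinetPasswordMask. The set of secret key names and the sample configuration are assumptions drawn from the page's own sample output.

```python
# Added example (not Fortinet code): check a FortiOS backup for secrets the
# password mask did not replace, by parsing the config/edit/set/next/end format.
import re

MASK = "FortinetPasswordMask"
SECRET_KEYS = {"password", "psksecret", "passphrase"}  # masked in the page's sample
_ENTRY = re.compile(r"^(config|edit|set|next|end)(?:\s+(.*))?$")

def parse_settings(text):
    """Yield (path, key, value) for each 'set' line; path is the config/edit nesting."""
    stack = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        kw, rest = m.group(1), m.group(2) or ""
        if kw == "config":
            stack.append(rest)
        elif kw == "edit":
            stack.append(rest.strip('"'))
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
        else:  # set <key> <value...>
            key, _, value = rest.partition(" ")
            yield " / ".join(stack), key, value.strip()

def find_unmasked_secrets(text):
    """Return [(path, key)] for secret-bearing settings still holding a real value."""
    return [(path, key) for path, key, value in parse_settings(text)
            if key in SECRET_KEYS and value != MASK]

# Constructed sample: the page's masked output plus one SSID whose passphrase
# was left as an (invented) ENC value, i.e. the case the check must catch.
SAMPLE = """\
config system admin
    edit "1"
        set accprofile "prof_admin"
        set password FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
    next
    edit "ssid-2"
        set passphrase ENC constructed-example-ciphertext
    next
end
"""
```

Running find_unmasked_secrets over a file read from disk reports the object path and key of each leftover secret; an empty list means the file is safe to share as far as these keys are concerned.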
Restoring configuration files from the CLI
Configuration files can be used to restore the FortiGate using the CLI.
Command | Description
---|---
execute restore config | Restore a configuration that is in FortiOS or YAML format. The file format is detected automatically when it is restored. Configurations can be loaded from: flash, ftp, management-station, tftp, usb.
To restore the FortiGate configuration using the CLI:
For FTP, note that the port number and username are optional depending on the FTP site:
# execute restore config ftp <backup_filename> <ftp_server>[<:port>] [<user_name>] [<password>] [<backup_password>]
or for TFTP:
# execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]
For restoring the configuration from FortiManager or FortiGate Cloud:
# execute restore config management-station normal <revision ID>
or:
# execute restore config usb <backup_filename> [<backup_password>]
The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.
Troubleshooting
When restoring a configuration, errors may occur, but the solutions are usually straightforward.
Error message | Reason and Solution
---|---
Configuration file error | This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware. Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.
Invalid password | When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file. Solution: Use the correct password if the file is password protected.
Configuration revision
You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.
Central management server
The central management server can either be a FortiManager unit or FortiGate Cloud.
If central management is not configured on your FortiGate, a message appears instructing you to either enable central management, or obtain a valid license.
To enable central management from the GUI:
- Go to Security Fabric > Fabric Connectors and double-click the Central Management card.
- Set the Status to Enabled and select a Type.
- Click OK.
To enable central management from the CLI:
```
config system central-management
    set type {fortimanager | fortiguard}
    set mode backup
    set fmg <IP address>
end
```
To backup to the management server:
# execute backup config management-station <comment>
To view a backed-up revision:
# execute restore config management-station normal 0
To restore a backed-up revision:
# execute restore config management-station normal <revision ID>
Backing up to a local disk
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.
Configuration backup occurs by default with firmware upgrades but can also be configured to occur every time you log out.
To configure configuration backup when logging out:
```
config system global
    set revision-backup-on-logout enable
end
```
To manually force backup:
# execute backup config flash <comment>
Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and selecting Configuration > Revisions.
To view a list of revisions backed up to the disk from the CLI:
# execute revision list config
To restore a configuration from the CLI:
# execute restore config flash <revision ID>
Restore factory defaults
There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults:
Command | Description
---|---
execute factoryreset | Reset the device to factory default configuration. The firmware version and antivirus and IPS attack definitions are not changed.
execute factoryreset2 | Reset to factory default configuration without losing management access to the FortiGate. Interface and VDOM configurations, as well as the firmware version and antivirus and IPS attack definitions, are not changed.
Secure file copy
You can also back up and restore your configuration using Secure File Copy (SCP). See How to download a FortiGate configuration file and upload firmware file using secure file copy (SCP).
You enable SCP support using the following command:
```
config system global
    set admin-scp enable
end
```
For more information about this command and about SCP support, see config system global.