Backing up the system
Fortinet recommends that you back up your FortiAnalyzer configuration to your management computer on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal affect to the network. You should also back up your configuration after making any changes to the FortiAnalyzer configuration or settings that affect connected devices.
Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit before upgrading the FortiAnalyzer firmware. See Updating the system firmware.
An MD5 checksum is automatically generated in the event log when backing up the configuration. You can verify a backup by comparing the checksum in the log entry with that of the backup file.
FortiAnalyzer uses AES-GCM encryption for backup configurations. |
To back up the FortiAnalyzer configuration:
- Go to System Settings > Dashboard.
- In the System Information widget, click the backup button next to System Configuration. The Backup System dialog box opens
-
Enter and confirm the password you want to use for encryption. The password can be a maximum of 63 characters.
The character "
\
" is used in the FortiAnalyzer CLI as an escape character.If your encryption password contains the
\
character, you must either escape it (by adding an additional\
) or use single quotes around the password when referring to it in the CLI. For example:-
execute backup all-settings ftp 10.0.0.1 backup/backup1.dat admin admin1234 ~jFeS.Z/i\\ilA~gnAaq=8c1n`gCabc
-
execute backup all-settings ftp 10.0.0.1 backup/backup1.dat admin admin1234 '~jFeS.Z/i\ilA~gnAaq=8c1n`gCabc'
-
- Select OK and save the backup file on your management computer.
Configuring automatic backups
You can configure FortiAnalyzer to automatically backup your configuration on a set schedule. This feature can only be configured through the CLI.
To schedule automatic backup of the FortiAnalyzer configuration:
- In the FortiAnalyzer CLI, enter the following command:
config system backup all-settings
- Configure the backup settings:
set status {enable | disable}
set server {<ipv4_address>|<fqdn_str>}
set user <username>
set directory <string>
set week_days {monday tuesday wednesday thursday friday saturday sunday}
set time <hh:mm:ss>
set protocol {ftp | scp | sftp}
set passwd <passwd>
set crptpasswd <passwd>
end
For example, the following configuration uses the FTP protocol to backup the configuration to server 172.20.120.11
in the /usr/local/backup
directory every Monday at 1:00pm.
config system backup all-settings
set status enable
set server 172.20.120.11
set user admin
set directory /usr/local/backup
set week_days monday
set time 13:00:00
set protocol ftp
end
For more information, see the FortiAnalyzer CLI Reference Guide on the Fortinet Documents Library.
To find the MD5 checksum generated with the backup:
- In the GUI, go to System Settings > Event Log.
- In the Changes column for the event log, note the MD5 checksum.
Perform backups using SCP
You can use secure copy protocol (SCP) with a SSH certificate to back up the FortiAnalyzer system configuration.
The following is an example of SSH certificate generation to be used with SCP for configuration backup. This example uses RSA but can also be applied to ED25519 keys.
To configure a SSH certificate for backup using SCP:
- Create a SSH CA user key pair.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/ssh_user_ca
- Create a SSH CA host key pair.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/ssh_host_ca
- Copy the CA host
ssh_host_ca*
to/etc/ssh/
. - Sign the user's public key using the host CA key.
ssh-keygen -s ~/.ssh/ssh_host_ca -I qa -n qa -V +52w ~/.ssh/ssh_user_ca.pub
ssh-keygen -Lf ~/.ssh/ssh_user_ca-cert.pub
/root/.ssh/ssh_user_ca-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com host certificate
Public key: RSA-CERT SHA256:/Ue4vx5n2oUp+XhwLuAkadsfa0YTt7dpuZgbZ8TBNuw
Signing CA: RSA SHA256:/Ue4vx5n2oUp+XhwLuAkIkvadfadTt7dpuZgbZ8TBNuw (using rsa-sha2-512)
Key ID: "qa"
Serial: 0
Valid: from 2023-09-25T14:24:00 to 2024-09-23T14:25:08
Principals: qa
Critical Options: (none)
Extensions: (none)
- Edit the SSH server config file at
/etc/ssh/sshd_config
and make the TrustedUserCAKeys directive to point to the user CA public key.TrustedUserCAKeys /etc/ssh/ssh_host_ca.pub
- Restart the sshd process to make the configuration change take effect..
systemctl restart sshd
- On FortiAnalyzer, configure the SSH certificate.
config sys certificate ssh
edit ssh_cert_1
set certificate "ssh_user_ca-cert.pub"
set private "ssh_user_ca"
end
- Configure backup of all settings using SCP .
execute backup all-settings scp <server IP> <path and file name> <username> <ssh-cert>