Fortinet black logo

Handbook

Configuration backups

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:662495
Download PDF

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you backup the configuration after any changes are made, to ensure you have the most current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not appear.

Note

You can also backup and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global

set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration using the GUI

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

    The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.

  3. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
  4. If backing up a VDOM configuration, select the VDOM name from the list.
  5. Select Encryption.

    Encryption must be enabled on the backup file to back up VPN certificates.

  6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
  7. Select OK.
  8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use one of the following commands:

execute backup config management-station <comment>

or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_servers> <password>

Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom

edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

where:

  • <cert_name> is the name of the server certificate.
  • <filename> is a name for the output file.
  • <tftp_ip> is the IP address assigned to the TFTP server host interface.
To restore the local certificates - GUI:
  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and select Import.
  3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
  4. Select Upload. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
  5. If required, enter the Password needed to upload the exported file.
  6. Select OK.
To restore the local certificates - CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration - GUI:
  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored : your Local PC or a USB Disk.

    The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Enter the path and file name of the configuration file, or select Browse to locate the file.
  4. Enter a password if required.
  5. Select Restore.
To restore the FortiGate configuration - CLI:

execute restore config management-station normal 0

or:

execute restore config usb <filename> [<password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message Reason and Solution

Configuration file error

This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Invalid password

When the configuration file is saved, it can be protected by a password. The password entered during the upload process is not matching the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either:

  • Enable central management, or
  • obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset using the CLI by entering the command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the following command:

execute factoryreset2

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you backup the configuration after any changes are made, to ensure you have the most current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not appear.

Note

You can also backup and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global

set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration using the GUI

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

    The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.

  3. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
  4. If backing up a VDOM configuration, select the VDOM name from the list.
  5. Select Encryption.

    Encryption must be enabled on the backup file to back up VPN certificates.

  6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
  7. Select OK.
  8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use one of the following commands:

execute backup config management-station <comment>

or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_servers> <password>

Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom

edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

where:

  • <cert_name> is the name of the server certificate.
  • <filename> is a name for the output file.
  • <tftp_ip> is the IP address assigned to the TFTP server host interface.
To restore the local certificates - GUI:
  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and select Import.
  3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
  4. Select Upload. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
  5. If required, enter the Password needed to upload the exported file.
  6. Select OK.
To restore the local certificates - CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration - GUI:
  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored : your Local PC or a USB Disk.

    The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Enter the path and file name of the configuration file, or select Browse to locate the file.
  4. Enter a password if required.
  5. Select Restore.
To restore the FortiGate configuration - CLI:

execute restore config management-station normal 0

or:

execute restore config usb <filename> [<password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message Reason and Solution

Configuration file error

This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Invalid password

When the configuration file is saved, it can be protected by a password. The password entered during the upload process is not matching the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either:

  • Enable central management, or
  • obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset using the CLI by entering the command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the following command:

execute factoryreset2