Administration Guide

Configuration backups and reset

Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it.

You can use the GUI or CLI to back up the configuration in FortiOS or YAML format. You have the option to save the configuration file in FortiOS format to various locations including the local PC, USB key, FTP, and TFTP server. FTP and TFTP are only configurable through the CLI. In YAML format, configuration files can be backed up or restored on an FTP or TFTP server through the CLI.

Backing up and restoring configurations from the GUI

Configurations can be backed up using the GUI to your PC or a USB disk.

Field: Description

Scope: Applies when the FortiGate is in multi-vdom mode and a user is logged in as a global administrator.

Backup to: Where to save the configuration backup file.
  • Local PC: Save the configuration file to your PC.
  • USB Disk: Save the configuration file to an external USB disk. This option is not available if there is no USB drive inserted in the USB port.
  You can also back up to FortiManager using the CLI.

File format: The configuration file can be saved in FortiOS or YAML format.

Password mask: Use password masking when sending a configuration file to a third party. When password masking is enabled, passwords and secrets are replaced in the configuration file with FortinetPasswordMask.

Encryption: Enable Encryption to encrypt the configuration file. An encrypted configuration file cannot be restored on the FortiGate without the password that was set when it was created. Encryption must be enabled on the backup file to back up VPN certificates.

To back up the configuration in FortiOS format using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.
  3. Enable Encryption.
    Note

    This is recommended to secure your backup configurations and prevent unauthorized parties from reloading your configuration.

  4. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
  5. Click OK.
  6. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will have a .conf extension.
To back up the configuration in YAML format using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.
  3. Select YAML for the File format.

  4. Click OK.

When backing up a configuration that will be shared with a third party, such as Fortinet Inc. Support, passwords and secrets should be obfuscated from the configuration to avoid information being unintentionally leaked. Password masking can be completed in the Backup System Configuration page and in the CLI. When password masking is enabled, passwords and secrets will be replaced in the configuration file with FortinetPasswordMask.

To mask passwords in the GUI:
  1. Click on the username in the upper right-hand corner of the screen and select Configuration > Backup.

  2. Select YAML as the File format.

  3. Enable Password mask. A warning message is displayed.

  4. Click OK. The configuration file is saved to your computer with passwords and secrets obfuscated.

The following is an example of output with password masking enabled:

config system admin   
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 172.16.200.55
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
        set schedule "always"
    next
end
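As an added check that is not part of the Fortinet guide, the following Python script scans a FortiOS-format backup for the secret-bearing settings shown on this page (password, psksecret, passphrase) and reports any whose value is not the FortinetPasswordMask placeholder, so an unmasked backup is caught before it is shared with a third party. The sample backup is constructed from the masked output above with one deliberately unmasked entry; the set of setting names it checks is an assumption and should be extended for your own backups.

```python
"""Pre-share check for a FortiOS configuration backup.

Added example (not from the Fortinet guide): before a backup is sent to a
third party, confirm that every password or secret in it has been replaced
with the FortinetPasswordMask placeholder.
"""
import re
from dataclasses import dataclass

MASK = "FortinetPasswordMask"

# FortiOS settings whose values are credentials or shared secrets.
# Assumption: this covers the settings seen on this page; extend it for
# other secret-bearing settings that appear in your own backups.
SECRET_SETTINGS = {"password", "psksecret", "passphrase"}

# Constructed sample: the guide's masked example plus one unmasked
# wireless passphrase (a made-up value) that the check should flag.
SAMPLE_BACKUP = """\
config system admin
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set remote-gw 172.16.200.55
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase ENC example-not-masked
        set schedule "always"
    next
end
"""


@dataclass
class Finding:
    line_no: int
    section: str
    entry: str
    setting: str


_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")


def find_unmasked_secrets(text: str) -> list[Finding]:
    """Return every secret-bearing 'set' line whose value is not the mask.

    Tracks the enclosing 'config ...' section and 'edit ...' entry so a
    finding can be located in the file without reporting the value itself.
    """
    findings: list[Finding] = []
    section = ""
    entry = ""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line == "next":
            entry = ""
        elif line == "end":
            section = ""
            entry = ""
        else:
            m = _SET_RE.match(raw)
            if m and m.group(1) in SECRET_SETTINGS:
                value = m.group(2).strip().strip('"')
                if value != MASK:
                    findings.append(Finding(line_no, section, entry, m.group(1)))
    return findings


def is_safe_to_share(text: str) -> bool:
    """True when no secret-bearing setting still carries a real value."""
    return not find_unmasked_secrets(text)


if __name__ == "__main__":
    for f in find_unmasked_secrets(SAMPLE_BACKUP):
        # Report the location and setting name only, never the value.
        print(f"line {f.line_no}: '{f.setting}' in config {f.section} "
              f"edit {f.entry} is not masked")
    print("safe to share" if is_safe_to_share(SAMPLE_BACKUP) else "do not share")
```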

Restoring configuration files from the GUI

Configuration files can be used to restore the FortiGate to a previous configuration in the Restore System Configuration page.

To restore the FortiGate configuration using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.

    The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Click Upload, locate the configuration file, and click Open.
  4. Enter the password if required.
  5. Click OK.

When restoring a configuration file that has password masking enabled, the masked passwords and secrets are restored as the literal FortinetPasswordMask value, not as the original secrets.

Note

Restoring the FortiGate with a configuration with passwords obfuscated is not recommended.

To restore an obfuscated YAML configuration using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.

  2. Click Upload. The File Explorer is displayed.

  3. Navigate to the configuration file and click Open.

  4. (Optional) Enter the file password in the Password field.

  5. Click OK. The Confirm pane is displayed with a warning.

  6. Toggle the acknowledgment.

  7. Click OK.

Backing up and restoring configurations from the CLI

Configuration backups in the CLI are performed using the execute backup commands, in either FortiOS or YAML format.

Configuration files can be backed up to various locations depending on the command:

  • flash: Back up the configuration file to the flash drive.
  • ftp: Back up the configuration file to an FTP server.
  • management-station: Back up the configuration file to a management station, such as FortiManager or FortiGate Cloud.
  • sftp: Back up the configuration file to an SFTP server.
  • tftp: Back up the configuration file to a TFTP server.
  • usb: Back up the configuration file to an external USB drive.
  • usb-mode: Back up the configuration file for USB mode.

Command: Description

# execute backup config
Back up the configuration in FortiOS format. Destinations: flash, ftp, management-station, sftp, tftp, usb, usb-mode.

# execute backup full-config
Back up the configuration, including default configuration settings. Destinations: ftp, sftp, tftp, usb, usb-mode.

# execute backup yaml-config
Back up the configuration in YAML format. Destinations: ftp, tftp.

# execute backup obfuscated-config
Back up the configuration with passwords and secrets obfuscated. Destinations: ftp, management-station, sftp, tftp, usb.

# execute backup obfuscated-full-config
Back up the configuration (including default configuration settings) with passwords and secrets obfuscated. Destinations: ftp, sftp, tftp, usb.

# execute backup obfuscated-yaml-config
Back up the configuration in YAML format with passwords and secrets obfuscated. Destinations: ftp, tftp.

To back up the configuration in FortiOS format using the CLI:

For FTP, the port number and username are optional depending on the FTP server:

# execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

# execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]

or for SFTP:

# execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]

or:

# execute backup config management-station <comment>

or:

# execute backup config usb <backup_filename> [<backup_password>]

Use the same commands to back up a single VDOM configuration by first entering the commands:

config vdom
    edit <vdom_name>

See Backing up and restoring configurations in multi VDOM mode for more information.

When backing up a configuration in YAML format, if it is not already specified in the file name, .yaml will be appended to the end. For example, if the file name entered is 301E.conf, the name will become 301E.conf.yaml after the configuration is backed up.

To back up the configuration in YAML format using the CLI:
# execute backup yaml-config {ftp | tftp} <filename> <server> [username] [password]

For example:

# execute backup yaml-config  tftp  301E.conf 172.16.200.55
    Please wait...
    The suffix '.yaml' will be appended to the filename if user does not add it specifically.
    Connect to tftp server 172.16.200.55 ...
    #
    Send config file to tftp server OK.

Configuration backups can be written with passwords and secrets obfuscated, so that sharing the file with a third party does not unintentionally leak credentials.

To mask passwords in a configuration backup in the CLI:
# execute backup obfuscated-config {ftp | management-station | sftp | tftp | usb}
To mask passwords in the full configuration backup in the CLI:
# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}
To mask passwords in a configuration backup with YAML formatting in the CLI:
# execute backup obfuscated-yaml-config {ftp | tftp}
Note

If a configuration is being backed up on a server, server information must be included with the command. Other information that may be required with an execute backup command includes file names, passwords, and comments.

Restoring configuration files from the CLI

Configuration files can be used to restore the FortiGate using the CLI.

Command

Description

# execute restore config

Restore a configuration that is in FortiOS or YAML format. The file format is automatically detected when it is being restored.

Configurations can be loaded from:

  • flash: Load the configuration file from flash to firewall.
  • ftp: Load the configuration file from an FTP server.

  • management-station: Load the configuration from a management station.

  • tftp: Load the configuration from a TFTP server.

  • usb: Load the configuration file from an external USB disk to firewall.

  • usb-mode: Load the configuration file from an external USB disk and reboot.

To restore the FortiGate configuration using the CLI:

For FTP, the port number and username are optional depending on the FTP server:

# execute restore config ftp <backup_filename> <ftp_server>[<:port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

# execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]

For restoring the configuration from FortiManager or FortiGate Cloud:

# execute restore config management-station normal <revision ID>

or:

# execute restore config usb <backup_filename> [<backup_password>]

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message

Reason and Solution

Configuration file error

This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Invalid password

When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

Central management server

The central management server can either be a FortiManager unit or FortiGate Cloud.

If central management is not configured on your FortiGate, a message appears instructing you to either enable central management, or obtain a valid license.

To enable central management from the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Central Management card.

  2. Set the Status to Enabled and select a Type.

  3. Click OK.

To enable central management from the CLI:
config system central-management
    set type {fortimanager | fortiguard}
    set mode backup
    set fmg <IP address>
end
To backup to the management server:
# execute backup config management-station <comment>
To view a backed up revision:
# execute restore config management-station normal 0
To restore a backed up revision:
# execute restore config management-station normal <revision ID>

Backing up to a local disk

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration backup occurs by default with firmware upgrades but can also be configured to occur every time you log out.

To configure configuration backup when logging out:
config system global
  set revision-backup-on-logout enable
end
To manually force backup:
# execute backup config flash <comment>

Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and selecting Configuration > Revisions.

To view a list of revisions backed up to the disk from the CLI:
# execute revision list config
To restore a configuration from the CLI:
# execute restore config flash <revision ID>

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults:

# execute factoryreset

Reset the device to factory default configuration.

The firmware version and antivirus and IPS attack definitions are not changed.

# execute factoryreset2

Reset to factory default configuration without losing management access to the FortiGate.

Interface and VDOM configurations, as well as the firmware version and antivirus and IPS attack definitions, are not changed.

Secure file copy

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download a FortiGate configuration file and upload firmware file using secure file copy (SCP).

You enable SCP support using the following command:

config system global
    set admin-scp enable
end

For more information about this command and about SCP support, see config system global.
