Backup
The FortiPAM configuration contains not only the system settings but also all user information and secret data, so a backup is essential to avoid data loss. After a hardware failure or a system relocation, a new FortiPAM can be set up by restoring the previous backup configuration. If data is deleted by accident, the original configuration can be recovered from the backup and the affected data restored. Because the backup file holds every secret FortiPAM manages, protect the file and the server that stores it as carefully as the appliance itself.
FortiPAM has two ways to back up its configuration:
- Manually trigger from the user menu. See Backup and restore in Admin.
- Configure automatic, periodic backup to an FTP, SFTP, HTTP, or HTTPS server in System > Backup, as discussed here.
System events, secret logs, and videos are not contained in the backup configuration file.
Whenever restoring a backup configuration, keep in mind that the secret password or key may not be the most recent one.
To ensure that all credentials in a configuration file are current, enable maintenance mode first so that no password changer runs, and then manually trigger the configuration backup. See Activate maintenance mode in Admin.
Generally speaking, the configuration should be backed up consistently and regularly to minimize the amount of data lost between backup copies. The less frequently the configuration is backed up, the more data is at risk when recovering from a backup.
To update automated backup settings:
- Go to System > Backup.
The Edit Automated backup window opens.
- Enter the following information:
Status
Enable or disable automatic backup.
Note: The option is enabled by default.
Backup Type
Select from the following two options:
Time based trigger: FortiPAM sends the backup configuration to the server every Interval minutes.
Change based trigger: FortiPAM checks the configuration every Interval minutes and if the configuration has changed, FortiPAM sends it to the server (default).
Interval
The interval between backups (or between change checks), in minutes (default = 60, 60 - 4294967295).
Server Type
Select from the following server types:
FTP server (default)
SFTP server
HTTP server
HTTPS server
To successfully configure an HTTP/HTTPS server to backup with user authentication, ensure that you have filled in the username and password fields. The backup process will not function correctly if you leave either field empty. Alternatively, you can leave both fields empty if you want to avoid user authentication.
Encrypt File
Enable and enter cipher key to encrypt the backup file.
The administrator must enter the same cipher key when restoring the configuration to FortiPAM.
Note: The option is disabled by default.
Server Address
The IP address of the server.
Server Path
The path to store the backup file in the server.
Port
The port of the file server.
Default values:
21 (FTP server) (default)
22 (SFTP server)
80 (HTTP server)
443 (HTTPS server)
When upgrading, the port number is set according to the server type (ftp = 21, sftp = 22, http = 80, and https = 443).
Identifier Name
The form field name the server uses to identify the uploaded file.
Note: Only required for HTTP/HTTPS server type.
Server Certificate Check
Enable/disable server identity check. This verifies the server domain name/IP address against the server certificate.
Note: The option is disabled by default.
Note: The option is only available for HTTPS server.
Server CA Certificate
From the dropdown, select a server CA certificate for server certificate check.
Note: The option is only available when Server Certificate Check is enabled.
Username
Username to log in to the server.
Password
Password to log in to the server.
Filename
Filename pattern of the backup configuration.
Valid variables are: $SN $YYYY $MM $DD $hh $mm $ss $ID.
Note: The $ID variable is mandatory in the filename pattern. Enter $ to get the list of variables.
Limit ID
Enable to limit the value of $ID in the file name.
The option allows administrators to set a maximum number of backup files (default = 1, 1 - 4294967295) to be stored on a backup server using specific filename patterns.
For example, if the backup filename follows the format PAM-$SN-$ID.conf, where $ID represents the backup ID, when $ID reaches the maximum limit, it is reset to 0. The new backup file overwrites the old backup file using the same name.
Last backup version
The last backup version (noneditable).
Last updated time
The date and time when automatic backup was last done (noneditable).
- Click Apply.
- Click Test Connectivity to test the connection to the backup server.
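The following Python script, added here as an illustration and not part of FortiPAM, expands a filename pattern and simulates how $ID rolls over under Limit ID. The rollover rule it implements ($ID starts at 0, steps by 1 per run and returns to 0 once it would reach the limit, with 0 meaning no limit) is one reading of the description above, not a documented algorithm, and the serial number, start time and interval are constructed values. The point it makes is that with the default limit of 1 and a pattern without timestamp variables every run overwrites the same file, so a corrupt or tampered backup leaves nothing to fall back on, whereas a timestamped pattern never collides and therefore needs pruning on the server side.

```python
import re
from datetime import datetime, timedelta

# The variables the page lists for filename-pattern; $ID is mandatory.
VAR_RE = re.compile(r"\$(SN|YYYY|MM|DD|hh|mm|ss|ID)")


def expand_pattern(pattern: str, serial: str, when: datetime, backup_id: int) -> str:
    """Expand a FortiPAM filename-pattern into the concrete file name for one run."""
    if "$ID" not in pattern:
        raise ValueError("filename-pattern must contain $ID")
    values = {
        "SN": serial,
        "YYYY": f"{when.year:04d}", "MM": f"{when.month:02d}", "DD": f"{when.day:02d}",
        "hh": f"{when.hour:02d}", "mm": f"{when.minute:02d}", "ss": f"{when.second:02d}",
        "ID": str(backup_id),
    }
    return VAR_RE.sub(lambda m: values[m.group(1)], pattern)


def next_backup_id(current: int, max_id: int) -> int:
    """Assumed counter behaviour (a reading of the page, not documented exactly):
    $ID starts at 0, increases by 1 per backup and is reset to 0 once it would
    reach max-id, so max-id distinct values are used; max-id 0 means no limit."""
    nxt = current + 1
    if max_id and nxt >= max_id:
        return 0
    return nxt


def simulate_backups(pattern, serial, start, interval_min, runs, max_id):
    """Run `runs` backups and return (names written in order, distinct names on server)."""
    written, backup_id = [], 0
    for i in range(runs):
        when = start + timedelta(minutes=interval_min * i)
        written.append(expand_pattern(pattern, serial, when, backup_id))
        backup_id = next_backup_id(backup_id, max_id)
    return written, sorted(set(written))


def demo_run(pattern: str, max_id: int, runs: int = 5):
    """Constructed sample: serial FPAMTEST0001, hourly runs from 2024-01-01 00:00:00."""
    return simulate_backups(pattern, "FPAMTEST0001", datetime(2024, 1, 1), 60, runs, max_id)


if __name__ == "__main__":
    for pattern, max_id in (("PAM-$SN-$ID.conf", 1), ("PAM-$SN-$ID.conf", 3),
                            ("PAM-$SN-$ID.conf", 0),
                            ("$SN-$YYYY-$MM-$DD-$hh-$mm-$ss-$ID.conf", 1)):
        written, kept = demo_run(pattern, max_id)
        print(f"{pattern!r} max-id={max_id}: wrote {len(written)} backup(s), "
              f"{len(kept)} file(s) remain on the server")
```

With PAM-$SN-$ID.conf and the default limit of 1, five runs leave a single file; with a limit of 3 the third old file is overwritten on the fourth run; with the timestamped pattern every run adds a new file regardless of the limit.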
Configuring automated backup settings on the CLI
config system backup
set status {enable | disable}
set cipher <passwd>
set type {time-based | change-based}
set server-type {ftp | sftp | http | https}
set server-address <string>
set server-path <path>
set port <integer>
set file-field-name <string>
set server-user <string>
set server-pass <passwd>
set filename-pattern {$SN $YYYY $MM $DD $hh $mm $ss $ID}
set ca-cert <string>
set server-identity-check {enable | disable}
set interval <integer>
set max-id <integer>
set backup-id <integer>
set last-version <integer>
set updated-time <integer>
end
Variables | Description
---|---
status {enable \| disable} | Enable/disable automatic backup (default = enable).
cipher <passwd> | Enter the cipher key used to encrypt the backup file. The same key must be entered when the backup is restored.
type {time-based \| change-based} | Set the backup type: time-based sends the backup to the server every interval; change-based checks the configuration every interval and sends it only if it has changed (default = change-based).
server-type {ftp \| sftp \| http \| https} | Set the server type (default = ftp).
server-address <string> | Enter the address of the file server.
server-path <path> | Enter the path on the file server where the backup file is stored.
port <integer> | Enter the port number of the file server (default = 21, 1 - 65535).
file-field-name <string> | Enter the form field name the HTTP/HTTPS server uses to identify the uploaded file (Identifier Name in the GUI).
server-user <string> | Enter the username of the server account.
server-pass <passwd> | Enter the password of the server account.
filename-pattern {$SN $YYYY $MM $DD $hh $mm $ss $ID} | Enter the file name pattern of the backup configuration. Note: The $ID variable is mandatory.
ca-cert <string> | Enter the name of the CA certificate used for the server identity check.
server-identity-check {enable \| disable} | Enable/disable server identity check (verify server domain name/IP address against the server certificate) (default = disable).
interval <integer> | Enter an interval for the backup, in minutes (60 - 4294967295, default = 60).
max-id <integer> | Enter the maximum value of $ID in the file name (1 - 4294967295). Note: Use 0 to set no limit.
backup-id <integer> | The current backup ID number. Note: The variable cannot be modified.
last-version <integer> | The last backup version. Note: The variable cannot be modified.
updated-time <integer> | The time when the last update was done. Note: The variable cannot be modified.
Example CLI configuration
Backup to SFTP/FTP server
config system backup
set status enable
set server-type sftp
set server-address "10.59.112.254"
set server-path "backup/"
set port 22
set server-user "sftp_user"
set server-pass <sftp_user_password>
set filename-pattern "$SN-$YYYY-$MM-$DD-$hh-$mm-$ss-$ID.conf"
end
Backup to HTTPS/HTTP server
config system backup
set status enable
set server-type https
set server-address "10.59.112.254"
set server-path "/http_user/upload.php"
set port 443
set file-field-name "file"
set server-user "http_user"
set server-pass <http_user_password>
set filename-pattern "$SN-$ID.conf"
set ca-cert "ACCVRAIZ1"
set server-identity-check enable
end
If user authentication is not required for HTTP and HTTPS servers, the server-user and server-pass variables are not required.
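As an added check (example code, not FortiPAM's own), the Python script below parses a config system backup block in the form printed on this page and flags the settings that weaken the backup: cleartext FTP or HTTP transport, no Encrypt File cipher, HTTPS without server identity check or without a CA certificate, half-configured HTTP credentials, a pattern without $ID, and a pattern that reduces to a single rolling file. The two configurations embedded in it are constructed for the example; the address and path echo the ones above, while the cipher key, CA certificate name and passwords are placeholders.

```python
import shlex

# Pattern variables that change between runs (the page's list minus $SN and $ID).
TIMESTAMP_VARS = ("$YYYY", "$MM", "$DD", "$hh", "$mm", "$ss")


def parse_system_backup(text: str) -> dict:
    """Collect the `set <key> <value...>` lines of a `config system backup` block."""
    cfg, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system backup":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            tok = shlex.split(line)  # handles the quoted values FortiPAM prints
            cfg[tok[1]] = " ".join(tok[2:])
    return cfg


def audit_system_backup(cfg: dict) -> list:
    """Return (code, message) findings; the defaults applied are the ones the page states."""
    findings = []
    stype = cfg.get("server-type", "ftp")
    pattern = cfg.get("filename-pattern", "")
    if cfg.get("status", "enable") == "disable":
        findings.append(("DISABLED", "automated backup is switched off"))
    if stype in ("ftp", "http"):
        findings.append(("CLEARTEXT_TRANSPORT",
                         f"{stype} sends the configuration, secrets included, unencrypted in transit"))
    if not cfg.get("cipher"):
        findings.append(("NO_FILE_CIPHER",
                         "Encrypt File is off: the backup file sits on the server in the clear"))
    if stype == "https":
        if cfg.get("server-identity-check", "disable") != "enable":
            findings.append(("NO_IDENTITY_CHECK",
                             "server certificate is not verified; a spoofed server could receive the backup"))
        elif not cfg.get("ca-cert"):
            findings.append(("NO_CA_CERT", "identity check enabled but no CA certificate selected"))
    if stype in ("http", "https") and bool(cfg.get("server-user")) != bool(cfg.get("server-pass")):
        findings.append(("HTTP_AUTH_INCOMPLETE",
                         "HTTP/HTTPS backup needs both username and password, or neither"))
    if "$ID" not in pattern:
        findings.append(("MISSING_ID_VAR", "filename-pattern must contain $ID"))
    max_id = int(cfg.get("max-id", "1"))  # GUI default for the limit is 1; 0 = no limit
    if max_id == 1 and not any(v in pattern for v in TIMESTAMP_VARS):
        findings.append(("SINGLE_ROLLING_FILE",
                         "every run overwrites the same file; a bad backup leaves nothing to fall back on"))
    return findings


def finding_codes(text: str) -> list:
    return [code for code, _ in audit_system_backup(parse_system_backup(text))]


# Constructed sample configurations (not from the page): a weak one and a hardened one.
WEAK_CONFIG = """\
config system backup
    set status enable
    set type change-based
    set server-type ftp
    set server-address "10.59.112.254"
    set server-path "backup/"
    set port 21
    set server-user "ftp_user"
    set server-pass "<ftp_user_password>"
    set filename-pattern "$SN-$ID.conf"
    set interval 60
end
"""

HARDENED_CONFIG = """\
config system backup
    set status enable
    set cipher "<long-random-cipher-key>"
    set type change-based
    set server-type https
    set server-address "10.59.112.254"
    set server-path "/http_user/upload.php"
    set port 443
    set file-field-name "file"
    set server-user "http_user"
    set server-pass "<http_user_password>"
    set filename-pattern "$SN-$YYYY-$MM-$DD-$hh-$mm-$ss-$ID.conf"
    set ca-cert "Internal-Root-CA"
    set server-identity-check enable
    set interval 60
end
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_system_backup(parse_system_backup(text)) or "no findings")
```

Paste the output of show system backup from the appliance into the parser to audit a live configuration; the weak sample above yields three findings and the hardened sample none.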
Following is an example of a PHP file to accept the submitted backup file. The client-supplied file name is reduced to its base name before use so that a crafted name cannot write outside the backup directory, and only files PHP actually received as uploads are moved. Note that the backup/ directory in this layout sits under the web root; make sure the web server does not serve it, since the uploaded file contains every secret FortiPAM manages.
fwd-svr@fwdsvr-virtual-machine:/var/www/html/http_user$ cat upload.php
<?php
// FortiPAM posts the backup as multipart form data; 'file' must match
// the Identifier Name (file-field-name) configured on the appliance.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit("No file received");
}
// Never trust the client file name as a path: strip any directory part.
$name = basename($_FILES['file']['name']);
$temp = $_FILES['file']['tmp_name'];
if (is_uploaded_file($temp) && move_uploaded_file($temp, "backup/" . $name)) {
    echo "Your file was uploaded";
} else {
    http_response_code(500);
    echo "Your file couldn't upload";
}
?>