
Administration Guide

Configuration backups and reset

You can use the GUI or CLI to back up the configuration in FortiProxy or YAML format. You have the option to save the configuration file in FortiProxy format to various locations including the local PC, USB key, FTP, and TFTP server. FTP and TFTP are only configurable through the CLI. In YAML format, configuration files can be backed up or restored on an FTP or TFTP server through the CLI.

This topic includes the following information:

Backing up and restoring configurations from the GUI

Configurations can be backed up using the GUI to your PC or a USB disk.

Field

Description

Scope

When the FortiProxy is in multi-vdom mode and a user is logged in as a global administrator.

Backup to

You can choose where to save the configuration backup file.

  • Local PC: Save the configuration file to your PC.

  • USB Disk: Save the configuration file to an external USB disk. This option is not available if there is no USB drive inserted in the USB port.

You can also back up to FortiManager using the CLI.

File format

The configuration file can be saved in FortiProxy or YAML format.

Password mask

Use password masking when sending a configuration file to a third party, such as Fortinet Inc. Support. When password masking is enabled, passwords and secrets will be replaced in the configuration file with FortinetPasswordMask to avoid information being unintentionally leaked.

Encryption

Enable Encryption to encrypt the configuration file. A configuration file cannot be restored on the FortiProxy without a set password. Encryption must be enabled on the backup file to back up VPN certificates.

Encryption is performed using the AES-GCM algorithm.

To mask passwords in the GUI:
  1. Click on the username in the upper right-hand corner of the screen and select Configuration > Backup.

  2. Select YAML as the File format.

  3. Enable Password mask. A warning message is displayed.

  4. Click OK. The configuration file is saved to your computer with passwords and secrets obfuscated.

The following is an example of output with password masking enabled:

config system admin   
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set wizard-type static-fortiproxy
        set remote-gw 172.16.200.55
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
        set schedule "always"
    next
end

Restoring configuration files from the GUI

Configuration files can be used to restore the FortiProxy to a previous configuration in the Restore System Configuration page.

To restore the FortiProxy configuration using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.

    The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Click Upload, locate the configuration file, and click Open.
  4. Enter the password if required.
  5. Click OK.

When restoring a configuration file that has password masking enabled, obfuscated passwords and secrets will be restored with the password mask.

Note

Restoring the FortiProxy with a configuration with passwords obfuscated is not recommended.
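
The following is an added example, not Fortinet code: a Python check that walks a FortiProxy-format backup and reports which secret-bearing settings carry the mask, so a file can be verified before it is sent to a third party or before it is restored. The key list (password, psksecret, passphrase) comes from the masked sample above and is assumed to be incomplete; the function names and both sample strings are constructed for illustration.

```python
import shlex

MASK = "FortinetPasswordMask"  # literal written by password masking (from the page)
# Keys seen in the page's masked sample; assumed NOT exhaustive, extend as needed.
SECRET_KEYS = {"password", "psksecret", "passphrase"}

# Constructed sample, trimmed from the masked output shown on the page.
MASKED_SAMPLE = '''\
config system admin
    edit "1"
        set accprofile "prof_admin"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
    next
end
'''

# Constructed sample: the same file with one secret left unmasked (placeholder value).
LEAKY_SAMPLE = MASKED_SAMPLE.replace(
    "set psksecret " + MASK, "set psksecret CONSTRUCTED-PLACEHOLDER-VALUE")


def audit_config(text):
    """Walk config/edit/set/next/end blocks and classify secret-bearing settings.

    Returns {"masked": [...], "unmasked": [...]}; each item is (line_no, path, key).
    """
    result = {"masked": [], "unmasked": []}
    stack = []  # open "config ..." / "edit ..." blocks, outermost first
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote inside a value: fall back to a plain split
            tokens = line.split()
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd in ("config", "edit"):
            stack.append(" ".join(tokens))
        elif cmd == "next":
            if stack and stack[-1].startswith("edit "):
                stack.pop()
        elif cmd == "end":
            # Close any edit left open, then the enclosing config block.
            while stack and stack.pop().startswith("edit "):
                pass
        elif cmd == "set" and len(tokens) >= 2 and tokens[1] in SECRET_KEYS:
            value = " ".join(tokens[2:])
            bucket = "masked" if value == MASK else "unmasked"
            result[bucket].append((line_no, " / ".join(stack), tokens[1]))
    return result


def safe_to_share(text):
    """True when every recognised secret is masked (file is fit to send out)."""
    return not audit_config(text)["unmasked"]


def safe_to_restore(text):
    """True when no mask literal is present; masked values are restored as the mask."""
    return not audit_config(text)["masked"]


if __name__ == "__main__":
    for name, sample in (("masked", MASKED_SAMPLE), ("leaky", LEAKY_SAMPLE)):
        report = audit_config(sample)
        print(name, "share:", safe_to_share(sample), "restore:", safe_to_restore(sample))
        for line_no, path, key in report["unmasked"]:
            print(f"  line {line_no}: unmasked '{key}' in {path}")
```

The check covers FortiProxy-format files only; a YAML backup needs a YAML parser with the same key list.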

To restore an obfuscated YAML configuration using the GUI:
  1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.

  2. Click Upload. The File Explorer is displayed.

  3. Navigate to the configuration file and click Open.

  4. (Optional) Enter the file password in the Password field.

  5. Click OK. The Confirm pane is displayed with a warning.

  6. Toggle the acknowledgment.

  7. Click OK.

Backing up and restoring configurations from the CLI

Configuration backups in the CLI are performed using the execute backup commands, and the configuration can be backed up in FortiProxy or YAML format.

Configuration files can be backed up to various locations depending on the command:

  • flash: Back up the configuration file to the flash drive.
  • ftp: Back up the configuration file to an FTP server.

  • management-station: Back up the configuration file to a management station, such as FortiManager or FortiGate Cloud.

  • sftp: Back up the configuration file to an SFTP server.

  • tftp: Back up the configuration file to a TFTP server.

  • usb: Back up the configuration file to an external USB drive.

  • usb-mode: Back up the configuration file for USB mode.

Command

Description

# execute backup config

Back up the configuration in FortiProxy format.

Back up your configuration file to:

  • flash

  • ftp

  • management-station

  • sftp

  • tftp

  • usb

  • usb-mode

# execute backup full-config

Back up the configuration, including default configuration settings.

Back up your configuration file to:

  • ftp

  • sftp

  • tftp

  • usb

  • usb-mode

# execute backup yaml-config

Back up the configuration in YAML format.

Back up your configuration file to:

  • ftp

  • tftp

# execute backup obfuscated-config

Back up the configuration with passwords and secrets obfuscated.

Back up your configuration file to:

  • ftp

  • management-station

  • sftp

  • tftp

  • usb

# execute backup obfuscated-full-config

Back up the configuration (including default configuration settings) with passwords and secrets obfuscated.

Back up your configuration file to:

  • ftp

  • sftp

  • tftp

  • usb

# execute backup obfuscated-yaml-config

Back up the configuration in YAML format with passwords and secrets obfuscated.

Back up your configuration file to:

  • ftp

  • tftp

To back up the configuration in FortiProxy format using the CLI:

For FTP, note that the port number and username are optional depending on the FTP site:

# execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

# execute backup config tftp <backup_filename> <tftp_servers> [<backup_password>]

or for SFTP:

# execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]

or:

# execute backup config management-station <comment>

or:

# execute backup config usb <backup_filename> [<backup_password>]

Use the same commands to back up a VDOM configuration by first entering the commands:

config vdom
    edit <vdom_name>

See Backing up and restoring configurations in multi VDOM mode for more information.

When backing up a configuration in YAML format, if it is not already specified in the file name, .yaml will be appended to the end. For example, if the file name entered is 301E.conf, the name will become 301E.conf.yaml after the configuration is backed up.

To back up the configuration in YAML format using the CLI:

# execute backup yaml-config {ftp | tftp} <filename> <server> [username] [password]

For example:

# execute backup yaml-config  tftp  301E.conf 172.16.200.55
    Please wait...
    The suffix '.yaml' will be appended to the filename if user does not add it specifically.
    Connect to tftp server 172.16.200.55 ...
    #
    Send config file to tftp server OK.

Configuration files can be backed up with passwords and secrets obfuscated so that information is not unintentionally leaked when sharing configuration files with third parties.

To mask passwords in a configuration backup in the CLI:

# execute backup obfuscated-config {ftp | management-station | sftp | tftp | usb}

To mask passwords in the full configuration backup in the CLI:

# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}

To mask passwords in a configuration backup with YAML formatting in the CLI:

# execute backup obfuscated-yaml-config {ftp | tftp}

Note

If a configuration is being backed up on a server, server information must be included with the command. Other information that may be required with an execute backup command includes file names, passwords, and comments.

Restoring configuration files from the CLI

Configuration files can be used to restore the FortiProxy using the CLI.

Command

Description

# execute restore config

Restore a configuration that is in FortiProxy or YAML format. The file format is automatically detected when it is being restored.

Configurations can be loaded from:

  • flash: Load the configuration file from flash to firewall.
  • ftp: Load the configuration file from an FTP server.

  • management-station: Load the configuration from a management station.

  • tftp: Load the configuration from a TFTP server.

  • usb: Load the configuration file from an external USB disk to firewall.

  • usb-mode: Load the configuration file from an external USB disk and reboot.

To restore the FortiProxy configuration using the CLI:

For FTP, note that the port number and username are optional depending on the FTP site:

# execute restore config ftp <backup_filename> <ftp_server>[<:port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:

# execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]

For restoring the configuration from FortiManager or FortiGate Cloud:

# execute restore config management-station normal <revision ID>

or:

# execute restore config usb <backup_filename> [<backup_password>]

The FortiProxy will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message

Reason and Solution

Configuration file error

This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiProxy device and the correct version of the firmware.

Invalid password

When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have 512 MB of flash memory or more. Revision control requires either a configured central management server or the local hard drive, if your FortiProxy has this feature. Typically, configuration backup to the local drive is not available on lower-end models.

Central management server

The central management server can either be a FortiManager unit or FortiGate Cloud.

If central management is not configured on your FortiProxy, a message appears instructing you to either enable central management, or obtain a valid license.

To enable central management from the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Central Management card.

  2. Set the Status to Enabled and select a Type.

  3. Click OK.

To enable central management from the CLI:

config system central-management
    set type {fortimanager | fortiguard}
    set mode backup
    set fmg <IP address>
end

To back up to the management server:

# execute backup config management-station <comment>

To view a backed up revision:

# execute restore config management-station normal 0

To restore a backed up revision:

# execute restore config management-station normal <revision ID>

Backing up to a local disk

When revision control is enabled on your FortiProxy unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration backup occurs by default with firmware upgrades but can also be configured to occur every time you log out.

To configure configuration backup when logging out:

config system global
    set revision-backup-on-logout enable
end

To manually force backup:

# execute backup config flash <comment>

Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and selecting Configuration > Revisions.

To view a list of revisions backed up to the disk from the CLI:

# execute revision list config

To restore a configuration from the CLI:

# execute restore config flash <revision ID>

Restore factory defaults

There may be a need to reset the FortiProxy to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults:

# execute factoryreset

Reset the device to factory default configuration.

The firmware version and antivirus and IPS attack definitions are not changed.

# execute factoryreset2

Reset to factory default configuration without losing management access to the FortiProxy.

Interface and VDOM configurations, as well as the firmware version and antivirus and IPS attack definitions, are not changed.

Secure file copy

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download a FortiGate configuration file and upload firmware file using secure file copy (SCP).

You enable SCP support using the following command:

config system global
    set admin-scp enable
end

For more information about this command and about SCP support, see config system global.
