Appendix C - Automatic backup to an FTP or TFTP server
You can schedule automatic FortiProxy backups to an FTP or TFTP server.
Manual backups to a remote FTP or TFTP using IPv4
To manually back up the full FortiProxy configuration to a remote FTP server:
execute backup full-config ftp <configuration_file_name> <FTP_server_IPv4_address> <user_name> <password>
To manually back up the full FortiProxy configuration to a remote TFTP server:
execute backup full-config tftp <configuration_file_name> <TFTP_server_IPv4_address> <password>
Specifying a password is optional for backing up to a TFTP server.
Manual backups to a remote FTP or TFTP using IPv6
IPv6 addresses are supported in the execute backup and execute restore commands to TFTP and FTP servers.
To back up a configuration file to an IPv6 TFTP server:
# execute backup config tftp fpx.conf 2000:172:16:200::55
To restore a configuration file from an IPv6 TFTP server:
# execute restore config tftp fpx.conf 2000:172:16:200::55
To back up a configuration file to an IPv6 FTP server:
# execute backup config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx
To restore a configuration file from an IPv6 FTP server:
# execute restore config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx
Scheduled automatic backups with an auto script
Use an auto script to schedule a FortiProxy backup and to define how many times to repeat the backup. The auto script overwrites the existing configuration file with the same name. Auto script does not support keeping all of the hourly configuration files. When you use the %%PASSWD%% variable in the script, the variable is replaced by the password setting and encrypted.
The following example shows how to automate the hourly backup of the FortiProxy configuration to an FTP server.
FTP server: 10.1.5.241
FTP user: ftp_user
FTP user password: ftppassword
Name of the configuration file: FPX1_autoScript.conf
config system auto-script
    edit "hourly_config_backup"
        set interval 3600
        set repeat 0
        set start auto
        set script "execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user %%PASSWD%%"
        set password ftppassword
    next
end
If the FTP auto script was executed successfully, the following is the result:
FPX1 $ execute auto-script status
========== #1, 2019-07-29 09:00:01 ==========
FPX1 $ execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
Connect to ftp server 10.1.5.241 ...
Please wait...
Send config file to ftp server OK.
========== #2, 2019-07-29 10:00:01 ==========
FPX1 $ execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
Connect to ftp server 10.1.5.241 ...
Please wait...
Send config file to ftp server OK.
The following example shows how to automate the hourly backup of the FortiProxy configuration to a TFTP server:
config system auto-script
    edit "hourly_config_backup"
        set interval 3600
        set repeat 0
        set start auto
        set script "execute backup full-config tftp FPX1_autoScript.conf 10.1.5.241"
    next
end
The following is the full syntax of the auto-script CLI commands:
config system auto-script
    edit <name>
        set name <string>
        set interval <integer>
        set repeat <integer>
        set start {manual | auto}
        set script <string>
        set password <string>
        set output-size <integer>
        set timeout <integer>
    next
end
name <string> | Auto script name. The size is 35 characters.
interval <integer> | Repeat interval, in seconds (0 - 31557600, default = 0).
repeat <integer> | Number of times to repeat this script (0 - 65535, 0 = infinite, default = 1).
start {manual | auto} | Script starting mode.
script <string> | List of FortiProxy CLI commands to repeat. The maximum size is 1023 characters.
password <string> | Script password to replace %%PASSWD%% tag in the script. Use cases include replacing a password tag for SFTP/FTP server password.
output-size <integer> | Number of megabytes to limit script output to (10 - 1024, default = 10).
timeout <integer> | Maximum running time for this script, in seconds (0 - 300, 0 = no timeout, default = 0).
Manual backups with SCP
You can use the secure copy protocol (SCP) to perform manual backups of the FortiProxy configuration.
- To enable SCP, run the following commands:
  config system global
      set admin-scp enable
  end
- Enable the SSH administrative access on the interface handling the SCP services.
- Use any Linux client to download the FortiProxy configuration file using the following command:
  $ scp admin@<FortiProxy_IP>:sys_config <location>
The following example is run using Lubuntu 19.04. This backup runs one time from the Linux client.
$ scp admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"
The example downloads the configuration file and saves it to the ~/config folder with a file name of FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf. Using $(date +%Y%m%d_%H%M%S) ensures that each configuration file has a unique file name, for example, FPX.autobackup.20190729_110001.conf.
Scheduled automatic backups with SCP
To perform an hourly automatic backup, you need to run the SCP command as a cron job.
For example, you can use a bash script to run hourly backups with all the configuration files saved in the ~/config folder.
NOTE: Remember to change the IP address to your own FortiProxy IP address before adding the following command to a cron job. If the ~/config folder does not already exist, you need to create it before running the cron job.
#!/bin/bash
# This command will pull a copy of the FortiProxy (10.1.5.252) configuration using SCP on port 10104
# and save the config to the ~/config folder with the file-naming convention of
# FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf
scp -P 10104 admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"
Save the bash script file to ~/auto_backup/hourly_backup.sh.
Add execution permission to the bash script file:
$ sudo chmod +x ~/auto_backup/hourly_backup.sh
Run the ls -l command on the Linux client:
lubuntu@lubuntu-pc:~/auto_backup$ ls -l
total 4
-rwxr-xr-x 1 lubuntu lubuntu 106 Jul 29 14:41 hourly_backup.sh
lubuntu@lubuntu-pc:~/auto_backup$
To add the bash script to the cron table file, use the following command:
$ sudo crontab -e
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task.
#
# To define the time, you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and time zones.
#
# Output of the cron table jobs (including errors) is sent through
# email to the user the cron tab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m. every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information, see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
@hourly ~/auto_backup/hourly_backup.sh <==== Add this to the file and save it.
You can change the @hourly to @monthly or @weekly or @daily.
To verify that the backups were run correctly, look at the contents of the ~/config folder:
lubuntu@lubuntu-pc:~/config$ ls -l
total 784
-rw------- 1 lubuntu lubuntu 197872 Jul 29 11:00 FPX.autobackup.20190729_110001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 12:00 FPX.autobackup.20190729_120001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 13:00 FPX.autobackup.20190729_130001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 14:00 FPX.autobackup.20190729_140001.conf
lubuntu@lubuntu-pc:~/config$
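The hourly SCP job above keeps every file forever and has no way to notice a failed or empty transfer. The following variant of hourly_backup.sh is an added example, not part of the original guide or Fortinet's own script: it creates owner-only files, refuses to prompt for a password under cron, discards empty downloads, and keeps only the newest backups. It assumes the cron user can authenticate non-interactively (for example with an SSH key); the SCP and KEEP settings and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not Fortinet's script: hardened variant of hourly_backup.sh.
# Assumed: the cron user logs in non-interactively (e.g. SSH key); SCP and KEEP
# are hypothetical settings introduced for this example.

SCP="${SCP:-scp}"    # copy command, overridable so the logic can be tested offline
KEEP="${KEEP:-48}"   # how many of the newest backups to retain (assumed value)

# fpx_prune <dest_dir> <keep>: delete all but the <keep> newest backups.
# Timestamped names sort chronologically, so a reverse name sort is newest first.
fpx_prune() {
    local dir="$1" keep="$2" f
    ls -1 "$dir" | grep '^FPX\.autobackup\.[0-9_]*\.conf$' | sort -r |
        tail -n "+$((keep + 1))" |
        while IFS= read -r f; do rm -f -- "$dir/$f"; done
}

# fpx_backup <host> <port> <dest_dir>
# Prints the path of the new backup; returns non-zero if nothing usable arrived.
fpx_backup() {
    local host="$1" port="$2" dir="$3" tmp final
    umask 077    # the configuration holds secrets: create owner-only files
    mkdir -p "$dir" || return 1
    final="$dir/FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"
    tmp="$final.part"
    # BatchMode makes scp fail instead of waiting for a password under cron.
    if ! "$SCP" -q -o BatchMode=yes -P "$port" "admin@$host:sys_config" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # An empty file means no configuration was delivered: do not keep it.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$final" || return 1
    fpx_prune "$dir" "$KEEP"
    printf '%s\n' "$final"
}

# Runs only when called with arguments, for example from cron:
#   @hourly ~/auto_backup/hourly_backup.sh 10.1.5.252 10104 "$HOME/config"
if [ "$#" -ge 3 ]; then
    fpx_backup "$1" "$2" "$3" >/dev/null || { echo "FortiProxy backup failed" >&2; exit 1; }
fi
```

Install the cron entry in the crontab of the user who owns ~/auto_backup and ~/config, because in root's crontab ~ resolves to root's home directory. A non-zero exit with the message on stderr is what cron mails to that user when a run fails.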