Fortinet white logo
Fortinet white logo

Administration Guide

Automatic backup to an FTP or TFTP server

Appendix C - Automatic backup to an FTP or TFTP server

You can schedule automatic FortiProxy backups to an FTP or TFTP server.

Manual backups to a remote FTP or TFTP using IPv4

To manually back up the full FortiProxy configuration to a remote FTP server:
execute backup full-config ftp <configuration_file_name> <FTP_server_IPv4_address> <user_name> <password>
To manually back up the full FortiProxy configuration to a remote TFTP server:
execute backup full-config tftp <configuration_file_name> <TFTP_server_IPv4_address> <password>

Specifying a password is optional for backing up to a TFTP server.

Manual backups to a remote FTP or TFTP using IPv6

IPv6 addresses are supported in the execute backup and execute restore commands to TFTP and FTP servers.

To back up a configuration file to an IPv6 TFTP server:
# execute backup config tftp fpx.conf 2000:172:16:200::55
To restore a configuration file from an IPv6 TFTP server:
# execute restore config tftp fpx.conf 2000:172:16:200::55
To back up a configuration file to an IPv6 FTP server:
# execute backup config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx
To restore a configuration file from an IPv6 FTP server:
# execute restore config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx

Scheduled automatic backups with an auto script

Use an auto script to schedule a FortiProxy backup and to define how many times to repeat the backup. The auto script overrides the existing configuration file with the same name. Auto script does not support keeping all of the hourly configuration files. When using the %%PASSWD%% variable in the script, the variable is replaced by the password setting and encrypted.

The following example shows how to automate the hourly backup of the FortiProxy configuration to an FTP server.

FTP server: 10.1.5.241

FTP user: ftp_user

FTP user password: ftppassword

Name of the configuration file: FPX1_autoScript.conf

config system auto-script
    edit "hourly_config_backup"
        set interval 3600
        set repeat 0
        set start auto
        set script "execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user %%PASSWD%%"
        set password ftppassword
    next
end

If the FTP auto script was executed successfully, the following is the result:

FPX1 $  execute auto-script status
========== #1, 2019-07-29 09:00:01 ==========
FPX1 $  execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
 
Connect to ftp server 10.1.5.241 ...
Please wait...
Send config file to ftp server OK.
 
========== #2, 2019-07-29 10:00:01 ==========
FPX1 $  execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
 
Connect to ftp server 10.1.5.241 ...
Please wait...
Send config file to ftp server OK.

The following example shows to automate the hourly backup of the FortiProxy configuration to a TFTP server:

config system auto-script
    edit "hourly_config_backup"
        set interval 3600
        set repeat 0
        set start auto
        set script "execute backup full-config tftp FPX1_autoScript.conf 10.1.5.241"
    next
end

The following is the full syntax of the auto-script CLI commands:

config system auto-script
    edit <name>
        set name <string>
        set interval <integer>
        set repeat <integer>
        set start {manual | auto}
        set script <string>
        set password <string>
        set output-size <integer>
        set timeout <integer>
    next
end

name <string>

Auto script name. The size is 35 characters.

interval <integer>

Repeat interval, in seconds (0 - 31557600, default = 0).

repeat <integer>

Number of times to repeat this script (0 - 65535, 0 = infinite, default = 1).

start {manual | auto}

Script starting mode.

  • manual: Starting manually (default).

  • auto: Starting automatically.

script <string>

List of FortiProxy CLI commands to repeat. The maximum size is 1023 characters.

password <string>

Script password to replace %%PASSWD%% tag in the script. Use cases include replacing a password tag for SFTP/FTP server password.

output-size <integer>

Number of megabytes to limit script output to (10 - 1024, default = 10).

timeout <integer>

Maximum running time for this script, in seconds (0 - 300, 0 = no timeout, default = 0).

Manual backups with SCP

You can use the secure copy protocol (SCP) to perform manual backups of the FortiProxy configuration.

  1. To enable SCP, run the following commands:

    config system global
        set admin-scp enable
    end
  2. Enable the SSH administrative access on the interface handling the SCP services.

  3. Use any Linux client to download the FortiProxy configuration file using the following command:

    $ scp admin@<FortiProxy_IP>:sys_config <location>

The following example is run using Lubuntu 19.04. This backup runs one time from the Linux client.

$ scp admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"

The example downloads the configuration file and saves it to the ~/config folder with a file name of FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf.

Using $(date +%Y%m%d_%H%M%S) ensures that each configuration file has a unique file name, for example, FPX.autobackup.20190729_110001.conf.

Scheduled automatic backups with SCP

To perform an hourly automatic backup, you need to run the SCP command as a cron job.

For example, you can use a bash script to run hourly backups with all the configuration files saved in the ~/config folder.

NOTE: Remember to change the IP address to your own FortiProxy IP address before adding the following command to a cron job. If the ~/config folder does not already exist, you need to create it before running the cron job.

#!bin/bash

# This command will pull a copy of the FortiProxy (10.1.5.252) using SCP on port 10104

# and save the config to the ~/config folder with the file-naming convention of

# FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf

scp -P 10104 admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"

Save the bash script file to ~/auto_backup/hourly_backup.sh.

Add execution permission to the bash script file:

$ sudo chmod +x ~/auto_backup/hourly_backup.sh

Run the ls -l command on the Linux client:

lubuntu@lubuntu-pc:~/auto_backup$ ls -l
total 4
-rwxr-xr-x 1 lubuntu lubuntu 106 Jul 29 14:41 hourly_backup.sh
lubuntu@lubuntu-pc:~/auto_backup$

To add the bash script to the cron table file, use the following command:

$ sudo crontab -e
 
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task.
#
# To define the time, you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and time zones.
#
# Output of the cron table jobs (including errors) is sent through
# email to the user the cron tab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m. every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information, see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
@hourly ~/auto_backup/hourly_backup.sh <==== Add this to the file and save it.

You can change the @hourly to @monthly or @weekly or @daily.

To verify that the backups were run correctly, look at the contents of the ~/config folder:

lubuntu@lubuntu-pc:~/config$ ls -l
total 784
-rw------- 1 lubuntu lubuntu 197872 Jul 29 11:00 FPX.autobackup.20190729_110001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 12:00 FPX.autobackup.20190729_120001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 13:00 FPX.autobackup.20190729_130001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 14:00 FPX.autobackup.20190729_140001.conf
lubuntu@lubuntu-pc:~/config$

Automatic backup to an FTP or TFTP server

Appendix C - Automatic backup to an FTP or TFTP server

You can schedule automatic FortiProxy backups to an FTP or TFTP server.

Manual backups to a remote FTP or TFTP using IPv4

To manually back up the full FortiProxy configuration to a remote FTP server:
execute backup full-config ftp <configuration_file_name> <FTP_server_IPv4_address> <user_name> <password>
To manually back up the full FortiProxy configuration to a remote TFTP server:
execute backup full-config tftp <configuration_file_name> <TFTP_server_IPv4_address> <password>

Specifying a password is optional for backing up to a TFTP server.

Manual backups to a remote FTP or TFTP using IPv6

IPv6 addresses are supported in the execute backup and execute restore commands to TFTP and FTP servers.

To back up a configuration file to an IPv6 TFTP server:
# execute backup config tftp fpx.conf 2000:172:16:200::55
To restore a configuration file from an IPv6 TFTP server:
# execute restore config tftp fpx.conf 2000:172:16:200::55
To back up a configuration file to an IPv6 FTP server:
# execute backup config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx
To restore a configuration file from an IPv6 FTP server:
# execute restore config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx

Scheduled automatic backups with an auto script

Use an auto script to schedule a FortiProxy backup and to define how many times to repeat the backup. The auto script overrides the existing configuration file with the same name. Auto script does not support keeping all of the hourly configuration files. When using the %%PASSWD%% variable in the script, the variable is replaced by the password setting and encrypted.

The following example shows how to automate the hourly backup of the FortiProxy configuration to an FTP server.

FTP server: 10.1.5.241

FTP user: ftp_user

FTP user password: ftppassword

Name of the configuration file: FPX1_autoScript.conf

config system auto-script
    edit "hourly_config_backup"
        set interval 3600
        set repeat 0
        set start auto
        set script "execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user %%PASSWD%%"
        set password ftppassword
    next
end

If the FTP auto script was executed successfully, the following is the result:

FPX1 $  execute auto-script status
========== #1, 2019-07-29 09:00:01 ==========
FPX1 $  execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
 
Connect to ftp server 10.1.5.241 ...
Please wait...
Send config file to ftp server OK.
 
========== #2, 2019-07-29 10:00:01 ==========
FPX1 $  execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
 
Connect to ftp server 10.1.5.241 ...
Please wait...
Send config file to ftp server OK.

The following example shows to automate the hourly backup of the FortiProxy configuration to a TFTP server:

config system auto-script
    edit "hourly_config_backup"
        set interval 3600
        set repeat 0
        set start auto
        set script "execute backup full-config tftp FPX1_autoScript.conf 10.1.5.241"
    next
end

The following is the full syntax of the auto-script CLI commands:

config system auto-script
    edit <name>
        set name <string>
        set interval <integer>
        set repeat <integer>
        set start {manual | auto}
        set script <string>
        set password <string>
        set output-size <integer>
        set timeout <integer>
    next
end

name <string>

Auto script name. The size is 35 characters.

interval <integer>

Repeat interval, in seconds (0 - 31557600, default = 0).

repeat <integer>

Number of times to repeat this script (0 - 65535, 0 = infinite, default = 1).

start {manual | auto}

Script starting mode.

  • manual: Starting manually (default).

  • auto: Starting automatically.

script <string>

List of FortiProxy CLI commands to repeat. The maximum size is 1023 characters.

password <string>

Script password to replace %%PASSWD%% tag in the script. Use cases include replacing a password tag for SFTP/FTP server password.

output-size <integer>

Number of megabytes to limit script output to (10 - 1024, default = 10).

timeout <integer>

Maximum running time for this script, in seconds (0 - 300, 0 = no timeout, default = 0).

Manual backups with SCP

You can use the secure copy protocol (SCP) to perform manual backups of the FortiProxy configuration.

  1. To enable SCP, run the following commands:

    config system global
        set admin-scp enable
    end
  2. Enable the SSH administrative access on the interface handling the SCP services.

  3. Use any Linux client to download the FortiProxy configuration file using the following command:

    $ scp admin@<FortiProxy_IP>:sys_config <location>

The following example is run using Lubuntu 19.04. This backup runs one time from the Linux client.

$ scp admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"

The example downloads the configuration file and saves it to the ~/config folder with a file name of FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf.

Using $(date +%Y%m%d_%H%M%S) ensures that each configuration file has a unique file name, for example, FPX.autobackup.20190729_110001.conf.

Scheduled automatic backups with SCP

To perform an hourly automatic backup, you need to run the SCP command as a cron job.

For example, you can use a bash script to run hourly backups with all the configuration files saved in the ~/config folder.

NOTE: Remember to change the IP address to your own FortiProxy IP address before adding the following command to a cron job. If the ~/config folder does not already exist, you need to create it before running the cron job.

#!bin/bash

# This command will pull a copy of the FortiProxy (10.1.5.252) using SCP on port 10104

# and save the config to the ~/config folder with the file-naming convention of

# FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf

scp -P 10104 admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"

Save the bash script file to ~/auto_backup/hourly_backup.sh.

Add execution permission to the bash script file:

$ sudo chmod +x ~/auto_backup/hourly_backup.sh

Run the ls -l command on the Linux client:

lubuntu@lubuntu-pc:~/auto_backup$ ls -l
total 4
-rwxr-xr-x 1 lubuntu lubuntu 106 Jul 29 14:41 hourly_backup.sh
lubuntu@lubuntu-pc:~/auto_backup$

To add the bash script to the cron table file, use the following command:

$ sudo crontab -e
 
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task.
#
# To define the time, you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and time zones.
#
# Output of the cron table jobs (including errors) is sent through
# email to the user the cron tab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m. every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information, see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
@hourly ~/auto_backup/hourly_backup.sh <==== Add this to the file and save it.

You can change the @hourly to @monthly or @weekly or @daily.

To verify that the backups were run correctly, look at the contents of the ~/config folder:

lubuntu@lubuntu-pc:~/config$ ls -l
total 784
-rw------- 1 lubuntu lubuntu 197872 Jul 29 11:00 FPX.autobackup.20190729_110001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 12:00 FPX.autobackup.20190729_120001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 13:00 FPX.autobackup.20190729_130001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 14:00 FPX.autobackup.20190729_140001.conf
lubuntu@lubuntu-pc:~/config$