Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Backup & restore

System > Maintenance > Backup & Restore enables you to:

  • Create backup files of the system configuration and web protection profiles.
  • Restore the system configuration or web protection profile from a previous backup. For details, see Restoring a previous configuration.

Once you have tested your basic installation and verified that it functions correctly, create a backup. This “clean” backup can be used to:

  • Troubleshoot a non-functional configuration by comparing it with this functional baseline via a tool such as Diff. For details, see Tools.
  • Rapidly restore your installation to a simple yet working point. For details, see Restoring a previous configuration.
  • Batch-configure FortiWeb appliances by editing the file in a plain text editor, then uploading the finalized configuration to multiple appliances. For details, see Restoring a previous configuration.

After you have a working deployment, back up the configuration again after any changes. This ensures that you can rapidly restore your configuration exactly to its previous state if a change does not work as planned.

You can configure the appliance to periodically upload a backup to an FTP server. See To back up the configuration via the web UI to an FTP/SFTP server.

Backing up configurations

Your deployment’s configuration is comprised of a few separate components. To make a complete configuration backup, you must include the:

  • Core configuration file
  • Certificates, private keys, and custom error pages
  • Vulnerability scan settings
  • Web protection profiles
  • Web server configuration files (see the documentation for your web servers’ operating systems or your preferred third-party backup software)
Configuration backups do not include data such as logs and reports.

 

There are multiple methods that you can use to create a FortiWeb configuration backup. Use whichever one suits your needs:

To back up the configuration via the web UI to localhost
  1. Log in to the web UI as the admin administrator.
  2. Other administrator accounts do not have the required permissions.

  3. Go to System > Maintenance > Backup & Restore.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
  4. Select the Backup & Restore tab.
    The top of the page displays the date and time of the last backup. (No date and time is displayed if the configuration was never backed up, or you restored the firmware.)
  5. Under Backup/Restore, select Backup.
  6. Select either:
  7. Backup entire configuration—Create a full backup of the configuration that includes both the configuration file (a CLI script) and other uploaded files, such as private keys, certificates, and error pages. You can choose whether or not to Include Machine Learning Data.

    Backup CLI configuration—Back up the core configuration file only (a CLI script) and exclude any other uploaded files and vulnerability scan settings.

    Backup Web Protection Profile related configuration—Back up the web protection profiles only.

  8. If you would like to password-encrypt the backup files to .zip extension files before downloading them, enable Encryption and type a password in Password.
  9. Click Backup.

If your browser prompts you, navigate to the folder where you want to save the configuration file.

Your browser downloads the configuration file. The download time varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection. It can take several minutes.

To back up the configuration via the web UI to FortiWeb disk
  1. Log in to the web UI as the admin administrator.
  2. Other administrator accounts do not have the required permissions.

  3. Go to System > Maintenance > Backup & Restore.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
  4. Select the Local Backup & Restore tab.
  5. Under Backup, select either
  6. Full Config—A full configuration backup that includes both the configuration file and other uploaded files, such as private keys, certificates, and error pages. You can choose whether or not to Include Machine Learning Data.
    Note: You cannot restore a full configuration backup made via FTP/SFTP by using the web UI. Instead, use the execute restore command in the CLI.

    CLI Config—Only include the core configuration file.

    WAF Config—Only include the web protection profiles.

  7. Click Backup.

    A dialog Local Backup Name is displayed. Enter a name for the backup.

  8. Click OK.
    You can create a maximum number of 10 entries for loca backup.
To back up the configuration via the web UI to an FTP/SFTP server
Fortinet strongly recommends that you password-encrypt this backup, and store it in a secure location. This method includes sensitive data such as your HTTPS certificates’ private keys. Unauthorized access to private keys compromises the security of all HTTPS requests using those certificates.
  1. Go to System > Maintenance > Backup & Restore and select the FTP Backup tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
  2. Click Create New.
  3. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
  4. Configure these settings:

  5. FTP Protocol Select whether to connect to the server using FTP or SFTP.
    FTP Server Type either the IP address or fully qualified domain name (FQDN) of the server. The maximum length is 127 characters.
    FTP Directory Type the directory path on the server where you want to store the backup file. The maximum length is 127 characters.
    FTP Authentication Enable if the server requires that you provide a user name and password for authentication, rather than allowing anonymous connections.
    FTP User

    Type the user name that the FortiWeb appliance will use to authenticate with the server. The maximum length is 127 characters.

    This field appears only if you enable FTP Authentication.

    FTP Password

    Type the password corresponding to the user account on the server. The maximum length is 127 characters.

    This field appears only if you enable FTP Authentication.

    Backup Type

    Select either:

    • Full Config—A full configuration backup that includes both the configuration file and other uploaded files, such as private keys, certificates, and error pages. Please note the machine learning data is not included in the Full Config backup. To execute FTP backup including the machine learning data, use CLI command execute backup full-config-with-ML-data. See section "execute backup full-config-with-ML-data“ in FortiWeb CLI Reference.
      Note: You cannot restore a full configuration backup made via FTP/SFTP by using the web UI. Instead, use the execute restore command in the CLI.
    • CLI Config—Only include the core configuration file.
    • WAF Config—Only include the web protection profiles.
    Encryption

    Enable to encrypt the backup file with a password.

    Encryption Password

    Type the password that will be used to encrypt the backup file.

    This field appears only if you enable Encryption.

    Schedule Type

    Select either:

    • Now—Initiate the backup immediately.
    • Daily—Schedule a recurring backup for a specific day and time of the week.
    Days

    Select the specific days when you want the backup to occur.

    This field is visible only if you set Schedule Type to Daily.

    Time

    Select the specific hour and minute of the day when you want the backup to occur.

    This field is visible only if you set Schedule Type to Daily.

  6. Click OK.

If you selected an immediate backup, the appliance connects to the server and uploads the backup.

To back up the configuration via the CLI to a TFTP server

For this part, see FortiWeb CLI Reference.

Restoring a previous configuration

If you have downloaded configuration backups, you can upload one to revert the appliance’s configuration to that point.

Uploading a configuration file can also be used to configure many features of the FortiWeb appliance in a single batch: download a configuration file backup, edit the file in a plain text editor, then upload the finalized configuration.
To upload a configuration via the web UI
  1. Go to System > Maintenance > Backup & Restore and select the Backup & Restore tab.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.

    If you have made a configuration backup to an FTP server (see To back up the configuration via the web UI to an FTP/SFTP server), you cannot restore it here. Instead, restore it by using the execute restore command. For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

  3. Select Restore.
  4. Click Upload in the From File field to locate the file. The file will have a .zip file extension.
  5. If the backup was encrypted, enable Decryption, then in Password, provide the password that was used to encrypt the backup file.
  6. Click Restore to start the restoration of the selected configuration to a file.
  7. Your web browser uploads the configuration file and the FortiWeb appliance restarts with the new configuration. Time required to restore varies by the size of the file and the speed of your network connection. Your web UI session will be terminated when the FortiWeb appliance restarts.

  8. To continue using the web UI, if you have not changed the IP address and static routes of the web UI, simply refresh the web page and log in again.
  9. Otherwise, to access the web UI again, in your web browser, modify the URL t to match the new IP address of the network interface.

    For example, if you configured port1 with the IP address 10.10.10.5, you would browse to:

    https://10.10.10.5

    If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the FortiWeb appliance’s new IP address.

  10. Upload any auxiliary configuration files such as certificates. These are only included in the configuration backup if you used the CLI or FTP/SFTP server backup. Otherwise, you must upload them again manually.

Backup & restore

System > Maintenance > Backup & Restore enables you to:

  • Create backup files of the system configuration and web protection profiles.
  • Restore the system configuration or web protection profile from a previous backup. For details, see Restoring a previous configuration.

Once you have tested your basic installation and verified that it functions correctly, create a backup. This “clean” backup can be used to:

  • Troubleshoot a non-functional configuration by comparing it with this functional baseline via a tool such as Diff. For details, see Tools.
  • Rapidly restore your installation to a simple yet working point. For details, see Restoring a previous configuration.
  • Batch-configure FortiWeb appliances by editing the file in a plain text editor, then uploading the finalized configuration to multiple appliances. For details, see Restoring a previous configuration.

After you have a working deployment, back up the configuration again after any changes. This ensures that you can rapidly restore your configuration exactly to its previous state if a change does not work as planned.

You can configure the appliance to periodically upload a backup to an FTP server. See To back up the configuration via the web UI to an FTP/SFTP server.

Backing up configurations

Your deployment’s configuration is comprised of a few separate components. To make a complete configuration backup, you must include the:

  • Core configuration file
  • Certificates, private keys, and custom error pages
  • Vulnerability scan settings
  • Web protection profiles
  • Web server configuration files (see the documentation for your web servers’ operating systems or your preferred third-party backup software)
Configuration backups do not include data such as logs and reports.

 

There are multiple methods that you can use to create a FortiWeb configuration backup. Use whichever one suits your needs:

To back up the configuration via the web UI to localhost
  1. Log in to the web UI as the admin administrator.
  2. Other administrator accounts do not have the required permissions.

  3. Go to System > Maintenance > Backup & Restore.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
  4. Select the Backup & Restore tab.
    The top of the page displays the date and time of the last backup. (No date and time is displayed if the configuration was never backed up, or you restored the firmware.)
  5. Under Backup/Restore, select Backup.
  6. Select either:
  7. Backup entire configuration—Create a full backup of the configuration that includes both the configuration file (a CLI script) and other uploaded files, such as private keys, certificates, and error pages. You can choose whether or not to Include Machine Learning Data.

    Backup CLI configuration—Back up the core configuration file only (a CLI script) and exclude any other uploaded files and vulnerability scan settings.

    Backup Web Protection Profile related configuration—Back up the web protection profiles only.

  8. If you would like to password-encrypt the backup files to .zip extension files before downloading them, enable Encryption and type a password in Password.
  9. Click Backup.

If your browser prompts you, navigate to the folder where you want to save the configuration file.

Your browser downloads the configuration file. The download time varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection. It can take several minutes.

To back up the configuration via the web UI to FortiWeb disk
  1. Log in to the web UI as the admin administrator.
  2. Other administrator accounts do not have the required permissions.

  3. Go to System > Maintenance > Backup & Restore.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
  4. Select the Local Backup & Restore tab.
  5. Under Backup, select either
  6. Full Config—A full configuration backup that includes both the configuration file and other uploaded files, such as private keys, certificates, and error pages. You can choose whether or not to Include Machine Learning Data.
    Note: You cannot restore a full configuration backup made via FTP/SFTP by using the web UI. Instead, use the execute restore command in the CLI.

    CLI Config—Only include the core configuration file.

    WAF Config—Only include the web protection profiles.

  7. Click Backup.

    A dialog Local Backup Name is displayed. Enter a name for the backup.

  8. Click OK.
    You can create a maximum number of 10 entries for loca backup.
To back up the configuration via the web UI to an FTP/SFTP server
Fortinet strongly recommends that you password-encrypt this backup, and store it in a secure location. This method includes sensitive data such as your HTTPS certificates’ private keys. Unauthorized access to private keys compromises the security of all HTTPS requests using those certificates.
  1. Go to System > Maintenance > Backup & Restore and select the FTP Backup tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
  2. Click Create New.
  3. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
  4. Configure these settings:

  5. FTP Protocol Select whether to connect to the server using FTP or SFTP.
    FTP Server Type either the IP address or fully qualified domain name (FQDN) of the server. The maximum length is 127 characters.
    FTP Directory Type the directory path on the server where you want to store the backup file. The maximum length is 127 characters.
    FTP Authentication Enable if the server requires that you provide a user name and password for authentication, rather than allowing anonymous connections.
    FTP User

    Type the user name that the FortiWeb appliance will use to authenticate with the server. The maximum length is 127 characters.

    This field appears only if you enable FTP Authentication.

    FTP Password

    Type the password corresponding to the user account on the server. The maximum length is 127 characters.

    This field appears only if you enable FTP Authentication.

    Backup Type

    Select either:

    • Full Config—A full configuration backup that includes both the configuration file and other uploaded files, such as private keys, certificates, and error pages. Please note the machine learning data is not included in the Full Config backup. To execute FTP backup including the machine learning data, use CLI command execute backup full-config-with-ML-data. See section "execute backup full-config-with-ML-data“ in FortiWeb CLI Reference.
      Note: You cannot restore a full configuration backup made via FTP/SFTP by using the web UI. Instead, use the execute restore command in the CLI.
    • CLI Config—Only include the core configuration file.
    • WAF Config—Only include the web protection profiles.
    Encryption

    Enable to encrypt the backup file with a password.

    Encryption Password

    Type the password that will be used to encrypt the backup file.

    This field appears only if you enable Encryption.

    Schedule Type

    Select either:

    • Now—Initiate the backup immediately.
    • Daily—Schedule a recurring backup for a specific day and time of the week.
    Days

    Select the specific days when you want the backup to occur.

    This field is visible only if you set Schedule Type to Daily.

    Time

    Select the specific hour and minute of the day when you want the backup to occur.

    This field is visible only if you set Schedule Type to Daily.

  6. Click OK.

If you selected an immediate backup, the appliance connects to the server and uploads the backup.

To back up the configuration via the CLI to a TFTP server

For this part, see FortiWeb CLI Reference.

Restoring a previous configuration

If you have downloaded configuration backups, you can upload one to revert the appliance’s configuration to that point.

Uploading a configuration file can also be used to configure many features of the FortiWeb appliance in a single batch: download a configuration file backup, edit the file in a plain text editor, then upload the finalized configuration.
To upload a configuration via the web UI
  1. Go to System > Maintenance > Backup & Restore and select the Backup & Restore tab.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.

    If you have made a configuration backup to an FTP server (see To back up the configuration via the web UI to an FTP/SFTP server), you cannot restore it here. Instead, restore it by using the execute restore command. For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

  3. Select Restore.
  4. Click Upload in the From File field to locate the file. The file will have a .zip file extension.
  5. If the backup was encrypted, enable Decryption, then in Password, provide the password that was used to encrypt the backup file.
  6. Click Restore to start the restoration of the selected configuration to a file.
  7. Your web browser uploads the configuration file and the FortiWeb appliance restarts with the new configuration. Time required to restore varies by the size of the file and the speed of your network connection. Your web UI session will be terminated when the FortiWeb appliance restarts.

  8. To continue using the web UI, if you have not changed the IP address and static routes of the web UI, simply refresh the web page and log in again.
  9. Otherwise, to access the web UI again, in your web browser, modify the URL t to match the new IP address of the network interface.

    For example, if you configured port1 with the IP address 10.10.10.5, you would browse to:

    https://10.10.10.5

    If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the FortiWeb appliance’s new IP address.

  10. Upload any auxiliary configuration files such as certificates. These are only included in the configuration backup if you used the CLI or FTP/SFTP server backup. Otherwise, you must upload them again manually.