nmerchant
Staff
August 16, 2020

Technical Tip: Configure SCP backup


Description

This article explains how to configure SCP backup for FortiAnalyzer/FortiManager.

Scope

FortiAnalyzer.

Solution

  1. Check that the OpenSSH version on the Linux station is 5.4 or higher.
  2. Create a CA private/public key pair in the current directory. Assuming the Linux user is fortinet, run the following under /home/fortinet: ssh-keygen -f ca-key. Resulting keys: 'ca-key' (private key) and 'ca-key.pub' (public key).
  3. Set up the SSH server to trust the CA key. Under /home/fortinet run: echo "cert-authority $(cat ca-key.pub)" >> /home/fortinet/.ssh/authorized_keys (double quotes are required so that $(cat ca-key.pub) is expanded to the key content).
  4. Create a user private/public key pair. Under /home/fortinet run: ssh-keygen -f user-key. Resulting keys: 'user-key' (private key) and 'user-key.pub' (public key).
  5. Sign the user key with the CA key. Under /home/fortinet run: ssh-keygen -s ca-key -I <key-id> user-key.pub. <key-id> is a "key identity" that is logged by the server when the certificate is used for authentication, for example "fortinet's key". A separate certificate file called user-key-cert.pub is created.
  6. Decrypt the user private key. Under /home/fortinet run: openssl rsa -in user-key. Copy the output.
  7. On the FortiAnalyzer/FortiManager, enter the following commands.

config system certificate ssh
    edit <cert-name>
        set private-key "<paste the decrypted user private key from step 6>"
        set certificate "<paste the content of file user-key-cert.pub>"
end

Keep the quotes (") before and after the pasted text in both set commands.

  8. Test the backup from FortiAnalyzer/FortiManager.

exec backup all-settings scp <scp server ip, i.e. ip address of the linux server used above> <path/filename> <username> <cert-name>

Where <username> is a user account on the SCP server whose authorized_keys trusts the CA key, and <cert-name> is the certificate created on the FortiAnalyzer/FortiManager in step 7 above.
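Before the certificate from step 5 is pasted into 'config system certificate ssh' in step 7, it is worth confirming what the CA actually signed: that the signing key is ca-key.pub, that the key identity is the one expected in the server log, that the certificate is restricted to the intended principal (ssh-keygen signs for any account unless -n is given), and that its validity window covers the backup schedule. The following is an added example, not part of the original article or a Fortinet tool: it decodes the OpenSSH certificate wire format directly; the sample certificate and CA key line it checks are constructed from dummy key material, and it does not verify the RSA signature itself.

```python
import base64, hashlib, struct, time

def ssh_str(b):  # SSH wire 'string': 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def read_str(buf, off):
    n, = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n
def fingerprint(pubkey_blob):  # same value that 'ssh-keygen -lf ca-key.pub' prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(pubkey_blob).digest()).decode().rstrip("=")

def parse_user_cert(cert_line):
    """Decode an ssh-rsa-cert-v01@openssh.com line (user-key-cert.pub) field by field; the
    signature is not verified, the goal is to read what the CA signed."""
    blob, off = base64.b64decode(cert_line.split()[1]), 0
    for _ in range(4):                       # key type, nonce, RSA e, RSA n
        _, off = read_str(blob, off)
    _serial, cert_type = struct.unpack(">QI", blob[off:off + 12]); off += 12
    key_id, off = read_str(blob, off)
    plist, off = read_str(blob, off)
    principals, p = [], 0
    while p < len(plist):                    # principals are nested SSH strings
        name, p = read_str(plist, p); principals.append(name.decode())
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16]); off += 16
    for _ in range(3):                       # critical options, extensions, reserved
        _, off = read_str(blob, off)
    ca_key, _ = read_str(blob, off)          # the public key that signed this certificate
    return {"user_cert": cert_type == 1, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "ca_fingerprint": fingerprint(ca_key)}

def check_cert(cert_line, ca_pub_line, now=None):
    """Return (fields, problems); fix every problem before pasting into 'config system certificate ssh'."""
    c, now = parse_user_cert(cert_line), int(time.time()) if now is None else now
    problems = []
    if c["ca_fingerprint"] != fingerprint(base64.b64decode(ca_pub_line.split()[1])):
        problems.append("signed by a CA other than ca-key.pub")
    if not c["principals"]:
        problems.append("no principals: accepted for any account trusting the CA (sign with -n <user>)")
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside the validity window (see ssh-keygen -V)")
    return c, problems

# Constructed sample (dummy key material, not real keys): a CA public key line and a certificate
# built with the same encoder, so the checks can run offline.
CA_PUB_BLOB = ssh_str(b"ssh-rsa") + ssh_str(b"\x01\x00\x01") + ssh_str(b"\x00" + b"\xab" * 32)
CA_PUB_LINE = "ssh-rsa " + base64.b64encode(CA_PUB_BLOB).decode() + " ca-key"

def build_sample_cert(key_id, principals, valid_after, valid_before, ca_blob=CA_PUB_BLOB):
    body = (ssh_str(b"ssh-rsa-cert-v01@openssh.com") + ssh_str(b"\x00" * 32)          # type, nonce
            + ssh_str(b"\x01\x00\x01") + ssh_str(b"\x00" + b"\xcd" * 32)                # user key e, n
            + struct.pack(">QI", 1, 1) + ssh_str(key_id.encode())                       # serial, user type, key id
            + ssh_str(b"".join(ssh_str(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + ssh_str(b"") * 3         # validity, empty options
            + ssh_str(ca_blob) + ssh_str(b"signature-not-checked"))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " fortinet's key"
```

On a real station, pass the first line of user-key-cert.pub and ca-key.pub to check_cert; an empty problem list means the certificate names the expected principal, is within its validity window and was issued by the CA the server trusts.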

To schedule SCP backups, configure the following:

config system backup all-settings
    set status enable
    set server <ip address of the linux server above>
    set user <username>
    set directory <backup directory on server>
    set week_days monday tuesday …
    set time <time>
    set protocol scp
    set cert <cert-name>
end