April 18, 2020

Technical Tip: Auto backup to TFTP server when an admin makes a config change


Description

This article describes how to use an automation stitch to send a configuration backup to a TFTP server automatically whenever an administrator changes the configuration and then logs out of the unit.


Scope


FortiGate.

Solution


  1. Go to Security Fabric -> Automation -> Create New. Under 'Trigger', select 'Configuration change', and under 'Action', select 'CLI Script'.

P1.jpg


  2. Under CLI Script, enter a name, paste the CLI script that sends the configuration backup to the TFTP server, and save it. See the related document at the end of this article for more on performing a configuration backup via CLI.


P2.jpg


To back up the full configuration as a password-protected (encrypted) file, use the command 'execute backup full-config tftp <filename> <TFTP server IP> <encryption password>'.

Example: execute backup full-config tftp full_backup_encrypted.conf 10.255.254.10 Encrypt@Pass

  3. When an admin makes a configuration change and then logs out of the unit, the automation stitch runs the CLI script, and the backup is sent to the TFTP server. For testing, an IPv4 policy was created and the admin then logged out of the GUI.
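The same stitch expressed as FortiOS CLI configuration, added here as an example and not taken from the original article. The server address, file name and password are the ones used in the article's backup example; the object names are arbitrary. The stitch block uses the FortiOS 6.2 form ('set action'); on FortiOS 6.4 and later the stitch binds its actions through a 'config actions' subtable instead, as noted in the comments.

```text
# Trigger: fires when an administrator logs out after changing the configuration
config system automation-trigger
    edit "config-change"
        set event-type config-change
    next
end

# Action: run the backup command as a CLI script
config system automation-action
    edit "backup-to-tftp"
        set action-type cli-script
        # The encryption password is stored here in clear text, i.e. inside the
        # FortiGate configuration itself; restrict who can read the config.
        set script "execute backup full-config tftp full_backup_encrypted.conf 10.255.254.10 Encrypt@Pass"
        # Cap the script output kept (MB) so a verbose script cannot exhaust memory
        set output-size 10
    next
end

# Stitch: bind the trigger to the action (FortiOS 6.2 syntax)
config system automation-stitch
    edit "auto-backup-on-change"
        set status enable
        set trigger "config-change"
        set action "backup-to-tftp"
    next
end
```

On FortiOS 6.4 and later, replace the 'set action "backup-to-tftp"' line with a subtable: 'config actions', 'edit 1', 'set action "backup-to-tftp"', 'next', 'end'. To verify, make any configuration change, log out, and check that the file appears in the TFTP server's directory.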


P3.jpg


kb_17628_4.png

The backup file is sent to the TFTP server as soon as the admin logs out.


kb_17628_5.png


In an HA cluster, the FortiGate serial number is prepended to the backup file name, so the TFTP server must already have a file named <FGT_S/N>_newfile (the serial number followed by the file name given in the script); otherwise, the backup fails. This is because many TFTP daemons only overwrite existing files and refuse to create new ones unless explicitly configured to allow it (for example, tftpd-hpa requires its --create option).


auto_TFTP.JPG


Notes: 

  • The automation stitch is triggered only when the administrator logs out after making the change; the backup is not sent while the admin session is still open.

  • TFTP is not encrypted and not authenticated. Use it only on a dedicated/isolated management network, and restrict access so that only the FortiGate can reach the TFTP server. If secure transport is needed, consider alternatives such as SFTP.

  • TFTP starts on UDP/69, but the server answers from a dynamically chosen UDP port and the data transfer runs on that port (not only 69). Firewall rules between the FortiGate and the TFTP server must allow this return traffic, for example through stateful inspection or a TFTP session helper.

  • 'set output-size <MB>' on the automation action limits how much script output is kept, which helps reduce the risk of high memory usage from verbose scripts.

  • A password-protected (encrypted) configuration file cannot be restored on the FortiGate without the correct encryption password. Note that this password appears in clear text in the stitch's CLI script, and therefore in the FortiGate configuration itself, so restrict read access to the configuration accordingly.
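The following is a constructed example, not FortiGate or Fortinet code, that shows the two TFTP behaviours behind the HA note and the dynamic-port note above: a client sends a write request (WRQ) to the server's listening port, the server replies from a second, dynamically chosen UDP port and runs the whole data transfer there, and a server configured like a strict TFTP daemon (overwrite only, no file creation) rejects an upload whose file name does not already exist. Both sides run over loopback in a temporary directory; the listening port is ephemeral rather than 69 because binding 69 needs root, and the file name "FGT_SERIAL_newfile" is a placeholder standing in for a real <FGT_S/N>_newfile.

```python
"""Minimal TFTP write-request (WRQ) exchange over loopback (RFC 1350 subset).
Constructed example: shows the server answering from a dynamic UDP port and a
strict server rejecting uploads whose target file does not already exist."""
import os
import socket
import struct
import tempfile
import threading

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                                      # RFC 1350 data block size
LOOPBACK = "127.0.0.1"


def _serve_one_wrq(listen_sock, root, allow_create, result):
    """Server side: handle exactly one write request, then return."""
    pkt, client = listen_sock.recvfrom(1024)
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode != OP_WRQ:
        listen_sock.sendto(struct.pack("!HH", OP_ERROR, 4) + b"Illegal TFTP operation\0", client)
        return
    name = pkt[2:].split(b"\0")[0].decode()
    path = os.path.join(root, os.path.basename(name))     # never trust the client's path
    if not allow_create and not os.path.exists(path):
        # Strict daemon: the file must be pre-created (the HA failure mode from the article).
        listen_sock.sendto(struct.pack("!HH", OP_ERROR, 2) + b"Access violation\0", client)
        return
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    data_sock.bind((LOOPBACK, 0))                        # new, dynamically chosen transfer port
    result["server_data_port"] = data_sock.getsockname()[1]
    data_sock.sendto(struct.pack("!HH", OP_ACK, 0), client)   # ACK 0 is sent from the new port
    with open(path, "wb") as fh:
        while True:
            pkt, client = data_sock.recvfrom(4 + BLOCK)
            op, block = struct.unpack("!HH", pkt[:4])
            if op != OP_DATA:
                break
            fh.write(pkt[4:])
            data_sock.sendto(struct.pack("!HH", OP_ACK, block), client)
            if len(pkt) - 4 < BLOCK:                     # a short block ends the transfer
                break
    data_sock.close()


def tftp_put(server, port, name, data, timeout=2.0):
    """Client side: send a WRQ to `port`, then stream DATA blocks to whatever
    port the server's ACK 0 came from. Returns a dict describing the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(struct.pack("!H", OP_WRQ) + name.encode() + b"\0octet\0", (server, port))
        pkt, peer = sock.recvfrom(1024)                  # peer is the server's transfer port
        opcode = struct.unpack("!H", pkt[:2])[0]
        if opcode == OP_ERROR:
            code = struct.unpack("!H", pkt[2:4])[0]
            return {"ok": False, "error_code": code, "error": pkt[4:].split(b"\0")[0].decode()}
        if pkt != struct.pack("!HH", OP_ACK, 0):
            raise RuntimeError("unexpected reply to WRQ: %r" % pkt)
        block = 0
        # len(data) + 1 so that an exact multiple of 512 still sends a final empty block
        for off in range(0, len(data) + 1, BLOCK):
            block += 1
            sock.sendto(struct.pack("!HH", OP_DATA, block) + data[off:off + BLOCK], peer)
            ack, _ = sock.recvfrom(4)
            if ack != struct.pack("!HH", OP_ACK, block):
                raise RuntimeError("bad ACK for block %d: %r" % (block, ack))
        return {"ok": True, "data_port": peer[1], "blocks": block}
    finally:
        sock.close()


def exchange(name, data, allow_create=False, pre_create=False):
    """Run one server thread and one client over loopback in a scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        if pre_create:
            open(os.path.join(root, name), "wb").close()  # the pre-created <S/N>_newfile
        listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        listen.bind((LOOPBACK, 0))                       # stands in for UDP/69
        listen_port = listen.getsockname()[1]
        result = {}
        t = threading.Thread(target=_serve_one_wrq, args=(listen, root, allow_create, result))
        t.start()
        outcome = tftp_put(LOOPBACK, listen_port, name, data)
        t.join(5)
        listen.close()
        outcome["listen_port"] = listen_port
        outcome.update(result)
        stored = os.path.join(root, name)
        outcome["stored"] = open(stored, "rb").read() if os.path.exists(stored) else None
        return outcome


if __name__ == "__main__":
    name = "FGT_SERIAL_newfile"   # constructed placeholder for <FGT_S/N>_newfile
    print(exchange(name, b"config system global\nend\n"))                   # rejected: no such file
    print(exchange(name, b"config system global\nend\n", pre_create=True))  # accepted on a new port
```

The rejected case is the HA failure from the note above: the server sends TFTP error 2 (access violation) back from the listening port and never opens a transfer port. In the accepted case, compare data_port against listen_port in the returned dict to see why a firewall between the FortiGate and the TFTP server must permit more than UDP/69.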


Related document:

Configuration backups and reset