Technical Tip: Backup and restore FortiGate configuration file from a USB thumb drive
Description
This article describes how to take backup and restore a FortiGate configuration file from a USB thumb drive.
Scope
FortiGate.
Solution
Most FortiGate models will have an external USB-A port available that a USB thumb drive/storage device can be plugged into, and from there administrators can backup/restore config files to/from the USB drive. Note that the FortiGate only supports USB drives formatted for FAT/vFAT/FAT32 (MBR partitions only, no support for GPT).
Before starting, verify that the USB drive is connected to the same physical FortiGate that the config backup will be run on (it is not possible to backup a configuration from an HA srimary FortiGate if the USB is plugged into the HA secondary, and vice-versa). To check that the USB drive is detected, run the following commands and check for entries mentioning USB.
FortiGate # diagnose hardware deviceinfo disk
[...]
Disk USB-4(user-usb) ref: 16 57.7GiB type: USB [Kingston DataTraveler 3.0] dev: /dev/sdb
partition ref: 17 57.7GiB, 57.7GiB free mounted: N label: dev: /dev/sdb1 start: 0
[...]
FortiGate # execute usb-device list
[...]
T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 6 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=0951 ProdID=1666 Rev= 1.10
S: Manufacturer=Kingston
S: Product=DataTraveler 3.0
S: SerialNumber=<redacted>
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr= 36mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
[...]
Finally, verify the FortiGate can also mount the USB drive filesystem by running the command execute usb-disk list. If the FortiGate can read the filesystem on the USB drive then it will show the contents (or return a blank output), otherwise a warning message will be shown (see section below for information on resolving this).
To backup configuration using the CLI:
- Log into the CLI.
- Enter one of the following commands to backup the configuration files:
execute backup [ config | obfuscated-config ] usb <filename>
execute backup [ full-config | obfuscated-full-config ] usb <filename>
execute backup [ yaml-config | obfuscated-yaml-config ] usb <filename>
Usage notes:
- The config version is similar to backing up via the GUI and produces a file with only the settings required to fully restore the FortiGate (this is the recommended version for backup/restore).
- The full-config version contains the entire configuration, similar to performing a show full-config in the CLI. This produces a much larger file and and is generally not necessary for backup/restore (but will function correctly).
- The yaml version produces a backup in the YAML language, rather than the traditional FortiOS CLI-like format.
- The obfuscated versions replace all passwords and secrets with the phrase 'FortinetPasswordMask'. This version is useful for sharing with Fortinet TAC but is not appropriate for restore purposes (it will not have any admin passwords, IPsec PSKs, or other necessary secrets from the original configuration).
- Once one of the above commands is run, run the command execute usb-disk list to confirm that the configuration files are present on the USB drive. See the example output below (note that a file extension is not added to the file by default and would need to be typed by the administrator):
FortiGate # execute backup config usb config_backup.conf
Please wait...
Copy config config_backup.txt to USB disk ...
Copy config file to USB disk OK.
FortiGate # execute usb-disk list
2026-02-03 10:05:10 <DIR> System Volume Information
2026-02-04 10:08:01 708920 config_backup.conf
To restore configuration using the CLI:
- Log into the CLI.
- Enter the command execute restore config usb <filename> to restore a config file from the USB drive, then type 'y' to confirm the restoration:
FortiGate # execute restore config usb config_backup.conf
This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n)y
Please wait...
Copy config config_backup.conf from USB disk ...
Get config file from USB disk OK.
File check OK.
FortiGate #
System is rebooting...
To backup/restore a specific VDOM configuration, enter into the VDOM before running through the above procedures:
config vdom
edit <vdom_name>
Finally, to perform a backup to a USB drive in the GUI, refer to the following documentation: Configuration backups and reset. Check from the GUI to make sure the USB drive is visible to the FortiGate before starting the backup/restore process:
Additional commands:
| Command | Purpose |
| execute usb-disk delete <filename> | Deletes an existing file on the USB drive. |
| execute usb-disk eject | Ejects/unmounts the USB drive ahead of physical removal (not mandatory with most USB drives today). |
| execute usb-disk format | Re-formats the USB drive to the FAT32 filesystem. This will delete all existing files on the USB drive, so ensure that any required files are backed up before running this command. |
| execute usb-disk list | Mounts the USB drive and attempts to list the contents. If the USB drive is not readable for some reason (incompatible filesystem, using GPT partitioning instead of MBR, drive corruption, etc.,) then the following warning is shown:
FortiGate # execute usb-disk list |
| execute usb-disk rename <old_filename> <new_filename> | Renames an existing file on the USB drive. |
Note: if the config filename includes spaces then it is necessary to wrap it in quotations when performing a backup/restore.
Related document: