New Member

Question

Error when restoring a configuration using SCP

Forum|Forum|10 years ago
August 6, 2015
7 replies
12183 views

Hello,

I tried to use restoring configuration with following scp command:

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/basic_setup.096.55.html

(I don't use fgt_restore_config, but fgt-restore-config)

It seems restoring was finished, but there were two problems,

1) Received following errors before restore

#scp <local_file> <admin_user>@<host>:fgt-restore-config <admin_user>'s password: <local_file>

printcmdb.c, 1928: node_get_from_object error for global printcmdb.c, 1928: node_get_from_object error for interface printcmdb.c, 1928: node_get_from_object error for admin printcmdb.c, 1928: node_get_from_object error for ha printcmdb.c, 1928: node_get_from_object error for storage printcmdb.c, 1928: node_get_from_object error for device-category printcmdb.c, 1928: node_get_from_object error for storage printcmdb.c, 1928: node_get_from_object error for fortiguard printcmdb.c, 1928: node_get_from_object error for console

End Restore <local_file> to <host>

2) It seems something is wrong, for example, exec traceroute received error like this;

*traceroute: sendto: Operation not permitted

Any idea to solve this?

Thanks in advance.

5.0

emnoc

New Member

OP is the config file correct for the FortiOS version your running? Look at the 1st 3 lines of the cfg validate the right file by type and version.

e.g

#config-version=FWF60D-5.02-FW-build670-150318:opmode=0:vdom=1:user=admin #conf_file_ver=12854391105018001111 #buildno=0670

NagaAuthor

New Member

Yes, it's same.

#config-version=FG100D-5.00-FW-build292-140731:opmode=0:vdom=1:user=<admin_user> #conf_file_ver=327945981713478992 #buildno=0292

FYI, firmware version is this: v5.0,build0292 (GA Patch 9)

Thanks,

emnoc

New Member

could it be a bug ?

What I would do;

1: down load a unencrypted backup

2: diff the 1st one you tried to the newly created backup

3: try to re-upload the newly create backup and see what happens

NagaAuthor

New Member

Hi emnoc,

I tired to test.

1: Saved current configration which has error (as "current.config")

2: Factory reset + basic configration, settting IP and enabling SCP (as "basic.config" ) 3: The results are: (restoring with scp command) from basic.config to current.config -> No error from basic.config to basic.config -> No error from current.config to basic.config -> Error from current.config to current.config -> Error

It seems scp self do not have a bug, and current.config has setting(s) which makes error in case of changing that.

I wish you have some ideas for this.

Thanks,

ede_pfau

SuperUser

I have the suspicion that you are using VDOMs, and the restore only affected the root VDOM. Can you clarify, please?

NagaAuthor

New Member

I am using VDOMs, but restore is not affected only to root VDOM, but to all VDOMs.

Is scp restore command only for the configuration without virtual clustering ?

Thanks,

ede_pfau

SuperUser

Content differs depending on the filename you are pulling: either sys_config (regular) or fgt-config (with all VDOM settings).

Have a look at this thread: https://forum.fortinet.com/tm.aspx?m=114055

NagaAuthor

New Member

Hi ede_pfau,

I'm getting configuration by using "fgt-config", found at here;

http://docs-legacy.fortin...asic_setup.096.53.html

after that, I use follwing command for restoring.

#scp <local_file> <admin_user>@<host>:fgt-restore-config

I found this command in this url:

http://docs-legacy.fortin...asic_setup.096.55.html

In this url, we should use "fgt_retsore_config" but this is not work so I use "fgt-restore-config". (guessing fgt_restore_config is typo)

Thanks,

emnoc

New Member

Did you diff the download via the webgui and the scp download? if the configuration is messed up or different, I expect the unit to complain and fall over with errors.

And yes you can use the "fgt-restore-config" in fact I think anything with fgt-restore in it will work :)

NagaAuthor

New Member

It's good news for me that using "fgt-restore-config" is regular way.

The "diff" between WebGUI and SCP shows that only private key infomation (DEK-Info and private key body) is different. I couldn't find any other difference between these two configurations which I took both in 5 miniutes ago.

I tried to upload WebGUI configuration via SCP just in case, but result is same, had same errors.

Thanks,

emnoc

New Member

Can I ask a very dumb question, the username your using to restore what's the acc_profile for that user ( all read-write )?

If the "accprofile" doesn't let that user write, I could see that error. That's about the only issues I could think of.

So let make 100% sure, that this is not a account profile restriction issue.

And on the restoral anything with <fgt-restore-config> in the name , will work if your ever curiouse.g

mybigfatfgt-restore-config works just as good as fgt-restore-config

Ken

NagaAuthor

New Member

Hi Ken,

I use "admin" which is given by system as default. I didn't have changed any acc_profile for this FG. Also, updating operation to new configuration file shows writing operation is allowed.

FYI, I use shell-script for restoring so operation is always executed with same way.

Thanks,

Allwyn_Mascarenhas

New Member

I have made this batch file for conf dload using scp, works great. Put it all in notepad and change the extension to .bat.

Also enable scp on the fgt:

conf sys global

set admin-scp enable

end

echo off
echo firewall backup
set /p cn=Enter client:
set /p ip=Enter ip:
set /p un=Enter un:
set /p pwr=Enter pw:
echo
cd c:\Program Files\PuTTY
pscp -pw %pwr% %un%@%ip%:sys_config c:\backup\%cn%-%DATE%-%TIME::=%.conf
PAUSE

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded