This article describes how to create a backup of the FortiAuthenticator configuration to a remote FTP or SFTP server.
The supported methods are as follows:
FTP and SFTP from GUI - auto-backup.
FTP and TFTP from CLI - manual.
These tests are done using a free FTP server (FileZilla) and also a free SFTP server (SolarWinds).
First, it is necessary to create an FTP server on FortiAuthenticator.
Go to System -> Administration -> FTP Servers.
Go to System - > Administration - > Config auto-backup and enable option 'Enable configuration auto-backup' and specify the FTP server created before.
It is possible to specify frequency: Hourly, Daily, Weekly or Monthly.
Specify the FTP directory created in the above step.
Download and configure FileZilla server, a user is needed to be created on FileZilla and specify the path wanted to save backup config file.
Based on the frequency specified it is possible to see the backup config file saved on the path on server.
In case the backup is not working, make sure that there is no blocking in the firewall side on port 20 or 21.
It is possible to run a packet capture on FortiAuthenticator CLI:
# execute tcpdumpfile -i any port 20 or port 21
When the test is done, stop the packet capture with CTRL+C. Then download it from the FortiAuthenticator debug menu. Go to https://<fac-ip>/debug and download the file CLI Packet Capture listed in the dropdown.
Here user might see a communication issue between FortiAuthenticator and the FTP server. Additionally, it might help to check the logs on the FTP server side for any particular error at the time of testing, giving more information on the communication problem.
The other method is using SFTP server: it is necessary to configure SFTP server, for this example it is a free SFTP server (SolarWinds). Here make sure that port 22 is reachable from the FortiAuthenticator.
Specify the root directory to save the logs.
Create a new user and specify a password.
On FortiAuthenticator configuration select SFTP and specify username and password.
In the case there is any issue with the backup not working, it is possible to run a packet capture on FortiAuthenticator. Since in this case the packets are encrypted, the packet content cannot be read, but connectivity issues may be visible.
As a supplement, the server-side logs will help, especially if there are permission/account issues suspected.
# execute tcpdumpfile -i any port 22 and host 192.168.10.11
On the server side (192.168.10.11), it is possible to see the backup config file saved every hour.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.