FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
rbraha
Staff
Article Id 225265
Description

 

This article describes how to create a backup of the FortiAuthenticator configuration to a remote FTP or SFTP server.

 

Scope

 

FortiAuthenticator.

 

Solution

The supported methods are as follows:
FTP and SFTP from the GUI - auto-backup.
FTP and TFTP from the CLI - manual.

These tests were done using a free FTP server (FileZilla) and a free SFTP server (SolarWinds).

 

First, it is necessary to create an FTP server on FortiAuthenticator. 

Go to System -> Administration -> FTP Servers.

 


Go to System -> Administration -> Config auto-backup, enable the option 'Enable configuration auto-backup' and specify the FTP server created before.

 

It is possible to specify the frequency: Hourly, Daily, Weekly or Monthly.

 

Specify the FTP directory created in the above step.

 


Download and configure FileZilla Server. A user must be created on FileZilla, and the path where the backup config file will be saved must be specified.

 


Depending on the frequency specified, the backup config file will appear in the configured path on the server.

 

In case the backup is not working, make sure that the firewall is not blocking port 20 or 21.

 

It is possible to run a packet capture on FortiAuthenticator CLI:

 

# execute tcpdumpfile -i any port 20 or port 21

 

When the test is done, stop the packet capture with CTRL+C. Then download it from the FortiAuthenticator debug menu. Go to https://<fac-ip>/debug and download the file CLI Packet Capture listed in the dropdown.

The capture may show a communication issue between FortiAuthenticator and the FTP server. Additionally, it might help to check the logs on the FTP server side for any particular error at the time of testing, which can give more information on the communication problem.

 

 

The other method uses an SFTP server. It is necessary to configure the SFTP server; in this example it is a free SFTP server (SolarWinds). Make sure that port 22 is reachable from the FortiAuthenticator.

 

Specify the root directory to save the logs.

 


Create a new user and specify a password. 

 


In the FortiAuthenticator configuration, select SFTP and specify the username and password.

 


If the backup is not working, it is possible to run a packet capture on FortiAuthenticator. Since in this case the packets are encrypted, the packet content cannot be read, but connectivity issues may be visible.

As a supplement, the server-side logs will help, especially if permission or account issues are suspected.

 

# execute tcpdumpfile -i any port 22 and host 192.168.10.11

 

On the server side (192.168.10.11), it is possible to see the backup config file saved every hour.
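The check that backups keep arriving at the configured frequency can be automated on the backup server. The following is an added example, not part of the original article or Fortinet tooling: it flags a backup directory whose newest file is missing, empty, or older than the selected frequency allows. The function names, the 25% grace margin, the 31-day month and the sample file name are assumptions.

```python
import os
import tempfile
import time

# Longest expected gap, in seconds, for each frequency the auto-backup page offers.
MAX_AGE = {"Hourly": 3600, "Daily": 86400,
           "Weekly": 7 * 86400, "Monthly": 31 * 86400}


def check_backup_dir(path, frequency, grace=0.25, now=None):
    """Return (ok, reason) for the newest file in the backup directory.

    grace is an assumed tolerance (a fraction of the interval) for delays.
    """
    now = time.time() if now is None else now
    limit = MAX_AGE[frequency] * (1 + grace)
    files = [e for e in os.scandir(path) if e.is_file()]
    if not files:
        return False, "no backup files found"
    newest = max(files, key=lambda e: e.stat().st_mtime)
    info = newest.stat()
    if info.st_size == 0:
        return False, f"{newest.name} is empty, the transfer may have failed"
    age = now - info.st_mtime
    if age > limit:
        return False, f"{newest.name} is {age / 3600:.1f} h old (limit {limit / 3600:.1f} h)"
    return True, f"{newest.name} is current"


def demo():
    """Run the check on a constructed directory: empty, fresh, then aged 3 hours."""
    with tempfile.TemporaryDirectory() as d:
        empty = check_backup_dir(d, "Hourly")
        sample = os.path.join(d, "sample-backup.bin")  # constructed file name
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample data")
        fresh = check_backup_dir(d, "Hourly")
        old = time.time() - 3 * 3600
        os.utime(sample, (old, old))
        stale_hourly = check_backup_dir(d, "Hourly")
        ok_daily = check_backup_dir(d, "Daily")
    return empty, fresh, stale_hourly, ok_daily


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

Point check_backup_dir at the FTP or SFTP root directory configured on the server and run it from a scheduled task so that a silent backup failure is noticed.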

 
