Description
This article describes how to create a backup of the FortiAuthenticator configuration to a remote FTP or SFTP server.
Scope
FortiAuthenticator.
Solution
The supported methods are as follows:
FTP and SFTP from the GUI - scheduled auto-backup.
FTP and TFTP from the CLI - manual, one-off backup.
The tests below were done using the free FileZilla FTP server and the free SolarWinds SFTP server.
First, define the remote FTP server on FortiAuthenticator.
Go to System -> Administration -> FTP Servers and add an entry for the FTP server.
Go to System -> Administration -> Config auto-backup, enable the option 'Enable configuration auto-backup' and select the FTP server created in the previous step.
The frequency can be set to Hourly, Daily, Weekly or Monthly.
Specify the FTP directory, i.e. the path on the server where the backup file is to be written.
Download and configure FileZilla Server: create a user and set that user's home directory to the path where the backup configuration file should be saved. This must match the directory specified on FortiAuthenticator.
Once the chosen interval has elapsed, the backup configuration file appears in that path on the server.
If the backup is not working, make sure no firewall between the two hosts blocks TCP ports 20 and 21. Note that in passive-mode FTP the data connection does not use port 20 but a server-side port from the FTP server's passive range, so that range must be reachable as well.
A packet capture can be run from the FortiAuthenticator CLI to confirm whether the connection is established:
# execute tcpdumpfile -i any port 20 or port 21
When the test is done, stop the packet capture with CTRL+C, then download it from the FortiAuthenticator debug page: go to https://<fac-ip>/debug and select CLI Packet Capture from the dropdown.
The capture may reveal a communication problem between FortiAuthenticator and the FTP server (for example, no answer to the SYN, or a reset from the server). Checking the FTP server's own logs for errors at the time of the test also helps to pin down the cause.
The other method uses an SFTP server; this example uses the free SolarWinds SFTP server. Make sure TCP port 22 on the server is reachable from FortiAuthenticator.
Specify the root directory in which the backup files will be saved.
Create a new user and specify a password.
In the FortiAuthenticator configuration, select SFTP and enter that username and password.
If the backup does not work, run a packet capture on FortiAuthenticator. Because SFTP traffic is encrypted, the packet contents cannot be read, but connectivity problems remain visible (no TCP handshake, a reset after the handshake, or a connection that is closed right after the SSH banner, which points at authentication rather than network).
As a supplement, the server-side logs help, especially if permission or account problems are suspected.
# execute tcpdumpfile -i any port 22 and host 192.168.10.11
On the server side (192.168.10.11), the backup configuration file can then be seen saved every hour.
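Seeing the file appear once is not the same as knowing the backups keep arriving. The following script is an added example, not part of the original article and not Fortinet code: it runs on the FTP or SFTP server and checks that the backup directory contains at least one non-empty file newer than the configured interval (with 10% slack for scheduling and transfer time), so a silently broken backup job gets noticed. The directory path, the frequency names and the slack value are assumptions for the example; the backup file names are whatever FortiAuthenticator writes, the script only looks at age and size.

```shell
#!/bin/sh
# Added example (not from the article): alert when FortiAuthenticator
# auto-backups stop arriving on the FTP/SFTP server.
# Assumed: backups are written into a directory on this host; a zero-byte
# file means an aborted transfer and must not count as a good backup.

# freq_to_minutes FREQ -> prints the maximum acceptable age in minutes for
# the given auto-backup frequency (interval + 10% slack).
freq_to_minutes() {
    case "$1" in
        hourly)  echo 66 ;;        # 60 min + 10%
        daily)   echo 1584 ;;      # 24 h  + 10%
        weekly)  echo 11088 ;;     # 7 d   + 10%
        monthly) echo 47520 ;;     # 30 d  + 10%
        *) echo "unknown frequency: $1" >&2; return 2 ;;
    esac
}

# check_backups DIR FREQ -> returns 0 if DIR holds at least one non-empty
# file modified within the interval for FREQ, 1 if not, 2 on bad input.
check_backups() {
    dir="$1"
    freq="$2"
    max_age=$(freq_to_minutes "$freq") || return 2
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    # -mmin -N: modified less than N minutes ago; -size +0: more than zero blocks
    fresh=$(find "$dir" -type f -mmin -"$max_age" -size +0 | head -n 1)
    if [ -n "$fresh" ]; then
        echo "OK: recent backup found: $fresh"
        return 0
    fi
    echo "ALERT: no non-empty backup newer than $max_age minutes in $dir" >&2
    return 1
}

# Example invocation (assumed path); run from cron at the backup interval.
# check_backups /srv/ftp/facbackup/backups hourly
```

Run it from cron slightly after each expected backup, and route the non-zero exit to whatever alerting the server already uses. The zero-size check matters because a failed FTP data connection (for example when the passive port range is blocked) can leave an empty file behind that would otherwise look like a successful backup.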