FortiGate
Article Id 192979

Description


This article describes how to use an automation stitch to send an automatic configuration backup to a TFTP server whenever an administrator changes the configuration and then logs out of the FortiGate.

 

Scope

 

FortiGate.

Solution

 

  1. Go to Security Fabric -> Automation -> Create New. Under 'Trigger' select 'Configuration change', and under 'Action' select 'CLI Script'.

[Screenshot: P1.jpg]
 
  2. Under 'CLI Script', enter a name, paste the CLI script that sends the configuration backup to the TFTP server, and save it. See the related article on performing a configuration backup via the CLI for the backup command itself.
 
[Screenshot: P2.jpg]
 
  3. When an administrator makes a configuration change and logs out of the unit, the CLI script is executed and the backup is sent to the TFTP server. For this test, an IPv4 policy was created and the administrator then logged out of the GUI.
 
[Screenshot: P3.jpg]

 

The backup file is sent to the TFTP server as soon as the admin logs out.
 
 
In an HA cluster, the backup file name sent to the TFTP server is prefixed with the FortiGate serial number, for example <FGT_S/N>_newfile when the script names the file newfile. Many TFTP servers only allow overwriting existing files and refuse to create new ones, so a file with that exact name must already exist on the TFTP server; otherwise the backup fails.
 

[Screenshot: auto_TFTP.JPG]


Note
  • The automation stitch is only triggered once the administrator logs out; the configuration change alone does not start the backup.
  • TFTP is neither encrypted nor authenticated, so the backup (which contains the full configuration) travels in clear text. Use it only on a dedicated, isolated management network and restrict access so that only the FortiGate can reach the TFTP server. If the backup must cross an untrusted network, use an alternative such as SFTP.
  • Only the initial TFTP request goes to UDP port 69; the server answers from a dynamically chosen UDP port. Any firewall between the FortiGate and the TFTP server must allow that return traffic as well, not just port 69.
  • 'set output-size <MB>' on the automation action limits the size of the script output and reduces the risk of high memory usage from verbose scripts.
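The following is an added example of the CLI equivalent of the GUI steps above, combined with the HA and output-size notes. It is not taken from the original article or from Fortinet documentation; the object names, the TFTP server address 192.0.2.10 and the file name fgt_backup.conf are assumptions, and the 'config actions' sub-table is the FortiOS 7.0+ syntax (earlier releases bind the action with 'set action' on the stitch instead).

```fortios
# Added example, not from the original article. Names, the TFTP address
# 192.0.2.10 and the file name fgt_backup.conf are assumptions.

# 1. Trigger: fires on a configuration change (the stitch itself only runs
#    once the administrator who made the change logs out).
config system automation-trigger
    edit "cfg-change-trigger"
        set event-type config-change
    next
end

# 2. Action: run the backup command as a CLI script.
#    execute backup config tftp <filename> <tftp-server-ip>
#    accprofile  - admin profile the script runs under
#    output-size - cap on script output in MB (see the note above)
config system automation-action
    edit "cfg-backup-tftp"
        set action-type cli-script
        set script "execute backup config tftp fgt_backup.conf 192.0.2.10"
        set accprofile "super_admin"
        set output-size 10
    next
end

# 3. Stitch: bind the trigger to the action.
config system automation-stitch
    edit "backup-on-config-change"
        set status enable
        set trigger "cfg-change-trigger"
        config actions
            edit 1
                set action "cfg-backup-tftp"
            next
        end
    next
end
```

In an HA cluster the file written by this script arrives as <FGT_S/N>_fgt_backup.conf, so on a TFTP server that only overwrites existing files, create an empty file with that name for each cluster member beforehand. super_admin is used here for brevity; a dedicated admin profile restricted to what the backup command needs is the least-privilege choice, and the TFTP server should be reachable from the FortiGate only over the isolated management network described in the notes.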