Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jonathan_Body_FTNT
Staff
Staff

Created on ‎02-18-2010 07:43 AM Edited on ‎11-09-2025 11:22 PM By Community Manager

Article Id 196889

Technical Tip : Differences between FortiGate CLI commands "execute backup config" and "execute backup full-config"

Description

 

This article explains the utilization of the "execute backup config" and the "execute backup full-config" and the expected output available in the saved configuration files.

Scope

 

FortiOS.


Solution

 

When performing an 'execute backup' of the configuration file on the FortiGate, there are 2 ways this file can be saved: either as a 'config' or as a 'full-config'.

The difference can be described in the following way:

When navigating on the CLI, if a 'show config' is used, this will show the configuration in its basic format; however, performing the  "show full-config"  the FortiGate will show everything, including the default values:-

show full = show + default values

This can also be true of the way the FortiGate saves the configuration files within the 2 scenarios either as a "config" or a "full-config", the "full-config" will also include all default values within the saved file.

For example, here below the full-config file was saved from a device via ftp to a ftp server:-


FGT200A-1 # execute backup full-config ftp fgt.200A_full.conf 192.168.183.2 fortinet fortinet

Please wait...
Please wait...

Connect to ftp server 192.168.183.2 ...
Send config file to ftp server OK.


Previously, as an 'execute backup config' was performed, it was possible to compare the output from 2 sub-menus for a protection profile 'unfiltered', this is the excerpts from the 'execute backup config' and 'exec backup full-config'.

FGT # execute backup config

edit "unfiltered"
            config log
                set log-web-ftgd-err enable
            end
        set ftp no-content-summary
        set http no-content-summary
        set https no-content-summary
        set imap fragmail no-content-summary
        set pop3 fragmail no-content-summary
        set smtp fragmail no-content-summary splice
        set nntp no-content-summary
            config app-recognition
                edit "http"
                    set port 80
                next
                edit "https"
                    set port 443
                next
                edit "smtp"
                    set port 25
                next
                edit "pop3"
                    set port 110
                next
                edit "imap"
                    set port 143
                next
                edit "nntp"
                    set port 119
                next
                edit "ftp"
                    set port 21
                next
            end
        unset im
        unset http-post-lang
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
    next
end


FGT # execute backup full-config

 edit "unfiltered"
        set webbwordthreshold 10
        set spambwordthreshold 10
        set httpoversizelimit 10
        set ftpoversizelimit 10
        set imapoversizelimit 10
        set pop3oversizelimit 10
        set smtpoversizelimit 10
        set imoversizelimit 10
        set nntpoversizelimit 10
            config log
                set log-app-ctrl disable
                set log-av-block disable
                set log-av-oversize disable
                set log-av-virus disable
                set log-dlp disable
                set log-ips disable
                set log-spam disable
                set log-web-content disable
                set log-web-filter-activex disable
                set log-web-filter-applet disable
                set log-web-filter-cookie disable
                set log-web-ftgd-err enable
                set log-web-invalid-domain enable
                set log-web-url disable
            end
        set ftp no-content-summary
        set http no-content-summary
        set https no-content-summary
        set http-retry-count 0
        set imap fragmail no-content-summary
        set pop3 fragmail no-content-summary
        set smtp fragmail no-content-summary splice
        set smtp-spamaction discard
        set smtp-spamtagtype subject spaminfo
        set smtp-spamtagmsg "Spam"
        set smtp-spamhdrip disable
        set smtp-spam-localoverride disable
        set pop3-spamaction tag
        set pop3-spamtagtype subject spaminfo
        set pop3-spamtagmsg "Spam"
        set nac-quar-infected none
        set imap-spamaction tag
        set imap-spamtagtype subject spaminfo
        set imap-spamtagmsg "Spam"
        set filepattable 0
        set webbwordtable 0
        set weburlfiltertable 0
        set spambwordtable 0
        set spamemaddrtable 0
        set spamipbwltable 0
        set spammheadertable 0
        set spamrbltable 0
        set spamiptrusttable 0
        set content-header-list 0
        set nntp no-content-summary
        set ips-sensor-status disable
        set application-list-status disable
            config app-recognition
                edit "http"
                    set inspect-all disable
                    set port 80
                next
                edit "https"
                    set inspect-all disable
                    set port 443
                next
                edit "smtp"
                    set inspect-all disable
                    set port 25
                next
                edit "pop3"
                    set inspect-all disable
                    set port 110
                next
                edit "imap"
                    set inspect-all disable
                    set port 143
                next
                edit "nntp"
                    set inspect-all disable
                    set port 119
                next
                edit "ftp"
                    set inspect-all disable
                    set port 21
                next
            end
        set mailsig-status disable
        set mail-sig ''
        unset im
        set comment ''
        set dlp-sensor-table ''
        unset http-post-lang
        set replacemsg-group "default"
        set httpcomfortinterval 10
        set ftpcomfortinterval 10
        set httpcomfortamount 1
        set ftpcomfortamount 1
        set httppostaction normal
        unset safesearch
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
        set ftgd-wf-enable g01 g02 g03 g04 g05 g06 g07 g08 g21 c01 c02 c03 c04 c05 c06
        set ftgd-wf-disable g22
        set ftgd-wf-allow all
        unset ftgd-wf-log
        unset ftgd-wf-ovrd
    next
end

 

Note:

There is no way to set a source IP or specific interface to backup either full-config or config.

10670
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.