FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Demir21
Staff
Staff
Article Id 202286
Description This article describes another way on how to get the backup configuration file on FortiGate using HTTPS RestAPI calls from a Python script.
Scope FortiGate.
Solution
  1. Create a REST API Admin in FortiGate under System -> Administrators -> Create New -> REST API Admin to have access to it via API.

  2. Save the API key that is generated immediately after selecting on 'Save' button as in the screenshot below:

 

Demir21_0-1640948430514.png

 

 

  1. Ensure that the API admin is set with super_admin rights, CLI must be used:

 

config system api-user
    edit "test"
        set api-key ENC blahblah
        set accprofile "super_admin"
        set vdom "root"
    next
end


  1. Create an empty file in Linux using the command: nano /home/backup.py.

  2. Add the following Python script in the file and save it:

Import requests:

 

       import requests

api_url = 'https://10.191.20.122/api/v2/monitor/system/config/backup?scope=global&access_token=Api_Key_Generate...'

 

requests.packages.urllib3.disable_warnings()

data = requests.get(api_url, verify=False)

with open('/home/api_configbackup.conf' ,'wb') as f:

         for line in data:

               f.write(line)

 

Where 10.191.20.122 is the IP of the FortiGate.

 

For FortiOS 7.4.5 + the authentication needs to be passed in the header, and Api_Key_Generated needs to be moved from the link inside the get request header. Script will be:

 

    import requests

    api_url = 'https://10.191.20.122/api/v2/monitor/system/config/backup?scope=global'

    requests.packages.urllib3.disable_warnings()
    headers = {"Authorization": "Bearer Api_Key_Generated"}
    data = requests.get(api_url, verify=False, headers=headers)

    with open('/home/api_configbackup.conf' ,'wb') as f:

        for line in data:

            f.write(line)

 

The scope is global for the global configuration of the FortiGate.

 

Api_Key_Generated is the value of the token we previously generated. 

 /home/api_configbackup.conf is the place in the Linux machine where to save the backup file.

 

  1. Execute the Python script created with the command python3 /home/backup.py

 

The file api_configbackup will be created in the specified directory with the configurations of the Fortigate included.

 

For chassis-based products (such as 6K - 7K) it may be necessary to set the scope to Global in the account profile to make this work as expected: 

 

config system accprofile
    edit "API-BACKUP"
        set scope global
--> Set the scope to global under the relevant accprofile.
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
    next