FortiGate
Demir21
Staff
Article Id 202286
Description: This article describes another way to get the backup configuration file from FortiGate, using HTTPS REST API calls from a Python script.
Scope FortiGate.
Solution
  1. Create a REST API Admin in FortiGate under System -> Administrators -> Create New -> REST API Admin to have access to it via API.

  2. Save the API key that is generated immediately after selecting the 'Save' button.

  3. Ensure that the API admin is set with super_admin rights. The CLI must be used:

 

config system api-user
    edit "test"
        set api-key ENC blahblah
        set accprofile "super_admin"
        set vdom "root"
    next
end


  4. Create an empty file in Linux using the command: nano /home/backup.py

  5. Add the following Python script to the file and save it:

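import requests

# Backup endpoint; the API key is passed as the access_token query parameter.
api_url = 'https://10.191.20.122/api/v2/monitor/system/config/backup?scope=global&access_token=Nbcyjfgb....'

# verify=False below skips TLS certificate validation; this call silences the resulting warning.
requests.packages.urllib3.disable_warnings()

data = requests.get(api_url, verify=False)
# Stop on an HTTP error instead of saving the error body as the backup.
data.raise_for_status()

# Write the returned configuration to disk.
with open('/home/api_configbackup.conf', 'wb') as f:
    f.write(data.content)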

 

Where:

10.191.20.122 is the IP of the FortiGate.

scope is global, for the global configuration of the FortiGate.

access_token is the value of the token generated previously.

/home/api_configbackup.conf is the location on the Linux machine where the backup file is saved.

 

  6. Execute the Python script with the command: python3 /home/backup.py

 

The file api_configbackup.conf will be created in the specified directory and will contain the configuration of the FortiGate.

 

For chassis-based products (such as 6K - 7K) it may be necessary to set the scope to Global in the account profile to make this work as expected: 

 

config system accprofile
    edit "API-BACKUP"
        set scope global    <-- Set the scope to global under the relevant accprofile.
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
    next
end
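
A hardened variant of the backup script above, as an added example that is not part of the original article: the API key is sent in the Authorization header (the form a comment on this article reports as required on 7.4.5) rather than in the URL, TLS verification stays on, and the file is written with owner-only permissions. The environment variable names, the output filename and the '#config-version=' check are assumptions, and the standard library is used in place of requests.

```python
import os
import ssl
import sys
import urllib.request

BACKUP_PATH = "/api/v2/monitor/system/config/backup?scope=global"  # endpoint from the article


def build_request(host, token):
    """Build the backup request with the API key in a header, not in the URL."""
    req = urllib.request.Request(f"https://{host}{BACKUP_PATH}")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def looks_like_config(body):
    """Assumption: an unencrypted FortiOS backup starts with '#config-version='."""
    return body.startswith(b"#config-version=")


def save_private(path, body):
    """Write the backup readable by its owner only; it holds credential material."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)  # also tighten a file that already existed
        f.write(body)
    return path


def backup(host, token, out_path, ca_file=None):
    """Fetch the configuration over verified TLS and store it."""
    ctx = ssl.create_default_context(cafile=ca_file)  # certificate and hostname are checked
    with urllib.request.urlopen(build_request(host, token), context=ctx, timeout=30) as resp:
        body = resp.read()  # urlopen raises HTTPError on 4xx/5xx responses
    if not looks_like_config(body):
        raise ValueError("response is not a FortiGate configuration file")
    return save_private(out_path, body)


if __name__ == "__main__":
    # Hypothetical variable names: FGT_HOST, FGT_API_KEY, FGT_CA_FILE.
    try:
        out = backup(os.environ["FGT_HOST"], os.environ["FGT_API_KEY"],
                     "api_configbackup.conf", os.environ.get("FGT_CA_FILE"))
    except Exception as exc:
        sys.exit(f"backup failed: {exc}")
    print("saved", out)
```

Keeping the key out of the URL also keeps it out of shell history, proxy logs and process listings on the machine that runs the backup.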

Comments
wintermute000

The script no longer works at least as of a new FGT on 7.4.5.

This is broken

curl -k -i "https://xxx/api/v2/monitor/system/config/backup?scope=global&access_token=xxxxxx"

The token needs to be in the header now, at least for new VMs/new API users.

curl -k -H "Authorization: Bearer xxxx" "https://xxx/api/v2/monitor/system/config/backup?scope=global"

Note: existing FGT/users seem unaffected.