FortiGate
gmarcuccetti
Staff
Article Id 198364

Description


This article explains how to send automated configuration backups from a FortiGate to a TFTP/FTP server using an Automation Stitch (an automated action of the Security Fabric).


Scope

 
FortiGate.


Solution

 

The Automation Stitch is a feature of the Security Fabric.
To deploy it, configure an automation-trigger, an automation-action, and an automation-stitch that binds the two together.

 

CLI example:

In this example, a trigger is scheduled to perform a daily backup at 23:58 to the FTP server 192.168.55.4 (username testuser, password testpassword), into the directory 'Backup', naming the file backup.conf.

 

Step 1:

 

config system automation-trigger
    edit "backup"
        set trigger-type scheduled
        set trigger-frequency daily   <----- Frequency of the action.
        set trigger-hour 23           <----- Hour of the triggered action.
        set trigger-minute 58         <----- Minute of the triggered action.
    next
end

 

Step 2:

 

config system automation-action
    edit "backup"
        set action-type cli-script
        set minimum-interval 0    <----- Limit execution to no more than once in this interval (in seconds).
        set delay 0               <----- Delay before execution (in seconds).
        set required enable
        set script "execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
    next
end

If the FortiGate is configured with multiple VDOMs, the script must first enter the global VDOM. Enter both lines inside the same quoted string:

set script "config global
execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"

 

Step 3:

 

config system automation-stitch
    edit "backup"
        set status enable
        set trigger "backup"
        set action "backup"
    next
end

 

Execute backup breakdown:

 

execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword

 

  • 'execute backup config' backs up the current saved configuration.
  • 'ftp' specifies that the file is sent to an FTP server ('tftp' is used for a TFTP server).
  • '/Backup/backup.conf' is the path and file name of the backup on the FTP server. If no folder path such as '/Backup/' is specified, the FTP server saves the file in the user's default FTP directory. Optionally, add the variable %%date%% to include the current date in the file name. For example, 'backup-%%date%%.conf' is saved as backup-2023-01-11.conf.
  • The optional variables '%%log.devid%%' (device serial number) and '%%log.devname%%' (device name) can also be added to the file name of the backup.
  • '192.168.55.4' is the FTP server's IP address. A port can also be specified, for example 192.168.55.4:2323.
  • 'testuser' is the username of a user with read/write permissions on the FTP server.
  • 'testpassword' is the above user's password.

 

Note that the username and password defined in the automation action are stored in clear text in the FortiGate configuration, and therefore in every FortiGate backup. Use a dedicated FTP account whose access is limited to the backup directory, and treat the backup files themselves as sensitive.
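Because the credentials live in the 'set script' line of the automation action, they are present in any copy of the configuration that is exported or shared. The following Python script is an added example, not Fortinet code: it parses the 'config system automation-action' block of a FortiOS configuration text, reports every 'execute backup config ftp' or 'tftp' command that carries credentials (including the two-line multi-VDOM form), and returns a copy of the configuration with the FTP password replaced, so the file can be shared or archived without the secret. The sample configuration embedded in the script is constructed from this article's example.

```python
"""Find clear-text FTP backup credentials in a FortiGate configuration backup.

Added example, not Fortinet code. SAMPLE_BACKUP is constructed from the
article's automation action, plus the two-line multi-VDOM form.
"""
import re

SAMPLE_BACKUP = '''\
config system automation-action
    edit "backup"
        set action-type cli-script
        set minimum-interval 0
        set delay 0
        set required enable
        set script "execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
    next
    edit "backup-vdom"
        set action-type cli-script
        set script "config global
execute backup config ftp /Backup/backup-%%date%%.conf 192.168.55.4:2323 testuser testpassword"
    next
end
config system automation-stitch
    edit "backup"
        set status enable
        set trigger "backup"
        set action "backup"
    next
end
'''

# A 'set script' value may span several lines, so match (non-greedily) up to the
# first closing quote that ends a line; DOTALL lets '.' cross newlines.
SCRIPT_RE = re.compile(r'(?ms)^([ \t]*)set script "(.*?)"[ \t]*$')
# execute backup [full-]config ftp|tftp <path> <server[:port]> [<user> <password>]
BACKUP_RE = re.compile(
    r"^\s*execute backup (?:full-)?config (ftp|tftp)\s+(\S+)\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?\s*$"
)


def iter_action_scripts(config_text):
    """Yield (action name, script text) for each entry of 'config system automation-action'."""
    block = re.search(r"(?ms)^config system automation-action\n(.*?)^end[ \t]*$", config_text)
    if not block:
        return
    for m in re.finditer(r'(?ms)^[ \t]*edit "([^"]+)"\n(.*?)^[ \t]*next[ \t]*$', block.group(1)):
        script = SCRIPT_RE.search(m.group(2))
        if script:
            yield m.group(1), script.group(2)


def find_backup_credentials(config_text):
    """Return one finding per 'execute backup ... ftp|tftp' command found in an action script."""
    findings = []
    for name, script in iter_action_scripts(config_text):
        for line in script.splitlines():
            cmd = BACKUP_RE.match(line)
            if not cmd:
                continue
            proto, path, server, user, password = cmd.groups()
            findings.append({
                "action": name,
                "protocol": proto,
                "server": server,
                "path": path,
                "username": user,
                # TFTP carries no credentials; FTP ones are stored verbatim in the config.
                "password_present": password is not None,
            })
    return findings


def redact_passwords(config_text):
    """Return config_text with each FTP backup password replaced by <REDACTED>; nothing else changes."""
    def _redact(m):
        indent, script = m.group(1), m.group(2)
        lines = []
        for line in script.splitlines():
            cmd = BACKUP_RE.match(line)
            if cmd and cmd.group(1) == "ftp" and cmd.group(5):
                # Replace only the trailing password token, keeping path, server and user.
                line = line[:cmd.start(5)] + "<REDACTED>" + line[cmd.end(5):]
            lines.append(line)
        return '%sset script "%s"' % (indent, "\n".join(lines))
    return SCRIPT_RE.sub(_redact, config_text)


if __name__ == "__main__":
    for finding in find_backup_credentials(SAMPLE_BACKUP):
        print(finding)
    print(redact_passwords(SAMPLE_BACKUP))
```

Run it against a real backup by reading the file into a string and passing it to find_backup_credentials() and redact_passwords(); the redacted output keeps the action intact so it can still be reviewed, and only the password token changes.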

 

GUI example:
Go to Security Fabric -> Automation. In the Trigger section select Schedule, and in the Action section select CLI Script.

Enter the CLI script, or upload it as a file.

Once the action has been triggered, the Security Fabric -> Automation page shows the Last Triggered time.
 
 

 

Important Note:

When the FTP server is reached through an IPsec VPN.

A possible scenario is that the FTP server used to store the backups is in another location and is reached through an IPsec VPN.
By default, traffic that the FortiGate itself generates (such as this backup upload) is sourced from the WAN or MGMT interface IP, which is usually not part of the VPN encryption domain, so the traffic may be dropped.
To solve this, configure an IP address on the IPsec tunnel interface of the source FortiGate, and allow the communication [Interface IPsec IP] -> [FTP_Server] both in the phase 2 selectors (encryption domains) of the VPN and in the firewall policies on the remote side.

 

Here is a diagram example:

 

[Diagram: Auto-backup.PNG]

Configurations for this example:


FortiGate Source:


config vpn ipsec phase1-interface
    edit "To-DataCenter"
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 
        set remote-gw <DataCenter_Public_IP>
    next
end

config vpn ipsec phase2-interface
    edit "To-DataCenter_FTP"
        set phase1name "To-DataCenter"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set src-subnet 10.254.254.254 255.255.255.255
        set dst-subnet 192.168.55.0 255.255.255.0
    next
end

 

config system interface
    edit "To-DataCenter"
        set ip 10.254.254.254 255.255.255.255
        set type tunnel
        set interface "port1"
    next
end

config router static
    edit 0
        set dst 192.168.55.0 255.255.255.0
        set device "To-DataCenter"
    next
end

 

FortiGate Data Center:

 

config vpn ipsec phase1-interface
    edit "To-Fortigate"
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 
        set remote-gw <FGT_Public_IP>
    next
end

config vpn ipsec phase2-interface
    edit "To-Fortigate_FTP"
        set phase1name "To-Fortigate"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set src-subnet 192.168.55.0 255.255.255.0
        set dst-subnet 10.254.254.254 255.255.255.255
    next
end

config router static
    edit 0
        set dst 10.254.254.254 255.255.255.255
        set device "To-Fortigate"
    next
end

config firewall address
    edit "To-Fortigate_remote_subnet_10.254.254.254"
        set subnet 10.254.254.254 255.255.255.255
    next
    edit "To-Fortigate_local_subnet_192.168.55.0/24"
        set subnet 192.168.55.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "FTP_AUTOBACKUP"
        set srcintf "To-Fortigate"
        set dstintf "port4"
        set srcaddr "To-Fortigate_remote_subnet_10.254.254.254"
        set dstaddr "To-Fortigate_local_subnet_192.168.55.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable 
    next
end
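The failure mode described in the Important Note is easy to miss until the first scheduled backup silently fails: the upload leaves with an address that no phase 2 selector covers, or the two sides' selectors are not mirror images. The following Python script is an added example, not Fortinet code; it reads the phase 2 selectors and the tunnel interface address from both configurations above (embedded here as constructed text), works out which source address the backup will use according to the rule the article gives (tunnel IP if one is set, otherwise the egress interface IP), and reports any selector that would drop the upload. The WAN address 203.0.113.10 and the helper names are assumptions for the example.

```python
"""Check that FortiGate-originated backup traffic fits the IPsec encryption domain.

Added example, not Fortinet code. SOURCE_CFG and REMOTE_CFG are constructed from
the article's configurations; 203.0.113.10 is a constructed placeholder for the
source FortiGate's WAN (port1) address.
"""
import ipaddress
import re

SOURCE_CFG = '''\
config vpn ipsec phase2-interface
    edit "To-DataCenter_FTP"
        set phase1name "To-DataCenter"
        set src-subnet 10.254.254.254 255.255.255.255
        set dst-subnet 192.168.55.0 255.255.255.0
    next
end
config system interface
    edit "To-DataCenter"
        set ip 10.254.254.254 255.255.255.255
        set type tunnel
        set interface "port1"
    next
end
'''

REMOTE_CFG = '''\
config vpn ipsec phase2-interface
    edit "To-Fortigate_FTP"
        set phase1name "To-Fortigate"
        set src-subnet 192.168.55.0 255.255.255.0
        set dst-subnet 10.254.254.254 255.255.255.255
    next
end
'''

FTP_SERVER = ipaddress.ip_address("192.168.55.4")
WAN_IP = ipaddress.ip_address("203.0.113.10")  # constructed placeholder, not from the article
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _block(cfg, header):
    """Body of the top-level 'config <header>' ... 'end' block, or '' if absent."""
    m = re.search(r"(?ms)^config %s\n(.*?)^end[ \t]*$" % re.escape(header), cfg)
    return m.group(1) if m else ""


def _edits(block):
    """Yield (name, body) for each 'edit "<name>"' ... 'next' entry in a block."""
    for m in re.finditer(r'(?ms)^[ \t]*edit "([^"]+)"\n(.*?)^[ \t]*next[ \t]*$', block):
        yield m.group(1), m.group(2)


def phase2_selectors(cfg):
    """[(src_net, dst_net)] per phase 2 entry; an unset subnet defaults to 0.0.0.0/0."""
    selectors = []
    for _name, body in _edits(_block(cfg, "vpn ipsec phase2-interface")):
        nets = {}
        for key, addr, mask in re.findall(r"set (src-subnet|dst-subnet) (\S+) (\S+)", body):
            nets[key] = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
        selectors.append((nets.get("src-subnet", ANY_NET), nets.get("dst-subnet", ANY_NET)))
    return selectors


def tunnel_ip(cfg, tunnel_name):
    """Address configured on the IPsec tunnel interface, or None when it has none."""
    for name, body in _edits(_block(cfg, "system interface")):
        if name == tunnel_name:
            m = re.search(r"^\s*set ip (\S+) \S+", body, re.M)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def backup_source_ip(cfg, tunnel_name, egress_ip):
    """Per the article: self-originated traffic uses the tunnel IP when one is set,
    otherwise the egress (WAN/MGMT) interface address."""
    ip = tunnel_ip(cfg, tunnel_name)
    return ip if ip is not None else egress_ip


def check_backup_path(source_cfg, remote_cfg, tunnel_name, egress_ip, ftp_server):
    """Return a list of problems; an empty list means the upload fits both encryption domains."""
    problems = []
    src_ip = backup_source_ip(source_cfg, tunnel_name, egress_ip)
    matching = [(s, d) for s, d in phase2_selectors(source_cfg)
                if src_ip in s and ftp_server in d]
    if not matching:
        problems.append("source %s -> %s is not covered by any local phase 2 selector"
                        % (src_ip, ftp_server))
    remote = set(phase2_selectors(remote_cfg))
    for s, d in matching:
        if (d, s) not in remote:  # the remote side must list the same pair, mirrored
            problems.append("remote side has no mirrored selector %s -> %s" % (d, s))
    return problems


if __name__ == "__main__":
    print(check_backup_path(SOURCE_CFG, REMOTE_CFG, "To-DataCenter", WAN_IP, FTP_SERVER) or "OK")
```

Removing the 'set ip' line from the tunnel interface reproduces the problem the note describes: the backup would then be sourced from the WAN address, which no selector covers, and the script reports exactly that. The check does not replace a firewall policy review on the remote side; it only confirms that the selectors on both FortiGates agree on the [Interface IPsec IP] -> [FTP_Server] pair.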