FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmarcuccetti
Staff
Staff
Article Id 198364

Description


This article explains how to send automated backups from a FortiGate to a TFTP/FTP or SFTP Server using an automated action and automation stitches, and also provides a recommendation for configuring a Linux machine.


Scope

 
FortiGate.


Solution

 

The Automation Stitch is a feature of the Security Fabric.
To deploy it, configure automation-trigger, automation-action and automation-stitches.

 

CLI example:

In this example a trigger is scheduled to perform a daily backup at 23:58 to an FTP/SFTP server 192.168.55.4 (username testuser, password testpassword) into the directory 'Backup', naming the file backup.conf.

 

Step 1:

 

config system automation-trigger
    edit "backup"
        set trigger-type scheduled
        set trigger-frequency daily   <- Frequency of the action.
        set trigger-hour 23           <- Hour of the triggered action.
        set trigger-minute 58         <- Minute of the triggered action.
    next
end

 

Step 2:

 

config system automation-action
    edit "backup"
        set action-type cli-script
        set minimum-interval 0    <- Limit execution to no more than once in this interval (in seconds).
        set delay 0               <- Delay before execution (in seconds).
        set required enable
        set script "execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
    next
end

If the FortiGate is configured with multiple VDOMs, configure the script line as below:

 

set script "config global

execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"

 

When using SFTP for transferring the backup and the FortiGate is configured with multiple VDOMs, the script above will change only the protocol, as below:

set script "config global

execute backup config sftp /Backup/backup.conf 192.168.55.4 testuser testpassword"

 

Step 3:

 

config system automation-stitch
    edit "backup"
        set status enable
        set trigger "backup"
        set action "backup"
    next
end

 

Execute backup breakdown:

 

execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword

 

  • 'execute backup config' will back up the current saved configuration.
  • 'ftp' specifies to backup of the file to the FTP server.
  • '/Backup/backup.conf' assigns this file name and path to the backup on the FTP server. Note that if the folder path does not have '/backup/' specified, the FTP server will save the file into the "default" ftp folder. Optionally, add the variable %%date%% to name the backup with the current date stamp. For example: 'backup-%%date%%.conf' would be saved as backup-2023-01-11.conf
  • Moreover, optional variables such as '%%log.devid%%” and “%%log.devname%%' can be added for serial number and the device name.
  • '192.168.55.4' is the FTP server's IP. A port can also be specified. For example, 192.168.55.4:2323.
  • 'testuser' is the username of a user with read/write permissions on the FTP server.
  • 'testpassword' is the above user's password.

 

Note that the user and password that is defined in the automation stitch will be saved in clear text in FortiGate backup.

 

GUI example:
Go to Security Fabric -> Automation. In the Trigger section, select Schedule. In the Action section, select CLI Script.

  
Record the CLI script or upload it.
 
 
Once the action is triggered in the Security Fabric -> Automation, the page records the Last Triggered Time.
 
 

 

Important Note:

When the FTP server is known through an IPSec VPN:

 

An important point to keep in mind is a possible scenario where the FTP server used to store backups is in another location and it is reached by IPSec VPN.
In this case, the traffic generated by the FortiGate execution of commands will be announced with WAN or the MGMT IP by default. This traffic may not be allowed.
To solve this, it is necessary to configure an IP over the IPSec interface on Source FortiGate and allow this communication [Interface IPsec IP]->[FTP_Server] in encryption domains of VPN and Firewall policies on the Remote side.

 

Here is a diagram example:

 

Auto-backup.PNG

Configurations for this example:


FortiGate Source:


config vpn ipsec phase1-interface
    edit "To-DataCenter"
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 
        set remote-gw <DataCenter_Public_IP>
    next
end

config vpn ipsec phase2-interface
    edit "To-DataCenter_FTP"
        set phase1name "To-DataCenter"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set src-subnet 10.254.254.254 255.255.255.255
        set dst-subnet 192.168.55.0 255.255.255.0
    next
end

 

config system interface
    edit "To-DataCenter"
        set ip 10.254.254.254 255.255.255.255
        set type tunnel
        set interface "port1"
    next
end

config router static
    edit 0
        set dst 192.168.55.0 255.255.255.0
        set device "To-DataCenter"
    next
end

 

FortiGate Date Center: 

 

config vpn ipsec phase1-interface
    edit "To-Fortigate"
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 
        set remote-gw <FGT_Public_IP>
    next
end

config vpn ipsec phase2-interface
    edit "To-Fortigate_FTP"
        set phase1name "To-Fortigate"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set src-subnet 192.168.55.0 255.255.255.0
        set dst-subnet 10.254.254.254 255.255.255.255
    next
end

config router static
    edit 0
        set dst 10.254.254.254 255.255.255.255
        set device "To-Fortigate"
    next
end

config firewall address
    edit "To-Fortigate_remote_subnet_10.254.254.254"
        set subnet 10.254.254.254 255.255.255.255
    next
    edit "To-Fortigate_local_subnet_192.168.55.0/24"
        set subnet 192.168.55.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "FTP_AUTOBACKUP"
        set srcintf "To-Fortigate"
        set dstintf "port4"
        set srcaddr "To-Fortigate_remote_subnet_10.254.254.254"
        set dstaddr "To-Fortigate_local_subnet_192.168.55.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable 
    next
end

 

A recommendation for configuring a Linux machine for SFTP:

 

  1. Configure the IP address, subnet mask and gateway on the Linux machine from the GUI:

    Go to: 'Settings' -> 'Network' and configure the IP address, subnet mask and gateway, on the port which it is connected with the FortiGate.

    In this case, Kali Linux is chosen as a Linux machine. To connect the FortiGate with the Kali Linux, the following IP address is configured from the FortiGate: 10.108.20.123/20.

 

IP_Address_configuration_on_Kali_Linux.jpg

 

  1. Update the system on Kali Linux. In order to update the system, Internet connectivity and DNS resolution are needed in order to resolve: 'kali.org'. To set these up, perform the following steps:

    1. Create a Firewall Policy on the FortiGate. In this example, it is configured as below:

 

Firewall_Policy_from_Kali_Linux_toward_the_Internet.jpg

 

Port2 is used for Internet connectivity.

Port3 is used for the connection with the Kali Linux.

 

    1. As shown below, it is possible to ping 1.1.1.1 but it is not possible to resolve: 'kali.org':

 

Screenshot_3.jpg

 

In order to be able to resolve the domain, executed the following command:

 

Screenshot_4.jpg

 

After executing the above command, the following output is received. In the following output, write 'nameserver 1.1.1.1', as below:

 

Screenshot_5.jpg

 

To save the above output, press CTRL + O -> Enter. To exit, press CTRL + X.

 

After the above steps, 'kali.org' will be reachable and DNS will be able to resolve 'kali.org':

 

Screenshot_6.jpg

 

  1. Execute the following commands to update the system:

sudo apt update

sudo apt upgrade

 

  1. Run the following commands to install, enable, and start the SSH. SFTP relies on SSH to transfer files securely.

 

sudo apt install ssh

sudo systemctl enable ssh

   sudo systemctl start ssh

 

To check the status of SSH, run the following command:

 

sudo systemctl status ssh

 

  1. Run the following command to create an SFTP group where will users that will access files using SFTP will be added:

 

sudo addgroup sftp

 

Create a user or users that will have access to SFTP and write the password by running the following command:

 

sudo adduser user <- In this example, 'user' is the name of the user. 

 

New password: Fortinet

Retype new password: Fortinet

Full Name: Name Surname

 

Add the user or users that were just created to the SFTP group:

 

sudo usermod -a -G sftp user <- 'user' is the name of the user. 

 

Verify the SFTP group by running the following command:

 

grep sftp /etc/group
       

  1. Create a directory that users can access:

 

sudo mkdir -p /var/sftp/Files

 

Set the ownership of the directory to the root user:

 

sudo chown root:root /var/sftp

 

Change the access permissions of the directory by running the following command:

 

sudo chmod 755 /var/sftp

 

Allow access of the 'Files' directory to the user that was created by running the following command:

 

sudo chown user:user /var/sftp/Files<- 'user' in both cases is the name of the user. 

 

  1. Execute the following command to open the SSH configuration file:

 

sudo nano /etc/ssh/sshd_config   

 

Add the following script on the bottom of the SSH configuration file, as shown in the screenshot:

 

   Match User user
   ChrootDirectory /var/sftp
   X11Forwarding no
   AllowTcpForwarding no
   ForceCommand internal-sftp

 

Screenshot_7.jpg

 

To save the script, press CTRL + O -> Enter. To exit, press CTRL + X. In order to be sure that the script is saved, execute the following command again and go to the bottom of the script:

 

sudo nano /etc/ssh/sshd_config   

 

  1. Restart the SSH service with the following command:

 

sudo systemctl restart ssh 

 

  1. Check if the backup is transferred via SFTP after the scheduled time with the following command on the Linux machine:

 

find /var/sftp/Files -print -ls 

 

Screenshot_8.jpg

 

As shown in above screenshot, the backup configuration file is transferred successfully at the scheduled time on the Linux machine.