Created on 11-04-2016 03:01 PM Edited on 08-20-2024 02:58 AM By Jean-Philippe_P
Description
This article explains how to send automated backups from a FortiGate to a TFTP, FTP or SFTP server using an automation action and an automation stitch, and also provides a recommendation for configuring a Linux machine as an SFTP server.
Scope
Solution
The Automation Stitch is a feature of the Security Fabric.
To deploy it, configure an automation-trigger, an automation-action and an automation-stitch.
CLI example:
In this example a trigger is scheduled to perform a daily backup at 23:58 to an FTP/SFTP server 192.168.55.4 (username testuser, password testpassword) into the directory 'Backup', naming the file backup.conf.
Step 1:
config system automation-trigger
edit "backup"
set trigger-type scheduled
set trigger-frequency daily <- Frequency of the action.
set trigger-hour 23 <- Hour of the triggered action.
set trigger-minute 58 <- Minute of the triggered action.
next
end
Step 2:
config system automation-action
edit "backup"
set action-type cli-script
set minimum-interval 0 <- Limit execution to no more than once in this interval (in seconds).
set delay 0 <- Delay before execution (in seconds).
set required enable
set script "execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
next
end
Note: The following commands are available in the 6.4 branch, but are no longer available on later branches such as 7.0.x, 7.2.x and 7.4.x:
set delay 0
set required enable
Starting from branch 7.0, executing the above commands returns the following error:
The available options in these versions are as follows:
If the FortiGate is configured with multiple VDOMs, configure the script line as below:
set script "config global
execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
When SFTP is used to transfer the backup and the FortiGate is configured with multiple VDOMs, only the protocol in the script above changes, as below:
set script "config global
execute backup config sftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
Step 3:
config system automation-stitch
edit "backup"
set status enable
set trigger "backup"
set action "backup"
next
end
Breakdown of the execute backup command (arguments in order: protocol ftp or sftp, path and filename on the server, server address, username, password):
execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword
Note:
If the script is run manually from the CLI, a filename such as 'execute backup config sftp /home/fortigate/backups/Backup%%date%%-%%log.devid%%.conf' is saved on the server literally, with the placeholders unexpanded. Only when the complete stitch is triggered are %%date%% and %%log.devid%% replaced by the actual date and the serial number of the FortiGate.
Refer to this KB article: Technical Tip: Explanation of Log Action Parameters in Automation Scripts
Note that the username and password defined in the automation stitch are saved in clear text in the FortiGate backup.
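As an added example (not part of the article or of Fortinet's own tooling), the following POSIX shell function scans a FortiGate backup file for automation-action scripts of the kind configured in Step 2 and reports every ftp/sftp backup action whose script embeds a username and password, so a backup kept on the server can be checked for clear-text credentials. The backup excerpt is constructed for this example; the action name, server and credentials in it are the article's example values, and the tftp and multi-VDOM actions are added to show those cases.

```shell
#!/bin/sh
# Constructed excerpt of a FortiGate backup (not a real export), modelled on
# the automation-action from Step 2, plus a tftp action and a multi-VDOM action.
SAMPLE_BACKUP=$(cat <<'EOF'
config system automation-action
    edit "backup"
        set action-type cli-script
        set script "execute backup config ftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
    next
    edit "backup-tftp"
        set action-type cli-script
        set script "execute backup config tftp /Backup/backup.conf 192.168.55.4"
    next
    edit "backup-vdom"
        set action-type cli-script
        set script "config global
execute backup config sftp /Backup/backup.conf 192.168.55.4 testuser testpassword"
    next
end
config system global
    set hostname "FGT-example"
end
EOF
)

# Write the sample to a temporary file and print its path.
write_sample_backup() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_BACKUP" > "$f"
  echo "$f"
}

# Print one line per automation-action whose script carries FTP/SFTP credentials:
#   <action-name> <protocol> <server> <username> ********
# Only ftp and sftp take a username/password; tftp actions are skipped.
find_cleartext_backup_creds() {
  awk '
    /^config system automation-action/ { inblock = 1; next }
    inblock && /^end/                   { inblock = 0 }
    inblock && /^[ \t]*edit /           { name = $2; gsub(/"/, "", name) }
    inblock && /execute backup config (s?ftp) / {
      # strip the set script prefix (absent on a multi-line script) and closing quote
      s = $0; sub(/^[ \t]*set script "/, "", s); sub(/"$/, "", s)
      n = split(s, w, " ")
      # w: execute backup config <proto> <file> <server> <user> <password>
      if (n >= 8) printf "%s %s %s %s ********\n", name, w[4], w[6], w[7]
    }' "$1"
}
```

Run it against a real backup with find_cleartext_backup_creds /path/to/backup.conf; the password is masked in the report so the output itself does not leak the credential.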
GUI example:
Go to Security Fabric -> Automation. In the Trigger section, select Schedule. In the Action section, select CLI Script.
Important Note:
When the FTP server is reached through an IPsec VPN:
A scenario to keep in mind is one where the FTP server used to store the backups is at another location and is reached over an IPsec VPN.
In this case, the traffic generated by commands executed on the FortiGate is sourced by default from the WAN or management IP, and that traffic may not be allowed through the tunnel.
To solve this, assign an IP address to the IPsec interface on the source FortiGate and allow the communication [IPsec interface IP] -> [FTP_Server] in the VPN encryption domains (phase 2 selectors) and in the firewall policies on the remote side.
Here is a diagram example:
Configurations for this example:
FortiGate Source:
config vpn ipsec phase1-interface
edit "To-DataCenter"
set interface "port1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw <DataCenter_Public_IP>
next
end
config vpn ipsec phase2-interface
edit "To-DataCenter_FTP"
set phase1name "To-DataCenter"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set src-subnet 10.254.254.254 255.255.255.255
set dst-subnet 192.168.55.0 255.255.255.0
next
end
config system interface
edit "To-DataCenter"
set ip 10.254.254.254 255.255.255.255
set type tunnel
set interface "port1"
next
end
config router static
edit 0
set dst 192.168.55.0 255.255.255.0
set device "To-DataCenter"
next
end
FortiGate Data Center:
config vpn ipsec phase1-interface
edit "To-Fortigate"
set interface "port1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw <FGT_Public_IP>
next
end
config vpn ipsec phase2-interface
edit "To-Fortigate_FTP"
set phase1name "To-Fortigate"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set src-subnet 192.168.55.0 255.255.255.0
set dst-subnet 10.254.254.254 255.255.255.255
next
end
config router static
edit 0
set dst 10.254.254.254 255.255.255.255
set device "To-Fortigate"
next
end
config firewall address
edit "To-Fortigate_remote_subnet_10.254.254.254"
set subnet 10.254.254.254 255.255.255.255
next
edit "To-Fortigate_local_subnet_192.168.55.0/24"
set subnet 192.168.55.0 255.255.255.0
next
end
config firewall policy
edit 0
set name "FTP_AUTOBACKUP"
set srcintf "To-Fortigate"
set dstintf "port4"
set srcaddr "To-Fortigate_remote_subnet_10.254.254.254"
set dstaddr "To-Fortigate_local_subnet_192.168.55.0/24"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
A recommendation for configuring a Linux machine for SFTP:
Port2 is used for Internet connectivity.
Port3 is used for the connection to the Kali Linux machine.
To be able to resolve domain names, execute the following command:
After executing the above command, the following output is received. In that output, add the line 'nameserver 1.1.1.1', as below:
To save the file, press CTRL + O -> Enter. To exit, press CTRL + X.
After the above steps, 'kali.org' will be reachable and DNS will be able to resolve 'kali.org'. Then update the system and install, enable and start the SSH server:
sudo apt update
sudo apt upgrade
sudo apt install ssh
sudo systemctl enable ssh
sudo systemctl start ssh
To check the status of SSH, run the following command:
sudo systemctl status ssh
Create a group for the SFTP users:
sudo addgroup sftp
Create a user or users that will have access to SFTP and write the password by running the following command:
sudo adduser user <- In this example, 'user' is the name of the user.
New password: Fortinet
Retype new password: Fortinet
Full Name: Name Surname
Add the user or users that were just created to the SFTP group:
sudo usermod -a -G sftp user <- 'user' is the name of the user.
Verify the SFTP group by running the following command:
grep sftp /etc/group
Create the chroot directory and the subdirectory that will receive the backups:
sudo mkdir -p /var/sftp/Files
Set the ownership of the directory to the root user:
sudo chown root:root /var/sftp
Change the access permissions of the directory by running the following command:
sudo chmod 755 /var/sftp
Allow access of the 'Files' directory to the user that was created by running the following command:
sudo chown user:user /var/sftp/Files <- 'user' in both cases is the name of the user.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Add the following block at the bottom of the SSH configuration file, as shown in the screenshot:
Match User user
ChrootDirectory /var/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
To save the file, press CTRL + O -> Enter. To exit, press CTRL + X. To confirm that the block was saved, open the file again and scroll to the bottom:
sudo nano /etc/ssh/sshd_config
Restart the SSH service to apply the change:
sudo systemctl restart ssh
List the files received in the backup directory:
find /var/sftp/Files -print -ls
As the output above shows, the backup configuration file is transferred successfully to the Linux machine at the scheduled time.
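As an added example (not from the article), the following POSIX shell functions audit the chroot layout built above: OpenSSH only accepts a ChrootDirectory whose every path component is owned by root and not writable by group or others, which is why /var/sftp is chowned to root with mode 755 while only /var/sftp/Files belongs to the SFTP user. The script checks a directory and all of its parents against that rule; on the Linux machine run check_chroot_path /var/sftp (GNU stat is assumed, with a BSD stat fallback).

```shell
#!/bin/sh
# Print "<uid> <octal mode>" for a path (GNU stat, falling back to BSD stat).
path_owner_mode() {
  stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# Decide whether one path component satisfies OpenSSH's ChrootDirectory rule:
# owned by root (uid 0) and no write bit for group or others.
# Returns 0 when acceptable, 1 otherwise.
chroot_component_ok() {
  uid=$1; mode=$2
  tail=${mode#${mode%??}}          # last two octal digits: group and others
  case $tail in
    *[2367]*) return 1 ;;          # 2, 3, 6 and 7 include the write bit
  esac
  [ "$uid" = 0 ]
}

# Walk from the chroot directory up to /, checking every component.
# Prints the first offending component and returns 1, or returns 0 if clean.
check_chroot_path() {
  start=$1; dir=$1
  while :; do
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(path_owner_mode "$dir")
    if ! chroot_component_ok "$1" "$2"; then
      echo "$dir: uid $1 mode $2 is not an acceptable chroot component"
      return 1
    fi
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
  echo "$start: all components root-owned and not group/other-writable"
  return 0
}
```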
Copyright 2024 Fortinet, Inc. All Rights Reserved.