FortiGate
edyrmishi
Staff
Article Id 359134
Description

This article describes how to send configuration backups from an on-premises FortiGate firewall to Azure Blob Storage using the SSH File Transfer Protocol (SFTP). A step-by-step guide is provided for the Azure configuration part.

Scope

FortiGate

Solution

The following steps allow inbound SFTP connections to an existing Blob Storage account:

Step 1: Enable SFTP support for Azure Blob Storage.

In the Azure portal, navigate to 'Storage Account -> Settings' and select 'SFTP'. Select 'Enable SFTP'.

Note: SFTP support is only available on storage accounts that have the hierarchical namespace feature enabled. Enabling it exposes an SSH endpoint on port 22 of the account's public blob endpoint, so restrict the storage account's network access to the firewall's public IP address where possible.

Step 2: Configure access permissions for SFTP clients.

Create a local user. The SFTP endpoint is accessed with an identity called a local user, which is associated with the storage account and authenticated with either an Azure-generated password or a secure shell (SSH) key pair.

In the Azure portal, navigate to 'Storage Account -> Settings' and select 'SFTP', then select 'Add local user'.

In the 'Add local user' configuration pane, enter the 'Username' and select an authentication method for this user. For this scenario, the 'SSH Password' authentication method is selected.

Note: This password is later passed as a plain-text argument of the FortiGate backup command and stored in the Automation Stitch action, so create a dedicated local user for the firewall and do not reuse the password elsewhere.

Leave the other options at their defaults and navigate to the 'Permissions' pane, where a container must be selected, or created if none is available.

Assign the appropriate permissions to the container. For this scenario, 'All permissions' is selected and the other options are left as default. For a production backup user, grant only what a push-only upload needs, Create and Write (add List if the transfer fails because the client lists the target directory), and leave out Read and Delete, so that a leaked firewall password cannot be used to download or erase the stored configurations.

Select 'Add' to add the local user.

Since the password authentication method is selected for this user, a dialog box with the Azure-generated password will appear after the local user has been added.

Note: Store this password in a password manager or other secure location, as it cannot be retrieved later. If it is lost, it can only be regenerated, which invalidates the previous password.

Navigate to 'Storage Account -> Settings' and select 'SFTP' again. Copy the Connection string of this user locally.

Replace the <CONTAINER_NAME> field with the proper container name, which in this scenario is called 'edtestcontainer'.

The result should look similar to 'edteststorage2024.edtestcontainer.edtestuser@edteststorage2024.blob.core.windows.net', that is, '<storage account>.<container>.<username>@<storage account>.blob.core.windows.net'.

Step 3: Connect to the Azure Blob Storage by using an SFTP client.

Note: If the connection source is an on-premises network, make sure that outgoing TCP port 22 traffic from the FortiGate to the storage account's blob endpoint is allowed by any upstream filtering device.

Run the following command in the FortiGate CLI to send the backup configuration file to the Blob Storage:

# execute backup full-config sftp %%log.devname%%-%%date%%.cfg edteststorage2024.blob.core.windows.net:22 edteststorage2024.edtestcontainer.edtestuser xxxxxxxxxx

Where:

  • 'execute backup full-config' backs up the current saved configuration.
  • 'sftp' specifies the transfer protocol.
  • '%%log.devname%%-%%date%%.cfg' names the backup file with the device name and a date stamp, using Automation Stitch variables.
  • 'edteststorage2024.blob.core.windows.net' is the SFTP server, the part of the connection string after the @ symbol.
  • ':22' is the SFTP port.
  • 'edteststorage2024.edtestcontainer.edtestuser' is the username, the part of the connection string before the @ symbol.
  • 'xxxxxxxxxx' is the SSH password for this user.

 

The output of the script:

[Screenshot: output of the backup command]

Note: If the command is run manually, the variables above are not expanded to the actual device name and date stamp. For them to take effect, the command must be run from an Automation Stitch action on the FortiGate.

Refer to this article on how to send automated backups of the FortiGate configuration via an Automation Stitch:

How to send automated backups of the configuration from a FortiGate with an automation stitch

Note: If an error is received when running the command on the CLI, test the connection from a workstation with an SFTP client such as WinSCP or FileZilla, using the same username and password, to confirm that the Azure configuration is correct before troubleshooting the FortiGate side.

After the Automation Stitch with a daily automated backup at 11:59 PM is configured, a similar output should be visible in the container:

[Screenshot: container listing with the daily backup files]