FortiGate
npaiva
Staff
Article Id 365170
Description

This article describes an issue in a Security Fabric: when an Automation Stitch is used to perform backups over FTP/TFTP/SFTP, the backups do not get a unique filename, so the units in the Security Fabric overwrite each other's file at the server.

Scope

FortiOS.

Solution

Configuration:

config system automation-action
    edit "backup"
        set action-type cli-script
        set script "execute backup config ftp %%date%%.conf 192.168.1.28 fortinet fortinet"
        set execute-security-fabric enable
        set accprofile "super_admin"
    next
end
config system automation-trigger
    edit "min22"
        set trigger-type scheduled
        set trigger-frequency hourly
        set trigger-minute 35
    next
end
config system automation-stitch
    edit "backup"
        set trigger "min22"
            config actions
                edit 1
                    set action "backup"
                    set required enable
                next
            end
    next
end


When this stitch runs, every appliance in the fabric generates the exact same filename, in the format YYYY-MM-DD.conf, so each one overwrites the file at the FTP server.

Example Fabric Root:

2024-12-16 15:22:08 0: set script "execute backup config ftp 2024-12-16.conf 192.168.1.28 fortinet fortinet"
2024-12-16 15:22:08 0: end
2024-12-16 15:22:08 __action_cli_script_open()-186: cli script action:backup is called. svc ctx:0x114599e0
accprof:super_admin script:
execute backup config ftp %%date%%.conf 192.168.1.28 fortinet fortinet

2024-12-16 15:22:09 [show_walker_construct:84] open('/tmp/system.conf.3136.gS0tYi) to save config of 'global'
2024-12-16 15:22:09 0: execute backup config ftp 2024-12-16.conf 192.168.1.28 fortinet fortinet
2024-12-16 15:22:10 __cli_script_close()-121: cli script:
autod.0
output:
########## script name: autod.0 ##########

========== #1, 2024-12-16 15:22:08 ==========
delorean-kvm36 $ execute backup config ftp 2024-12-16.conf 192.168.1.28 fortinet fortinet

Connect to ftp server 192.168.1.28 ...
Please wait...
Send config file to ftp server OK.


Example Fabric downstream member:


2024-12-16 15:22:07 0: set script "execute backup config ftp 2024-12-16.conf 192.168.1.28 fortinet fortinet"
2024-12-16 15:22:07 0: set output-size 0
2024-12-16 15:22:07 0: end
2024-12-16 15:22:07 __action_cli_script_open()-186: cli script action:backup is called. svc ctx:0x10221e00
accprof: script:
execute backup config ftp %%date%%.conf 192.168.1.28 fortinet fortinet

2024-12-16 15:22:07 pid:2055-__handle_msg()-414: Subscriber:4 received package. pubid:1 pkgid:3304 pkg_index:127
2024-12-16 15:22:07 pid:2055-__handle_pkg_logs()-356: Subscriber:4 processing package size:3562 logs:3 pickup:1
2024-12-16 15:22:07 pid:2055-__subscr_close_cur_pkg()-140: close package size:3562 logs:3
2024-12-16 15:22:08 [show_walker_construct:84] open('/tmp/system.conf.20689.3ZpyhA) to save config of 'global'
2024-12-16 15:22:08 0: execute backup config ftp 2024-12-16.conf 192.168.1.28 fortinet fortinet
2024-12-16 15:22:08 __cli_script_close()-121: cli script:
autod.0
output:
########## script name: autod.0 ##########

========== #1, 2024-12-16 15:22:07 ==========
jaguar-kvm13 $ execute backup config ftp 2024-12-16.conf 192.168.1.28 fortinet fortinet

Connect to ftp server 192.168.1.28 ...
Please wait...
Send config file to ftp server OK.

To overcome this issue, use a variable that makes the filename unique per device, such as the hostname of the device (devname):

config system automation-action
    edit "backup"
        set action-type cli-script
        set script "execute backup config ftp %%devname%%-%%date%%.conf 192.168.1.28 fortinet fortinet"
        set execute-security-fabric enable
        set accprofile "super_admin"
    next
end


With this configuration, both the hostname and the date are included in the filename, so each fabric member uploads its own file:

Example Fabric Root:


2024-12-16 15:35:08 0: set script "execute backup config ftp delorean-kvm36-2024-12-16.conf 192.168.1.28 fortinet fortinet"
2024-12-16 15:35:08 0: end
2024-12-16 15:35:08 __action_cli_script_open()-186: cli script action:backup is called. svc ctx:0x1159a260
accprof:super_admin script:
execute backup config ftp %%devname%%-%%date%%.conf 192.168.1.28 fortinet fortinet

2024-12-16 15:35:09 0: execute backup config ftp delorean-kvm36-2024-12-16.conf 192.168.1.28 fortinet fortinet
2024-12-16 15:35:09 pid:2070-__handle_msg()-414: Subscriber:4 received package. pubid:1 pkgid:133 pkg_index:126
2024-12-16 15:35:09 pid:2070-__handle_pkg_logs()-356: Subscriber:4 processing package size:939 logs:2 pickup:2
2024-12-16 15:35:09 pid:2070-__subscr_close_cur_pkg()-140: close package size:939 logs:2
2024-12-16 15:35:10 __cli_script_close()-121: cli script:
autod.6
output:
########## script name: autod.6 ##########

========== #1, 2024-12-16 15:35:08 ==========
delorean-kvm36 $ execute backup config ftp delorean-kvm36-2024-12-16.conf 192.168.1.28 fortinet fortinet

Connect to ftp server 192.168.1.28 ...
Please wait...
Send config file to ftp server OK.


Example Fabric downstream member:
2024-12-16 15:35:07 0: set script "execute backup config ftp jaguar-kvm13-2024-12-16.conf 192.168.1.28 fortinet fortinet"
2024-12-16 15:35:07 0: set output-size 0
2024-12-16 15:35:07 0: end
2024-12-16 15:35:07 __action_cli_script_open()-186: cli script action:backup is called. svc ctx:0x101efe90
accprof: script:
execute backup config ftp %%devname%%-%%date%%.conf 192.168.1.28 fortinet fortinet

2024-12-16 15:35:07 pid:2055-__handle_msg()-414: Subscriber:4 received package. pubid:1 pkgid:3325 pkg_index:127
2024-12-16 15:35:07 pid:2055-__handle_pkg_logs()-356: Subscriber:4 processing package size:1172 logs:1 pickup:1
2024-12-16 15:35:07 pid:2055-__subscr_close_cur_pkg()-140: close package size:1172 logs:1
2024-12-16 15:35:08 0: execute backup config ftp jaguar-kvm13-2024-12-16.conf 192.168.1.28 fortinet fortinet
2024-12-16 15:35:08 __cli_script_close()-121: cli script:
autod.6
output:
########## script name: autod.6 ##########

========== #1, 2024-12-16 15:35:07 ==========
jaguar-kvm13 $ execute backup config ftp jaguar-kvm13-2024-12-16.conf 192.168.1.28 fortinet fortinet

Connect to ftp server 192.168.1.28 ...
Please wait...
Send config file to ftp server OK.
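The check below is an added example; it is not part of the article and not a FortiOS feature. It parses automation-action blocks in the layout shown above, expands the %%devname%% and %%date%% variables for each fabric member the way the logs show, and reports a fabric-wide backup action whose filename template collides across devices. The device names and date come from the logs above; the two config blocks in SAMPLE_CONFIG are constructed (the first is the article's original action, the second its fixed form), and the regular expressions are my assumptions about the config syntax, not a FortiOS API.

```python
import re
from datetime import date

# Constructed sample: the article's original action and its fixed variant
# side by side, in the same FortiOS CLI layout shown above.
SAMPLE_CONFIG = """\
config system automation-action
    edit "backup"
        set action-type cli-script
        set script "execute backup config ftp %%date%%.conf 192.168.1.28 fortinet fortinet"
        set execute-security-fabric enable
        set accprofile "super_admin"
    next
    edit "backup-unique"
        set action-type cli-script
        set script "execute backup config ftp %%devname%%-%%date%%.conf 192.168.1.28 fortinet fortinet"
        set execute-security-fabric enable
        set accprofile "super_admin"
    next
end
"""

# Assumed syntax: one 'edit "<name>" ... next' block per action, with
# 'set <key> <value>' lines inside; values may be double-quoted.
ACTION_RE = re.compile(r'edit "(?P<name>[^"]+)"(?P<body>.*?)\n\s*next', re.S)
SET_RE = re.compile(r'set (?P<key>[\w-]+) (?P<val>"[^"]*"|\S+)')
# The backup command the article uses; tftp and sftp share the same shape.
BACKUP_RE = re.compile(r'execute backup config (?P<proto>ftp|tftp|sftp) (?P<file>\S+)')


def parse_actions(text):
    """Return {action_name: {setting: value}} for every edit block in the text."""
    actions = {}
    for m in ACTION_RE.finditer(text):
        settings = {}
        for s in SET_RE.finditer(m.group("body")):
            settings[s.group("key")] = s.group("val").strip('"')
        actions[m.group("name")] = settings
    return actions


def render(template, devname, day):
    """Expand the two stitch variables the article relies on, as the logs show:
    %%devname%% becomes the hostname, %%date%% becomes YYYY-MM-DD."""
    return template.replace("%%devname%%", devname).replace("%%date%%", day.isoformat())


def find_collisions(actions, fabric_members, day):
    """For each cli-script action that runs fabric-wide and performs a config
    backup, render the filename per member and return the names that more
    than one device would produce (i.e. the files that would be overwritten)."""
    report = {}
    for name, s in actions.items():
        if s.get("action-type") != "cli-script":
            continue
        if s.get("execute-security-fabric") != "enable":
            continue  # runs on one unit only; no cross-device collision possible
        m = BACKUP_RE.search(s.get("script", ""))
        if not m:
            continue  # not a backup command
        produced = {}
        for dev in fabric_members:
            produced.setdefault(render(m.group("file"), dev, day), []).append(dev)
        report[name] = {fn: devs for fn, devs in produced.items() if len(devs) > 1}
    return report


if __name__ == "__main__":
    # Hostnames and date taken from the article's log excerpts.
    members = ["delorean-kvm36", "jaguar-kvm13"]
    for action, clashes in find_collisions(parse_actions(SAMPLE_CONFIG), members, date(2024, 12, 16)).items():
        status = "OK" if not clashes else f"COLLISION {clashes}"
        print(f"{action}: {status}")
```

Running the block prints a collision for "backup" (both members produce 2024-12-16.conf) and OK for "backup-unique"; the same check can be pointed at a full `show system automation-action` dump to audit every fabric-wide backup action at once.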