FortiGate
pdelapena
Staff
Article Id 302405
Description This article describes several troubleshooting methods that can be followed when experiencing SFTP configuration backup issues in FortiGate.
Scope FortiGate.
Solution

Since FortiOS v7.0.1, administrators have the option to back up the configuration file using SFTP.

 

When a manual SFTP configuration backup from the FortiGate CLI fails, or when the same command fails in a CLI script run by an automation stitch, it is recommended to check the items listed in this article.

 

An unsuccessful backup attempt from the FortiGate CLI with wrong credentials fails with a generic error. The same error shows up for connectivity issues between the FortiGate and the SFTP server, and when the SFTP user has insufficient privileges on the server, so the message alone does not identify the cause; work through the checks below in order.

 

  1. Ensure successful connectivity between the FortiGate and the SFTP server. A simple connectivity test can be performed by running telnet from the FortiGate CLI to the SFTP server's IP address and SFTP port number:

execute telnet <IP address or domain name> <SFTP port#>

If the TCP connection is established, the SSH server answers with its identification string (for example 'SSH-2.0-OpenSSH_...'). Seeing that banner confirms that the route, the network path and the SFTP service itself are in place; a timeout or a refused connection means the problem is in the network path or on the server, not in the credentials or the directory permissions.

 

If the SFTP server cannot be reached by telnet, check the following:

  • Verify on the FortiGate that a route towards the destination is in place:

get router info routing-table details <SFTP IP address>

  • Confirm that the SFTP traffic leaves via the expected interface by running the packet sniffer in a second CLI session and simulating the backup while it runs. Verbosity level 4 prints the interface name for each packet:

diagnose sniffer packet any 'host <SFTP IP address> and port <SFTP port#>' 4 0 l

Outgoing SYN packets with no SYN-ACK coming back mean that the server or a device on the path is not answering; no packets at all mean that the FortiGate is not sending them (routing or policy).

  • Track if the traffic is being blocked by any intermediary device (router, firewall, etc.) between the FortiGate and the SFTP server. Make sure that the SFTP service (TCP port 22 by default, or the custom port in use) is allowed along the path to the SFTP server.

 

  2. Follow the correct syntax for the SFTP configuration backup. Make sure that the correct username and password for SFTP server access are used. In the filename argument, include the directory where the file should be saved. If a custom port is used for SFTP, append the port number to the server address; the default SFTP port is TCP port 22.

execute backup config sftp </directory/filename> <SFTP server>[:<SFTP port>] <username> <password>

The password is passed as a plain positional argument and is visible in the CLI session, so a dedicated, low-privilege SFTP account should be used for backups. A successful attempt ends with a confirmation that the config file was sent to the SFTP server; an example of the successful CLI output is shown below.

 

  3. The SFTP server user used in the config backup command must have sufficient privileges in the directory where the backup will be saved. This is very important when the user is a non-root user. In this example, SolarWinds is employed as an SFTP server; the two scenarios below use a Unix-style SFTP server with a non-root user.

 

Here are two scenarios where a non-root user 'testpau6' is used for the SFTP configuration backup:

Scenario A:

User 'testpau6' is the owner of the /home/testpau6 directory. The owner permission for /home/testpau6 is 'rwx', so user 'testpau6' can successfully send the backup config to that directory. The backup of fgt.conf in /home/testpau6 succeeds.

Scenario B:

User 'testpau6' was added to the 'root' group. User 'root' is the owner of the /backup directory, and the directory's group is also 'root'. The group permission for /backup is 'rwx', so user 'testpau6' can successfully send the backup config to that directory once it is a member of the 'root' group. The backup of fgt.conf in /backup succeeds.

Note that membership of the 'root' group gives 'testpau6' the group permissions on every file and directory owned by group 'root' on the server, not only on /backup. A dedicated backup group that owns /backup, or making the backup user the owner of the directory as in scenario A, gives the same result with less privilege. In both cases, what the SFTP user needs in order to create the backup file is 'w' and 'x' permission on the directory.

 

  4. After confirming the user account permissions and the backup path, if the backup still fails with a similar error message, confirm the full backup path of the backup directory on the SFTP/TFTP server. In the two attempts below, the relative path in the first command is the only difference between the failed and the successful backup.
 

Output without the full backup path: 

 

execute backup full-config sftp FortigateBackup/test_backup.conf 10.10.10.1:3597 TestUser <password>
Please wait...
Connect to sftp server 10.10.10.1:3597 ...
Send config file to sftp server via vdom root failed.
Command fail. Return code -1

 

Output with the full backup path: 

 

execute backup full-config sftp /share/CACHEDEV1_DATA/FortigateBackup/test_backup.conf 10.10.10.1:3597 TestUser <password>
Please wait...
Connect to sftp server 10.10.10.1:3597 ...

Send config file to sftp server OK.

 

In some scenarios, when the routing table has multiple available paths to the SFTP server, the configuration backup via SFTP may work from the CLI but fail with an error when executed through an automation stitch.
To work around this issue, create a more specific route to the SFTP server and ensure there is no asymmetric routing between the FortiGate and the SFTP server.

 

Note

An FTP backup works without the complete directory path, but an SFTP or TFTP backup requires the full path on the server; with a relative path the transfer fails, as shown in the output above.
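The checks above, gathered into one script as an added example that is not part of the original article or of FortiOS. It uses Python on a Linux admin host (or on the SFTP server itself for the permission check): the banner test replaces the telnet connectivity check, the command builder enforces the full-path requirement and the backup command syntax, and can_create_file() applies the POSIX owner/group/other rule behind scenarios A and B. The SFTP server is replaced by a constructed local stub that only sends an SSH banner, and the host 10.10.10.1, port 3597, the user 'testpau6' with uid/gid 1001, the account 'backupuser' and the /backup and /home/testpau6 directories are assumed placeholders.

```python
# Added example for this article, not Fortinet/FortiOS code: pre-flight checks
# for a FortiGate SFTP backup, run from a Linux admin host or on the SFTP server.
# Hosts, ports, user names, uids and paths below are placeholders.
import os
import socket
import stat
import threading


def ssh_banner(host, port=22, timeout=5.0):
    """The 'execute telnet <host> <port>' connectivity test.

    An SSH identification string such as 'SSH-2.0-OpenSSH_9.6' proves the
    route, the path and the SSH/SFTP service are all in place; a timeout or
    refused connection raises OSError and points at routing or filtering,
    not at credentials or directory permissions.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    banner = data.decode("ascii", errors="replace").strip()
    if not banner.startswith("SSH-"):
        raise OSError(f"{host}:{port} answered without an SSH banner: {banner!r}")
    return banner


def fake_ssh_server(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Constructed stand-in for the SFTP server so the example runs offline:
    accepts one connection on 127.0.0.1, sends only the banner and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def backup_command(path, host, user, password, port=22, full=False):
    """Build the CLI line and refuse a relative path.

    SFTP (and TFTP) backups need the full directory path on the server.
    The password is a positional argument shown in clear text in the CLI
    session, so use a dedicated low-privilege SFTP account for backups.
    """
    if not path.startswith("/"):
        raise ValueError(f"SFTP backup path must be absolute, got {path!r}")
    target = host if port == 22 else f"{host}:{port}"
    kind = "full-config" if full else "config"
    return f"execute backup {kind} sftp {path} {target} {user} {password}"


def can_create_file(dir_mode, dir_uid, dir_gid, uid, gids):
    """The POSIX rule behind scenarios A and B: creating a file needs write
    and search (x) on the directory, taken from the owner bits if the user
    owns it, else the group bits if the directory's group is one of the
    user's groups, else the 'other' bits.  uid 0 bypasses the check."""
    if uid == 0:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_mode & need) == need


def user_can_write_dir(directory, username):
    """Apply can_create_file() to a real directory and account on the SFTP
    server (Linux only: needs the pwd module and os.getgrouplist)."""
    import pwd
    pw = pwd.getpwnam(username)
    st = os.stat(directory)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return can_create_file(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    port = fake_ssh_server()
    print("banner:", ssh_banner("127.0.0.1", port))
    print(backup_command("/backup/fgt.conf", "10.10.10.1", "backupuser", "<password>", port=3597))
    # Scenario A: testpau6 (uid/gid 1001 assumed) owns /home/testpau6, mode rwx------.
    print("scenario A:", can_create_file(0o700, 1001, 1001, 1001, {1001}))
    # Scenario B: /backup is root:root with group rwx, testpau6 also in group root.
    print("scenario B:", can_create_file(0o770, 0, 0, 1001, {1001, 0}))
    # Same directory without the group membership: the backup fails.
    print("no group:  ", can_create_file(0o770, 0, 0, 1001, {1001}))
```

Run the script as-is for the offline demonstration; point ssh_banner() at the real server from the admin host, and call user_can_write_dir('/backup', 'testpau6') on the SFTP host to check the actual directory and account. The stub server only shows that the checks work; it does not validate credentials, which only the real backup command run on the FortiGate can do.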

 

Refer to the following article for SFTP backup via an IPsec site-to-site VPN: Technical Tip: Configure automation backup over IPsec-tunnel.

 

Related articles:

Technical Tip: Backup of configuration file from CLI using FTP

Technical Tip: How to send automated backups of the configuration from a FortiGate with an automatio...

Technical Tip: Automated configuration backups with variable names based on the date