FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 379397
Description This article describes how to resolve a 'Connection error' or 'Authentication error' reported by third-party software that connects to the FortiGate to run a backup, even when the username and password it uses are correct.
Scope FortiGate.
Solution

Software that runs a backup of the FortiGate commonly follows a simple script with the following logic and steps:

  1. Opens an SSH session (port 22 by default, or another configured port).
  2. Once the connection is established, authenticates with a username and password.
  3. Once authentication succeeds, runs 'show full-configuration' (or another command from its script) to extract the complete configuration of the FortiGate.
  4. Once the full configuration has been printed in the SSH session, saves the session output as the configuration 'Backup File'.
  5. Closes the session.

 

After steps 2 and 3, the software runs its script, and if the session does not proceed in a 'clean' way (the term is explained below), the script fails and the software may report a 'Connection error' or an 'authentication error' even though the credentials are valid.

 

If an error of this nature is experienced, take the following steps:

 

  • Make sure the software session and the FortiGate have a 'clean' two-way exchange so the script can run successfully. 'Clean' means no extra interaction appears that the script does not expect. A feature such as the 'Login disclaimer' adds exactly such a step: after login, the disclaimer must be accepted by clicking Accept (GUI post-login) or by typing 'a' (SSH) before the CLI becomes available, and the software's script does not recognize this step.

If this is the case, the banners are enabled or disabled with the following commands (the values shown enable both banners; use 'disable' in place of 'enable' to turn them off):

config system global
    set pre-login-banner enable
    set post-login-banner enable
end

To avoid this issue, disable the banners so that nothing interrupts the flow of the session and the software's internal script runs as expected.
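The flow in the numbered steps above, with the post-login banner handled as an extra step, as an added Python example (not Fortinet's code or any backup product's): the SSH channel is replaced by a constructed in-memory stand-in, and the banner wording "(Press 'a' to accept):" and the "HOST # " prompt format are assumptions. Running the same flow without the extra step shows how the script stalls and the tool ends up reporting an error.

```python
import re

ACCEPT_RE = re.compile(r"'a' to accept")   # assumed post-login banner marker
PROMPT_RE = re.compile(r"\n?\S+ # $")       # assumed FortiOS CLI prompt "HOST # "
BANNER = "Unauthorized access prohibited.\n(Press 'a' to accept):"  # constructed


class FakeFortiGateSession:
    """Constructed stand-in for an authenticated SSH channel to a FortiGate."""

    def __init__(self, banner=True):
        self.buf = BANNER if banner else "FGT-01 # "
        self.banner_pending = banner

    def read(self):
        out, self.buf = self.buf, ""
        return out                      # empty string models a read timeout

    def write(self, data):
        if self.banner_pending:
            if data == "a":             # only 'a' dismisses the disclaimer
                self.banner_pending = False
                self.buf += "\nFGT-01 # "
            return                      # any other input is swallowed here
        if data.strip() == "show full-configuration":
            self.buf += 'config system global\n    set hostname "FGT-01"\nend\nFGT-01 # '


def read_until(chan, pattern, max_reads=10):
    """Accumulate channel output until pattern matches or reads run out."""
    data = ""
    for _ in range(max_reads):
        data += chan.read()
        if pattern.search(data):
            return data
    raise TimeoutError("expected prompt never arrived")


def backup(chan, accept_banner=True):
    """Return the configuration text, or None where a backup tool would error."""
    try:
        first = read_until(chan, re.compile(r"'a' to accept|\S+ # $"))
        if ACCEPT_RE.search(first) and accept_banner:
            chan.write("a")             # the extra step the article describes
            read_until(chan, PROMPT_RE)
        chan.write("show full-configuration\n")
        out = read_until(chan, PROMPT_RE)
        return PROMPT_RE.sub("", out).strip()
    except TimeoutError:                # surfaces as 'Connection error' in the tool
        return None
```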

Another cause is two-factor authentication (2FA) on the account created for the backup software. The plain script these tools use usually cannot handle a code sent to the user's email, so the session stalls at that prompt in the same way. Avoid enabling 2FA on the dedicated account the backup software uses.