FatalHalt
Contributor II

Backup over SCP

I'm trying to figure out how to back up over SCP. I've enabled 'admin-scp' in config sys global, but am now trying to actually figure out how to use it. Anyone able to get me started? Thanks.
3 Solutions
FatalHalt
Contributor II

Sorry to bump this thread, but been running into some issues. 

 

Is it just me, or are the backups you get from SCP not the full backup of the device? I've only just noticed this now that I'm doing some analytics on the files themselves, but they aren't even close to full. On one device, a full backup from the GUI gets me a file with 40,000 lines. A scp backup using sys_config is just shy of 2,200. It doesn't have any vdoms. It's almost useless. 

 

Is there a different command other than sys_config (or fgt-config) to get a proper, full backup?


Elthon_Abreu

nbctcp wrote:

Ethon,

Can you please show me the steps

 

nbctcp,

 

I've attached the script for you. You can change according to your needs.

 

PS.: Script only for Windows OS.

Elthon Abreu FCNSA v5

31 REPLIES
Holy

Hello,

 

How to set a password for a backup user in this script?

 

thank you

 

 

Elthon_Abreu


Holy,

 

I've used a *.pub key file for best security.

Elthon Abreu FCNSA v5

Holy

Hello,

 

Thank you for the quick answer.

And how can I make such a *.pub key? And how do I set it up for the backup user to authenticate?

 

Thank you in advance

 

Elthon_Abreu

Holy,

 

I've used the PuTTY Key Generator (look in "ProgramFiles\PuTTY" if you have PuTTY installed). There is a variable "Key" in the script file. To create the user "bkp" you can use the config below:

 

config system admin
    edit "bkpusr"
        set trusthost1 "backup IP address only - for best security"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhIasKun...."
        set password ******
    next
end

 

Best regards

Elthon Abreu FCNSA v5

Holy

Hello,

 

So in that case the user will use either ssh-public-key or password for authentication?

What if I want to use only a password? What would be the parameter to set in your script?

 

set=password ?

 

Thank you

 

 

mike_dp
New Contributor

You should only use the public key.

 

Did anyone figure out how to get the whole config with SCP for multiple vDoms?

I get the whole config of my FGTs that have only one vDom but I also have two 300D in cluster A-A with 2 vDoms and I only get the config of one vDom with either fgt-config or sys_config.

 

Thank you,

Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6

FortiAnalyzer, ForticlientEMS

mike_dp

I got an answer from TAC. I have to use a read-write user in order to have the whole config with multiple vDoms. The read-only user doesn't have access to the global mode therefore can't get the whole config.

Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6

FortiAnalyzer, ForticlientEMS
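
A way to catch the partial pulls described in this thread (a file with no global section or with VDOMs missing) before the backup is archived. This is an added example, not code from any poster or from Fortinet; the header fields, the unindented "edit" convention, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a FortiGate backup file pulled over SCP.
# Assumed layout (not from the thread): line 1 is "#config-version=..." and
# carries ":vdom=1:" on multi-VDOM units; VDOM names are the unindented
# "edit" lines; device-wide settings sit under a top-level "config global".

fgt_vdoms() {            # distinct VDOM names, one per line
    awk '/^edit / { n = $2; gsub(/"/, "", n); print n }' "$1" | sort -u
}

fgt_backup_status() {    # prints: invalid | single | partial | full
    header=$(head -n 1 "$1")
    case $header in
        '#config-version='*) ;;
        *) echo invalid; return 0 ;;
    esac
    case $header in
        *:vdom=1:*) ;;
        *) echo single; return 0 ;;
    esac
    if grep -q '^config global' "$1" && [ -n "$(fgt_vdoms "$1")" ]; then
        echo full
    else
        echo partial     # header says multi-VDOM, but global or VDOM bodies absent
    fi
}

fgt_missing_vdoms() {    # usage: fgt_missing_vdoms FILE NAME...
    file=$1; shift
    found=$(fgt_vdoms "$file")
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$want" || echo "$want"
    done
}

write_samples() {        # constructed sample backups, written into directory $1
    hdr='#config-version=FGT-SAMPLE:opmode=0:vdom=1:user=bkpusr'
    printf '%s\n' "$hdr" 'config vdom' 'edit root' 'next' 'edit custB' 'next' 'end' \
        'config global' 'config system global' '    set admin-scp enable' 'end' 'end' \
        'config vdom' 'edit root' 'config system settings' 'end' 'end' \
        'config vdom' 'edit custB' 'config system settings' 'end' 'end' > "$1/full.conf"
    printf '%s\n' "$hdr" 'config vdom' 'edit root' \
        'config system settings' 'end' 'end' > "$1/partial.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/*.conf; do echo "${f##*/}: $(fgt_backup_status "$f")"; done
rm -rf "$tmp"
```

Run fgt_backup_status on each file right after the scp pull and pass the VDOM names you expect to fgt_missing_vdoms; any output from the latter means the account used for the pull did not see the whole device.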

emnoc
Esteemed Contributor III

Well, for me the fgt-config pulls the complete configs (full) with vdoms.

 

scp  <myuser>@1.1.1.1:fgt-config ./

 

So anything with fgt-config in the name will pull the full cfg.

 

e.g. (using fgt-config2; the 2 doesn't matter ;) )

 

 

scp -P 2022 admin@10.10.80.1:fgt-config2 ./
admin@10.10.80.1's password:
fgt-config                                    100%  371KB  37.1KB/s   00:10

 

 

So anything with  fgt-config or sys_config no matter what the spelling works.

 

kfelix$ scp -P 2022 admin@10.10.80.1:custB/sys_config ./
admin@10.10.80.1's password:
sys_config                                                            100%  371KB  33.7KB/s   00:11

kfelix$ scp -P 2022 admin@10.10.80.1:sys_config-blhblhlah  ./
admin@10.10.80.1's password:
sys_config                                                            100%  371KB  37.1KB/s   00:10

 

Ken

PCNSE 

NSE 

StrongSwan  

nbctcp
New Contributor III

I just did that using pscp in Windows

https://nbctcp.wordpress....kup-config-using-pscp/

 


http://goo.gl/lhQjmU http://nbctcp.wordpress.com
nbctcp
New Contributor III

IMHO both sys_config and fgt-config are not a FULL BACKUP

Both sys_config and fgt-config are the same files

 

Here is how to test

in Forti CLI

# show full-configuration | grep ssh-public-key1
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhgCSKwiNYG7YDE0QUm2mefS8oq89dvms1+ArW/vRZ2j2AIl9a/NRMIK7whvUstVWD60HVWcGAlzpIYnCMZm3d82xifCJgSsi2QamWKzvHG27EPmn2KmXJTFdINcvK60tih89ebxGN3sPX3nv/LlyX5p3gmvcGyW019ipTEo5zFN0aMYSrkg5Xiuw3xFZhGYgNxRpSLNf1IwGcacTq+XMx58kic1QRNEnqgUrmIM1ODLpfaWm3ecq6NVTfa2UcIjPQXaweFpEgtViN5rtOi+z0oE7wm1RpbA+bM6vHeJHlBsigFqa/0Z9EY2DXtYwCM+IYzgXWF6zxtloAixDQrqi3w=="

I didn't get any "ssh-public-key1" result from sys_config, fgt-config or (GUI/admin/Configuration/Backup) backup result

QUESTIONS: 1. any other method to do full config backup

 

UPDATE1:

-this method got full backup

# execute backup full-config tftp clifull.bak 10.0.1.1

 

tq

http://goo.gl/lhQjmU http://nbctcp.wordpress.com