Hello to you all,
I want to get regular backups using SCP, but Fortinet doesn't seem to support backing up to SCP.
=================================
FW # execute backup config ?
ftp                   Backup config file to ftp server.
management-station    Backup config file to management station.
tftp                  Backup config file to TFTP server.
usb                   Backup config file to USB disk.
usb-mode              Backup config file for USB mode.
FW # execute backup config
====================================
Firmware version is 5.2
-----------------------------
config system global
    set admin-scp enable
end
-------------------------------
There is an SCP enable setting, but it seems to be unavailable for backup purposes.
Please let me know if there is a regular SCP backup method using FortiGate and other tools.
Thanks.
There is basically a way to draw a backup via scp once admin-scp is enabled and ssh is allowed on the FGT's target interface.
You could use some scp client to do it.
With the onboard (Open)scp client in Linux it works like this:
scp admin@<FortiGate_IP>:sys_config <target>
Since the client initiates the scp transfer, it would be on the client to set that up to run periodically. In Linux this can e.g. be done with a cronjob.
The FortiGate could periodically do the opposite direction. It is capable of at least transferring a config to an ftp or tftp server. You could make this periodic by using it in a script that is scheduled.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Agreed
Do a search here and numerous examples are demoed here. The sys_config is loose since anything with cfg in the name seems to work. Alternatives to SCP are the API interface and calling out the backup. Great for environments where ssh tcp/22 is blocked or not allowaccess.
Ken Felix
PCNSE
NSE
StrongSwan
Hello,
No matter which profile I assign to the user (read-write full, or read-all + system read-write as recommended in a recent article for v7.4.4+), I am constantly getting a "501-permission denied" from the FortiGate. I experience the same on 100F or 60F, no matter the version, 7.2.11 or 7.4.8 (it also showed the same behaviour with 7.0.xx, but was working in previous releases 6.xx and earlier).
Private key or password does not change the final answer.
The user can manually connect to the FGT and run various commands.
[adm@adminvm~]# scp -i /adm/.ssh/id_ed25519 -P 2222 backup_configuration@192.168.1.1:sys_config /backup/config-firewall-date.conf
501-Permission Denied
What I believe is that the config file name changed, or another setting.
set admin-scp is enabled: yes
Port interface has SSH authorized: yes
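
As an added example (not part of the thread and not any poster's code): a cron-driven wrapper around the `scp ...:sys_config` pull discussed above that stores a download only if it looks like a real configuration, so an error reply such as `501-Permission Denied` never passes for a backup. The host, account, paths, retention count and the `#config-version=` first-line check are assumptions to adapt.

```shell
#!/usr/bin/env bash
# Added example: pull the FortiGate config over SCP and keep it only if it validates.
set -u

FGT_HOST="${FGT_HOST:-192.0.2.1}"         # placeholder address (TEST-NET-1)
FGT_USER="${FGT_USER:-backup_user}"       # hypothetical dedicated backup account
FGT_PORT="${FGT_PORT:-22}"
KEY="${KEY:-$HOME/.ssh/id_ed25519}"       # assumed key path
BACKUP_DIR="${BACKUP_DIR:-/backup/fortigate}"
KEEP="${KEEP:-30}"                        # number of backups to retain

# Assumption: a real backup is non-empty and its first line starts with
# "#config-version=". Anything else (e.g. an error message) is rejected.
is_valid_config() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^#config-version='
}

# Delete all but the newest $2 backups (by modification time) in directory $1.
rotate_backups() {
    ls -1t "$1"/fgt-*.conf 2>/dev/null | tail -n +"$(( $2 + 1 ))" |
        while IFS= read -r f; do rm -f -- "$f"; done
}

backup_once() {
    umask 077                             # config holds hashes and keys: owner-only
    mkdir -p "$BACKUP_DIR" || return 1
    tmp="$(mktemp "$BACKUP_DIR/.incoming.XXXXXX")" || return 1
    final="$BACKUP_DIR/fgt-$(date +%Y%m%d-%H%M%S).conf"
    # BatchMode makes scp fail instead of prompting when run from cron;
    # StrictHostKeyChecking refuses a firewall whose host key is unknown or changed.
    if scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
           -i "$KEY" -P "$FGT_PORT" \
           "$FGT_USER@$FGT_HOST:sys_config" "$tmp" && is_valid_config "$tmp"; then
        mv -- "$tmp" "$final" && rotate_backups "$BACKUP_DIR" "$KEEP"
    else
        rm -f -- "$tmp"                   # never keep a partial or error file
        echo "FortiGate backup from $FGT_HOST failed" >&2
        return 1
    fi
}

# Transfer only when called with "run" (e.g. from cron), not when sourced or tested.
if [ "${1:-}" = "run" ]; then backup_once; fi
```

A crontab entry such as `15 2 * * * /usr/local/bin/fgt-backup.sh run` (path hypothetical) schedules the pull, and the non-zero exit status on failure lets cron mail or a monitoring check flag a missed backup.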
 
					
				
				
			
		
Copyright 2025 Fortinet, Inc. All Rights Reserved.