Hello everybody,
We did the backups of our Fortigate Firewalls with scp (pscp.exe -scp -batch -pw password user@0.0.0.0:fgt-config /target/folder) and a scheduled task on a Windows server.
This was working like a charm.
We upgraded one Firewall (60F) from FortiOS version 7.2.8 to version 7.4.4 and we recognized that the backup script is no longer working.
There is no error or anything like that - also if we execute it manually it looks like it is working but no file is stored in the target folder.
Were there any changes in 7.4.4 that scp is no longer working or is it a bug?
I can't find anything in the release notes. Connecting to the firewall via SSH is working as usual.
Any information on that or any hint to get it running again?
Thank you.
Best regards
René
Could it be that there was a Windows server upgrade which caused the OpenSSH version to upgrade to 9.0, which uses SFTP by default instead of SCP? Fortigate does not yet support the SFTP protocol.
You can check the OpenSSH version for Windows using "ssh -V" on the command line.
Hi @RenePilz ,
The SCP should work in 7.4.4: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/702257#SCP
As mentioned by my colleague, the issue might be due to the fact that OpenSSH is using version 9.0 and connects using the SFTP protocol by default.
Workaround: use the -O flag to force OpenSSH to use the older scp protocol.
Best regards,
Thank you @fricci_FTNT and @mpapisetty.
We are using pscp, the SCP client from PuTTY (version 0.81, also a previous version was not working), and not OpenSSH on the server directly - that means there is no OpenSSH 9.0 and with pscp there is also no -O option as far as I know.
Windows updates were installed but as we don't use OpenSSH it should be no issue I think.
Any other ideas?
I just tested with PSCP on my Windows machine and can confirm that the backup works just fine. I would recommend you try manually with verbose and logging enabled to see if that gives any hints.
Try this format -
pscp.exe -v -scp -sshrawlog log.txt -pw password user@0.0.0.0:fgt-config /target/folder
Review or attach the terminal output along with the log.txt to give a better idea on what the problem is. Hope this helps.
Also make sure the command enabling SCP is still present in the Fortigate config:
config system global
    set admin-scp enable
end
We were also copying via scp using the read-only profile and after updating it started to fail.
When testing with a super_admin user it worked!
We created a custom profile with read and write in "Administrator users" and everything else in "none".
Dear,
Please check the backup. It was not complete.
Adjust the user permissions.
Regards
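
As an added example (not part of any post in this thread, and not Fortinet or PuTTY code): a PowerShell wrapper for the scheduled task that makes the two failures reported above visible, pscp finishing without writing a file and a backup that is incomplete after a permission change. The host, user, folder, the FGT_BACKUP_PW environment variable, the 50% size threshold and the expectation that a FortiGate backup starts with a "#config-version=" line are assumptions of this example.

```powershell
# Added example: run the pscp backup from the thread, then verify the result.
param(
    [string]$FgtHost   = '192.0.2.1',             # placeholder address
    [string]$User      = 'backup-user',           # placeholder account
    [string]$TargetDir = 'C:\Backups\fortigate',  # placeholder folder
    [string]$Pscp      = 'pscp.exe'
)

# Assumption: the password is provided to the task in this environment
# variable instead of being written into the script.
$password = $env:FGT_BACKUP_PW
if (-not $password) { Write-Warning 'FGT_BACKUP_PW is not set'; exit 2 }

$started = Get-Date
$target  = Join-Path $TargetDir ("fgt-config_{0:yyyyMMdd-HHmmss}.conf" -f $started)

# Same options as in the thread: force the SCP protocol, never prompt.
& $Pscp -scp -batch -pw $password "${User}@${FgtHost}:fgt-config" $target
$problems = @()
if ($LASTEXITCODE -ne 0) { $problems += "pscp exit code $LASTEXITCODE" }

if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    # The symptom from the first post: no error shown, but no file either.
    $problems += "no file was written to $target"
} else {
    $file = Get-Item -LiteralPath $target
    if ($file.Length -eq 0) { $problems += 'backup file is empty' }

    # Assumption: a full configuration backup begins with this header line.
    $first = Get-Content -LiteralPath $target -TotalCount 1
    if ($first -notlike '#config-version=*') {
        $problems += 'first line is not a #config-version= header'
    }

    # A backup much smaller than the previous one can indicate an incomplete
    # file, e.g. after an admin profile change. The 50% threshold is arbitrary.
    $prev = Get-ChildItem -LiteralPath $TargetDir -Filter 'fgt-config_*.conf' |
        Where-Object { $_.FullName -ne $file.FullName } |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if ($prev -and $file.Length -lt 0.5 * $prev.Length) {
        $problems += "size $($file.Length) is under half of $($prev.Name)"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning "FortiGate backup check: $_" }
    exit 1   # non-zero result shows up as a failed run in Task Scheduler
}
Write-Output "Backup OK: $target"
```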