Created on 03-11-2015 05:11 AM Edited on 09-18-2024 09:19 PM By Anthony_E
Description
Scope
Periodic backup allows recovery in the event of a unit failure, unit replacement or maintenance such as disk formatting, RAID rebuilding, or resetting configuration to the factory default.
In a planned (non-emergency) replacement or upgrade of a FortiAnalyzer, log aggregation (also known as log forwarding) from an old to a new unit is an alternative to using log restore.
Solution
Backing up Logs, Reports, and Settings (Configuration).
To back up both logs and associated DLP archive files:
execute backup logs <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
Examples to back up both logs and associated DLP archive files by Device Name.
execute backup logs FortiGate1 ftp 192.168.170.10 test1 test1 /
execute backup logs FortiGate2 ftp 192.168.170.10 test1 test1 /
To back up logs only:
execute backup logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
Examples to back up logs only by Device Name.
execute backup logs-only FortiGate1 ftp 192.168.170.10 test1 test1 /
execute backup logs-only FortiGate2 ftp 192.168.170.10 test1 test1 /
To Backup Reports:
execute backup reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
Examples to back up Reportes only by Report Name:
<report name(s)> Report name(s) separated by ',' or 'all' for all reports.
all Backup all reports
<report name pattern> Backup reports with names containing given pattern.
A '?' matches any single character.
A '*' matches any string, including the empty string, e.g.:
foo : for exact match
*foo : for report names ending with foo
foo* : for report names starting with foo
*foo*: for report names containing foo substring
execute backup reports Test_Report ftp 192.168.170.10 test1 test1 /
execute backup reports Test_* ftp 192.168.170.10 test1 test1 /
To Backup the FortiAnalyzer Unit Settings to an FTP, SFTP, or SCP server:
When the unit settings are backed up from the vdom_admin account, the backup file contains global settings and the settings for each VDOM.
When the unit settings are backed up from a regular administrator account, the backup file contains the global settings and only the settings for the VDOM to which the administrator belongs.
execute backup all-settings {ftp | sftp} <ip> <string> <username> <password> <crptpasswd>
execute backup all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>
To check the backup progress:
diagnose test app uploadd 6
Restoring Logs, Reports, and Settings (Configuration).
To restore FortiAnalyzer settings, it is recommended to do this before restoring logs.
This is to ensure that the quotas/log retention policy is properly set before the logs are restored.
To Restore FortiAnalyzer Unit Settings:
execute restore all-settings {ftp | sftp} <ip> <string> <username> <password> <crptpasswd>
execute restore all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>
To Restore All Logs:
execute restore logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
Examples to back up logs only by Device Name.
execute restore logs-only FortiGate1 ftp 192.168.170.10 test1 test1 /
execute restore logs-only FortiGate2 ftp 192.168.170.10 test1 test1 /
To Restore Reports:
execute restore reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>
Examples to restore Reportes only by Report Name.
<report name(s)> Report name(s) separated by ',' or 'all' for all reports.
all Backup all reports
<report name pattern> Backup reports with names containing given pattern.
A '?' matches any single character.
A '*' matches any string, including the empty string, e.g.:
foo : for exact match
*foo : for report names ending with foo
foo* : for report names starting with foo
*foo*: for report names containing foo substring
execute restore reports Test_Report ftp 192.168.170.10 test1 test1 /
execute restore reports Test_* ftp 192.168.170.10 test1 test1 /
Example and verifying of the backup.
How to create the configuration backup from the GUI:
The logs are not included in this backup. Go under System Settings -> Dashboard -> System Information widget.
When the backup is successful, it is possible to find the MD5 hash from the System Settings -> Event Log.
Using the CLI:
execute backup all-settings ftp 10.109.21.220 / test1 test1
Starting backup all settings in background, please wait.
# Starting transfer the backup file to FTP server...
Transferred 139.237M of 139.237M in 0:00:00s (178.065M/s)
Backup all settings...Ok.
MD5: 635f75d00009242f37684cf0e6018b83
First, start the backup. The name of the backup is created by the system. When the backup is successful MD5 hash has been generated.
Then it is possible to use the native tools under Linux/GNU distributions and Windows as shown below to check the integrity of the file.
Under Windows Power shell:
PS C:\Users\fortinet\Downloads> Get-FileHash -Algorithm MD5 .\fmg_clibackup.dat
Algorithm Hash Path
--------- ---- ----
MD5 635F75D00009242F37684CF0E6018B83 C:\Users\fortinet\Downloads\f...
Under Linux:
# md5sum fmg_clibackup.dat > fmg_clibackup.dat.md5sum
# cat fmg_clibackup.dat.md5sum
635f75d00009242f37684cf0e6018b83 fmg_clibackup.dat
By enabling the encryption or disabling the encryption during the config file backup, the final checksum value will be different.
Note:
Since v. 7.4.2 in both FortiManager and FortiAnalyzer the backup is encrypted by default.
Related documents:
Technical Tip: Items included in the backup config file
Technical Note: How to check SQL Database rebuild progress on FortiAnalyzer
Technical Note: Forwarding logs between FortiAnalyzers
Technical Tip: How to migrate a FortiAnalyzer logs and config to a new system
Technical Tip: How to reduce FortiManager config backup size (.dat file)
Administration Guide: Backing up the system
Docs: Extended JSON API to support the FortiManager backup operation 7.2.3
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.