FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Benoit_Rech_FTNT

Purpose

 

The purpose of this article is to explain how to backup the FortiGate Configuration with Kiwi CatTools, starting with FortiOS 4.0 MR3 Patch11 (4.2.11) and FortiOS 4.0 MR3 Patch4 (4.3.4).


Scope

 

Starting from FortiOS 4.0 MR2 Patch11 (4.2.11) and FortiOS 4.0 MR3 Patch4 (4.3.4), Kiwi CatTools is not able to parse the configuration fetched from the FortiGate.

The error "Failed to receive '#config' line in device config file" is returned.

This is because Kiwi CatTools relies on "show" and "show full-configuration" commands to backup the configuration, which is not the method recommended by Fortinet.

With older firmware releases, typing "show" in the CLI will return the first 3 or 4 (depending on the firmware version) "header lines", of which the first starts with #config-version ...

Fortinet recommends to use the "exec backup" CLI command to perform backups.


Diagram

Expectations, Requirements

    • FortiOS 4.0 MR2 Patch 11 (4.2.11) or later
    • FortiOS 4.0 MR3 Patch 4 (4.3.4) or later


Configuration

According to the Kiwi documentation, it is recommended to backup configuration files by using the "Device.Backup.Running_config" activity.  However, this command uses a "show" or a "show full-configuration" command on the FortiGate, which does not work as expected on the FortiGate, starting from FortiOS 4.2.11 and FortiOS 4.3.4.

The solution is to use the "Device.Backup.TFTP" activity. The full documentation of this activity is available at the following URL:

http://www.kiwisyslog.com/help/cattools/index.html?act_devbackupftp.htm

Basically, it will

1) Connect to the FortiGate, using telnet or ssh

2) Execute "exec backup tftp ....." on the FortiGate

The 'File to write to TFTP server' field must be configured in the activity Options tab; for example "config" or alternatively "full-config".