FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff
Description
This article describes how to enable SCP download/upload on the FortiGate unit and use typical SCP client programs.
A user can use the secure copy (SCP) protocol to download the configuration and  upload firmware file from FortiGate units running FortiOS 4.0 MR3 or later.

Solution
Step 1: Enable SCP:
From CLI:
# config system global
    set admin-scp enable
   end
Step 2: Enable SSH access on the interface.
- SCP uses SSH protocol to provide secure file transfer. The interface you use for administration must allow SSH access.
From GUI:
- Go to System -> Network -> Interface.
- Select the Edit icon for the interface use for administrative access.
- In the Administrative Access section, select the SSH check box.
- Select 'OK'.

From CLI: 
- Add ssh to the allowaccess setting.

# config system interface
edit <interface name>
 append allowaccess ssh
end

Step 3: Confirm FortiGate SSH Port.
- Default is ssh port 22. If you are using different SSH Port, you add "-P <SSH_Port>" to the SCP commands.
# show full-configuration | grep admin-ssh-port
Step 4: Now you can download or upload image and configuration to the FortiGate

To Backup FortiGate configuration use the SCP client.
The FortiGate unit configuration file name is sys_config. Use the following syntax to download the file:
Linux:
scp admin@<FortiGate_IP>:sys_config <location>
Windows:
pscp admin@<FortiGate_IP>:sys_config <location>

To restore configuration to FortiGate use the SCP client.
- FortiGate will reboot immediately after the file gets uploaded
- When uploading (restoring) configuration file to FortiGate, destination file name is fgt-restore-config. Use the following syntax to upload the file:
Windows:
pscp.exe -scp <path_to_config_file> admin@<FortiGate_IP>:fgt-restore-config
Manual firemware upgrade using SCP client

- FortiGate will reboot immediately after the file gets uploaded
- The FortiGate firmware file name is firmware.out. Use the following syntax to upload the file:

Linux:
scp <firmware.out> <admin-user>@<IP>:fgt-image
Windows:

pscp.exe -scp <firmware.out> <admin-user>@<IP>:fgt-image

Optional public-private key authentication

SCP authenticates itself to the FortiGate unit in the same way as an administrator using SSH to access the CLI. Instead of using a password, you can configure the SCP client and the FortiGate unit with a public-private key pair.

To configure public-private key authentication
Step by step:
- Create a public-private key pair using a key generator tool compatible with the SCP client.
- Save the private key to the location on the computer where the SSH private keys are stored.
This step depends on the SCP product. The SSH Secure Shell key generator automatically stores the private key. In the PuTTY Key Generator, you must manually save the private key.
- Copy the public key to the FortiGate unit. You do this in the FortiGate CLI, as follows:
- Enter

    # config system admin
        edit admin
            set ssh-public-key1 "<key-type> <key-value>"
    end

<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For <key-value>, you must copy the public key data and paste it into the CLI command.
If you are copying the key data from Windows Notepad, observe the following to copy the key data correctly:
- Copy one line at a time and make sure that the paste each line of key data at the end of the previously pasted data.
- Do not copy the end-of-line characters that appear as small rectangles in Notepad.
- Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: "[2048-bit dsa,...]" lines.
- Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
- Type the closing quotation mark and press Enter.
- Enter the end command.

The SCP client can now authenticate to the FortiGate unit based on SSH keys instead of an administrator password.

Examples of using SCP Client:

These examples show how to download the configuration file from a FortiGate unit at IP address 172.20.120.171, using Linux and Windows SCP clients.

Linux client example:
To download the configuration file to a local directory called ~/config, enter the following command:
Enter the admin password when prompted.

Windows client example:
To download the configuration file to a local directory called c:\config, enter the following command in a Command Prompt window:
Enter the admin password when prompted.

This example shows how to upload (restore) configuration file to a FortiGate unit with IP address 172.20.120.171, from Windows machine.
Enter the admin password when prompted.

These examples show how to upload the firmware file from a FortiGate unit at IP address 172.20.120.171, using Linux SCP clients.

Linux client example:
To upload the firmware file to a local directory called firmware.out, enter the following command:
Enter the admin password when prompted.
scp admin@172.20.120.171:sys_config ~/config

pscp admin@172.20.120.171:sys_config c:\config

pscp.exe -scp C:\Users\<configuration file> admin@172.20.120.171:fgt-restore-config

pscp.exe -scp -P 222 C:\Users\<configuration file> admin@172.20.120.171:fgt-restore-config
* When using Port 222 as SSH Port.

scp firmware.out admin@172.20.120.171:fgt-image

Contributors