gmanea (Staff)
Article Id 197125
Description
This article describes how to enable SCP download/upload on the FortiGate unit and use typical SCP client programs.
The secure copy protocol (SCP) can be used to download the configuration file from, and upload a firmware file to, FortiGate units running FortiOS 4.0 MR3 or later.

Solution
Step 1: Enable SCP.
From CLI:
# config system global
    set admin-scp enable
end
Step 2: Enable SSH access on the interface.
- SCP uses SSH protocol to provide secure file transfer. The interface you use for administration must allow SSH access.
From GUI:
- Go to System -> Network -> Interface.
- Select the Edit icon for the interface used for administrative access.
- In the Administrative Access section, select the SSH check box.
- Select 'OK'.

From CLI: 
- Add ssh to the allowaccess setting.

# config system interface
    edit <interface name>
        append allowaccess ssh
    end

Step 3: Confirm FortiGate SSH Port.
- The default SSH port is 22. If a different SSH port is configured, add "-P <SSH_Port>" to the SCP commands. Check the configured port with:
# show full-configuration | grep admin-ssh-port
Step 4: Download or upload the image and configuration to the FortiGate.

To Backup FortiGate configuration use the SCP client.
The FortiGate unit configuration file name is sys_config. Use the following syntax to download the file:
Linux:
scp admin@<FortiGate_IP>:sys_config <location>
Windows:
pscp admin@<FortiGate_IP>:sys_config <location>

To restore configuration to FortiGate use the SCP client.
- The FortiGate reboots immediately after the file is uploaded.
- When uploading (restoring) a configuration file to the FortiGate, the destination file name is fgt-restore-config. Use the following syntax to upload the file:
Windows:
pscp.exe -scp <path_to_config_file> admin@<FortiGate_IP>:fgt-restore-config
Manual firmware upgrade using SCP client

- The FortiGate reboots immediately after the file is uploaded.
- The local firmware file is firmware.out; its destination name on the FortiGate is fgt-image. Use the following syntax to upload the file:

Linux:
scp <firmware.out> <admin-user>@<IP>:fgt-image
Windows:
pscp.exe -scp <firmware.out> <admin-user>@<IP>:fgt-image

Optional public-private key authentication

SCP authenticates itself to the FortiGate unit in the same way as an administrator using SSH to access the CLI. Instead of using a password, you can configure the SCP client and the FortiGate unit with a public-private key pair.

To configure public-private key authentication
Step by step:
- Create a public-private key pair using a key generator tool compatible with the SCP client.
- Save the private key to the location on the computer where the SSH private keys are stored.
This step depends on the SCP product. The SSH Secure Shell key generator automatically stores the private key. In the PuTTY Key Generator, you must manually save the private key.
- Copy the public key to the FortiGate unit. You do this in the FortiGate CLI, as follows:
- Enter

    # config system admin
        edit admin
            set ssh-public-key1 "<key-type> <key-value>"
    end

<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For <key-value>, you must copy the public key data and paste it into the CLI command.
If you are copying the key data from Windows Notepad, observe the following to copy the key data correctly:
- Copy one line at a time and make sure that you paste each line of key data at the end of the previously pasted data.
- Do not copy the end-of-line characters that appear as small rectangles in Notepad.
- Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: "[2048-bit dsa,...]" lines.
- Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
- Type the closing quotation mark and press Enter.
- Enter the end command.

The SCP client can now authenticate to the FortiGate unit based on SSH keys instead of an administrator password.
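As an added example (not part of this article or of any Fortinet tool), the Python script below automates the copy-and-paste steps above: it takes a PuTTYgen-style "SSH2" (RFC 4716) public key file, strips the BEGIN/END and Comment lines, joins the base64 body into one line, reads the key type from the key blob itself instead of trusting the Comment header, and renders the config system admin commands with the key filled in. The key file and the key blob it wraps are constructed inline so the script runs offline; they are not a real key.

```python
import base64
import struct
ACCEPTED_KEY_TYPES = ("ssh-dss", "ssh-rsa")   # what this article says ssh-public-key1 takes

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public-key blobs."""
    return struct.pack(">I", len(data)) + data

def wrap_rfc4716(blob: bytes, comment: str) -> str:
    """Writer for the '---- BEGIN SSH2 PUBLIC KEY ----' format, used only to
    build constructed sample input so the example runs offline."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + ["---- END SSH2 PUBLIC KEY ----"]) + "\n"

def rfc4716_to_openssh(text: str) -> tuple[str, str]:
    """Strip the armour and header lines, join the base64 body, and read the
    key type from the blob itself rather than trusting the Comment header."""
    body, in_key, continued = [], False, False
    for raw in text.splitlines():
        line = raw.strip()                 # also drops stray \r from Windows editors
        if line.startswith("---- BEGIN"):
            in_key = True
            continue
        if line.startswith("---- END"):
            break
        if not in_key or continued:        # outside the block, or a wrapped header value
            continued = in_key and line.endswith("\\")
            continue
        if ":" in line:                    # header line such as Comment: or Subject:
            continued = line.endswith("\\")
            continue
        body.append(line)
    blob = base64.b64decode("".join(body), validate=True)   # rejects non-base64 debris
    (length,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + length].decode("ascii")
    if key_type not in ACCEPTED_KEY_TYPES:
        raise ValueError(f"key type {key_type!r} not usable for ssh-public-key1")
    return key_type, base64.b64encode(blob).decode("ascii")

def fortigate_cli(admin: str, key_type: str, key_value: str, slot: int = 1) -> str:
    """Render the article's CLI snippet with the single-line key filled in."""
    return "\n".join(["config system admin", f"    edit {admin}",
                      f'        set ssh-public-key{slot} "{key_type} {key_value}"', "end"])

# Constructed fake ssh-rsa blob (type string, exponent, short "modulus"); not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 33)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = wrap_rfc4716(SAMPLE_BLOB, "rsa-key-20240101 \\\n constructed sample")
```

Calling fortigate_cli("admin", *rfc4716_to_openssh(SAMPLE_RFC4716)) returns the snippet to paste into the CLI; a key whose blob is not ssh-rsa or ssh-dss is rejected before anything is pasted.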

Examples of using SCP client:

These examples show how to download the configuration file from a FortiGate unit at IP address 172.20.120.171, using Linux and Windows SCP clients.

Linux client example:
To download the configuration file to a local directory called ~/config, enter the following command:

scp admin@172.20.120.171:sys_config ~/config

Enter the admin password when prompted.

Windows client example:
To download the configuration file to a local directory called c:\config, enter the following command in a Command Prompt window:

pscp admin@172.20.120.171:sys_config c:\config

Enter the admin password when prompted.

This example shows how to upload (restore) a configuration file to a FortiGate unit with IP address 172.20.120.171 from a Windows machine:

pscp.exe -scp C:\Users\<configuration file> admin@172.20.120.171:fgt-restore-config

When the FortiGate uses port 222 as its SSH port, add -P 222:

pscp.exe -scp -P 222 C:\Users\<configuration file> admin@172.20.120.171:fgt-restore-config

Enter the admin password when prompted.

This example shows how to upload the firmware file to a FortiGate unit at IP address 172.20.120.171, using a Linux SCP client.

Linux client example:
To upload the local firmware file firmware.out, enter the following command:

scp firmware.out admin@172.20.120.171:fgt-image

Enter the admin password when prompted.
