How to Automate FortiGate Firewall Backups to Remote Storage?
Introduction:
Fortinet FortiGate firewalls are among the best firewalls out there, and you may well have one up and running right now, serving your home or business network.
You might be using a FortiGate firewall for several use cases depending on your needs; either way, it needs some configuration before it works the way you expect.
With that being said, regular backups of the FortiGate configuration are crucial to ensure consistency and convenience and to minimize headaches.
Why Would You Automate Fortigate Firewall Backup?
Manually backing up the configuration of your firewall is a time-consuming task, and you probably won’t stick to the schedule you set for yourself. The same applies to almost every kind of backup.
So it’s always recommended to automate as many tasks as you can, to reduce the manual work and get it done automatically.
What Do You Need to Establish Automatic Backup for Fortigate Firewall?
Well, first you need a FortiGate firewall with admin access. You also need remote storage that is available on your local network or through a VPN; the storage has to be reachable from the FortiGate.
You also need to enable or install an FTP server on the remote storage. I will be using the FTP protocol to upload the backup file to the remote storage, but ideally you should use SFTP for a more secure connection, because plain FTP sends the username, the password and the backup file unencrypted.
In this guide, I will be using a QNAP NAS with the FTP server enabled on it.
Feel free to install an FTP server on any machine (e.g. Windows, Linux, some FTP cloud storage, etc.), but make sure you know the local IP address or domain of the FTP server and its credentials.
Let’s Setup FortiGate Backup:
Step 1 – Setup FTP on The Remote Storage:
First, we need to ensure that we have some kind of storage, enable an FTP server on it, and provide a username and a password.
In this example, I will be using a NAS Storage with FTP already enabled.
Log in to the NAS storage web portal and open FTP services:
Then, make sure the FTP server is enabled:
* You can enable SFTP for a secure connection (especially if your storage is exposed to the public internet).
Next, create a user on your NAS. This user’s credentials will be used by the firewall to connect through FTP:
I will name it “test” with password “test1234”, but you should name it something related to the firewall and choose a strong password:
Now, if you don’t have a specific folder inside your NAS for the Firewall Backup, you can create one:
Name it something related to the Firewall Backup:
Then, make sure that you give the new user you created earlier read/write permissions for this folder:
Now, click “Next”, then “Finish” to create the folder.
Step 2 – Login to Your FortiGate Admin Portal:
Enter the IP address of your FortiGate (usually it’s the same as the default gateway) in your browser, then log in with admin credentials:
Then, head to the section “Security Fabric” > “Automation”:
Step 3 – Schedule Automatic Backup on FortiGate:
Now, we need to create new automation and enable it.
This automation will run on a schedule and execute a backup CLI command that sends a backup file to the remote FTP server.
On the “Automation” Section, create new Automation:
Give it a Name, for Example “Backup Job”:
In the “Trigger” section, you can choose different events that will run this job. I will be choosing “Schedule”; then choose the time at which you want the backup to run:
In the “Action” section, choose “CLI Script”. We will enter a CLI command that will be executed on the schedule:
Give the script a name, then in the Script field, enter the following CLI command:
execute backup config ftp <file name> <remote storage ip> <username> <password>
The <file name> should be the full path of the shared folder plus the backup file name.
In this example: the full path is /Firewall_Backup and the backup file name is Backup.conf, so the full name will be /Firewall_Backup/Backup.conf.
Finally, review your configurations, then click “OK” to save the Automation:
Step 4 – Enable Email Notification After the Backup is Done ( Optional ):
Additionally, you can enable email notifications, but first we need to make sure the email service is enabled on your FortiGate.
On the left menu, head to “System” > “Settings”, then scroll down to “Email Service”. You can use custom settings if you have your own email server that will send the notifications; otherwise keep using the Fortinet email notification SMTP server:
Then, click “Apply”.
In the automation configuration, also select “Email” in the “Action” section:
Now scroll down to the “Email” section and enter the recipient email address that will receive the notifications.
Additionally, you can add and modify the subject and the body:
You can add more variables to the email body, such as %%log%% and %%results%%.
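Because the command in Step 3 always uploads to the same file name, each scheduled run overwrites the previous backup on the storage. The following is an added example, not part of the original guide: a Python script to run on the storage side (for example from a scheduled task) that checks the uploaded file is recent and starts with the #config-version= header of an unencrypted FortiGate backup, then keeps a timestamped copy. The function name, the 26-hour limit and the archive folder are assumptions, and it assumes the backup is not password-encrypted.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

HEADER = b"#config-version="  # first bytes of an unencrypted FortiGate config backup
MAX_AGE_HOURS = 26            # assumption: daily schedule plus two hours of slack


def check_and_archive(backup: Path, archive_dir: Path, now: Optional[float] = None) -> dict:
    """Validate the most recent upload and keep a timestamped copy of it."""
    now = time.time() if now is None else now
    if not backup.is_file():
        return {"ok": False, "reason": "missing"}
    mtime = backup.stat().st_mtime
    age_hours = (now - mtime) / 3600
    if age_hours > MAX_AGE_HOURS:  # the scheduled job did not run or could not upload
        return {"ok": False, "reason": "stale", "age_hours": round(age_hours, 1)}
    data = backup.read_bytes()
    if not data.startswith(HEADER):  # empty or foreign file
        return {"ok": False, "reason": "not a FortiGate config"}
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(mtime))
    dest = archive_dir / f"{backup.stem}-{stamp}{backup.suffix}"
    if not dest.exists():
        shutil.copy2(backup, dest)
        dest.chmod(0o600)  # the config holds credentials and keys: owner-only access
    return {"ok": True, "sha256": hashlib.sha256(data).hexdigest(), "archived_as": dest.name}


if __name__ == "__main__":
    # Constructed sample standing in for /Firewall_Backup/Backup.conf on the storage.
    share = Path(tempfile.mkdtemp())
    sample = share / "Backup.conf"
    sample.write_bytes(b"#config-version=SAMPLE:opmode=0:vdom=0\nconfig system global\nend\n")
    print(check_and_archive(sample, share / "archive"))
```

A result with "ok": False is the signal to alert on; the recorded SHA-256 lets you confirm later that an archived copy has not changed.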
Conclusion:
In this guide, I have demonstrated how to automate FortiGate firewall backups. This is one of the essential steps to ensure that a backup of your network configuration is in place, and you can enjoy peace of mind knowing that the configuration is stored on your storage.
Additionally, if you are using a QNAP NAS as storage, it’s a great idea to back up your NAS data.