Restoring the local certificates – CLI
Connect to the CLI and use the following command:
execute vpn certificate local import tftp <filename> <tftp_ip>
Backup and restore a configuration file using SCP
You can use secure copy protocol (SCP) to download the configuration file from the FortiGate as an alternative way of backing up the full configuration or an individual VDOM configuration. To do this, enable SCP for an administrator account and enable SSH on the interface and port that the SCP client uses to connect to the FortiGate. SCP is enabled using the CLI commands:
config system global
set admin-scp enable
end
On a FortiGate with VDOMs enabled, enable SCP in the global configuration and then enter the VDOM whose configuration you want to back up:
config global
set admin-scp enable
end
config vdom
edit <vdom_name>
Enable SSH access on the interface
SCP uses the SSH protocol to provide secure file transfer. The interface you use for administration must allow SSH access.
To enable SSH – GUI:
1. Go to Network > Interfaces.
2. Select the interface you use for administrative access and select Edit.
3. In the Administrative Access section, select SSH.
4. Select OK.
To enable SSH – CLI:
config system interface
edit <interface_name>
set allowaccess ping https ssh
end
When adding or removing a protocol, you must type the entire list again, because the new list replaces the old one. For example, if you have an access list of HTTPS and SSH, and you want to add PING, typing:
set allowaccess ping
…only PING will be set. In this case, you must type…
set allowaccess https ssh ping
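Because a partial "set allowaccess" line silently drops every protocol it does not name, a script that touches administrative access should always compute and emit the complete list. The helpers below are an added example, not part of the FortiGate documentation or FortiOS itself; the set of accepted protocol names is an assumption for the target firmware and the interface name port1 is a placeholder.

```shell
#!/bin/sh
# Added example (not from the FortiGate documentation): FortiOS replaces the
# allowaccess list with whatever "set allowaccess ..." names, so these helpers
# merge or drop protocols and print the full CLI block to paste.

# Protocol names this example accepts (assumption: present on the target FortiOS).
FGT_KNOWN_ACCESS="ping https ssh http telnet snmp fgfm"

# fgt_allowaccess_merge "CURRENT" "ADD": print CURRENT with ADD appended,
# duplicates dropped and the original order kept. Returns 1 on an unknown name.
fgt_allowaccess_merge() {
    merged=""
    for proto in $1 $2; do
        case " $FGT_KNOWN_ACCESS " in
            *" $proto "*) ;;
            *) echo "unknown allowaccess protocol: $proto" >&2; return 1 ;;
        esac
        case " $merged " in
            *" $proto "*) ;;                          # already in the list
            *) merged="${merged:+$merged }$proto" ;;
        esac
    done
    printf '%s\n' "$merged"
}

# fgt_allowaccess_drop "CURRENT" "REMOVE": print CURRENT without REMOVE's names.
fgt_allowaccess_drop() {
    kept=""
    for proto in $1; do
        case " $2 " in
            *" $proto "*) ;;                          # drop it
            *) kept="${kept:+$kept }$proto" ;;
        esac
    done
    printf '%s\n' "$kept"
}

# fgt_interface_access_cli IFACE "CURRENT" "ADD" "REMOVE": print the complete
# config block. CURRENT is the list already on the interface (read it with
# "show system interface IFACE" before calling this).
fgt_interface_access_cli() {
    iface=$1
    list=$(fgt_allowaccess_merge "$2" "$3") || return 1
    list=$(fgt_allowaccess_drop "$list" "$4")
    # Warn rather than silently enable cleartext management protocols.
    case " $list " in
        *" http "*|*" telnet "*) echo "warning: cleartext admin access (http/telnet) in list" >&2 ;;
    esac
    printf 'config system interface\n'
    printf '    edit %s\n' "$iface"
    printf '        set allowaccess %s\n' "$list"
    printf '    next\nend\n'
}

# Usage: sh allowaccess.sh IFACE "current list" "add list" "remove list"
if [ $# -eq 4 ]; then
    fgt_interface_access_cli "$1" "$2" "$3" "$4"
fi
```

Running `sh allowaccess.sh port1 "https ssh" ping ""` prints a block whose allowaccess line is the full `https ssh ping`, which is what the page says must be typed; the merge step is what prevents the "only PING will be set" mistake.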
Using the SCP client
The FortiGate presents the configuration file to the SCP client under a fixed remote name (fgt-config in the commands below). Use the following syntax to download it:
Linux
scp admin@<FortiGate_IP>:fgt-config <location>
Windows
pscp admin@<FortiGate_IP>:fgt-config <location>
The following examples show how to download the configuration file from a FortiGate-100D, at IP address 172.20.120.171, using Linux and Windows SCP clients.
Linux client example
To download the configuration file to a local directory called ~/config, enter the following command:
scp admin@172.20.120.171:fgt-config ~/config
Enter the admin password when prompted.
Windows client example
To download the configuration file to a local directory called c:\config, enter the following command in a Command Prompt window:
pscp admin@172.20.120.171:fgt-config c:\config
Enter the admin password when prompted.
SCP public-private key authentication
The SCP client authenticates to the FortiGate in the same way an administrator does when accessing the CLI over SSH. Instead of a password, you can configure the SCP client and the FortiGate with a public-private key pair.
To configure public-private key authentication
1. Create a public-private key pair using a key generator compatible with your SCP client.
2. Save the private key to the location on your computer where your SSH keys are stored.
This step depends on your SCP client. The Secure Shell key generator automatically stores the private key.
3. Copy the public key to the FortiGate using the CLI commands:
config system admin
edit admin
set ssh-public-key1 "<key-type> <key-value>"
end
<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For <key-value>, copy the public key data and paste it into the CLI command. DSA keys are limited to 1024 bits and current OpenSSH clients disable ssh-dss by default, so generate an RSA key unless you have a specific reason not to.
If you are copying the key data from Windows Notepad, copy one line at a time and ensure that you paste each line of key data at the end of the previously pasted data. As well:
- Do not copy the end-of-line characters that appear as small rectangles in Notepad.
- Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: "[2048-bit dsa,…]" lines.
- Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
4. Type the closing quotation mark and press Enter.
Your SCP client can now authenticate to the FortiGate based on SSH keys rather than the administrator password.
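The hand-editing above (strip the BEGIN/END markers, the Comment header and the CR characters, then join the base64 lines into one) is exactly what a script can do for you, and it can also read the key type out of the blob instead of guessing. The script below is an added example, not FortiOS code or part of the FortiGate documentation; it assumes a POSIX shell with awk, base64, od, head and tail, and the sample key it writes is a constructed placeholder (a valid wire-format prefix followed by zero bytes), not a real key.

```shell
#!/bin/sh
# Added example (not from the FortiGate documentation): turn an SSH2 / RFC 4716
# public key file (the "---- BEGIN SSH2 PUBLIC KEY ----" format exported by
# PuTTYgen and similar tools) into the single-line "<key-type> <key-value>"
# form FortiOS expects, and print the CLI commands to paste.

# rfc4716_to_blob FILE: print the base64 key data as one line. Drops CRs,
# the BEGIN/END markers, header lines ("Tag: value") and their backslash
# continuation lines, and blank lines.
rfc4716_to_blob() {
    tr -d '\r' < "$1" | awk '
        /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/ { next }
        cont        { cont = /\\$/; next }        # continuation of a header
        /^[^:]+: /  { cont = /\\$/; next }        # header line (base64 has no ":")
        /^$/        { next }
        { printf "%s", $0 }
    '
}

# ssh_key_type BLOB: print the key type encoded at the start of the blob.
# Wire format (RFC 4253): uint32 big-endian length, then the type string.
ssh_key_type() {
    blob=$1
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 4 | od -An -tu1)
    [ $# -eq 4 ] || return 1
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + len)) | tail -c "$len"
}

# fgt_ssh_key_cli ADMIN FILE: print the "config system admin" block for the
# key in FILE. Only the key types this page documents (ssh-rsa, ssh-dss) pass.
fgt_ssh_key_cli() {
    admin=$1
    blob=$(rfc4716_to_blob "$2") || return 1
    ktype=$(ssh_key_type "$blob") || { echo "cannot parse key in $2" >&2; return 1; }
    case $ktype in
        ssh-rsa|ssh-dss) ;;
        *) echo "unsupported key type for this FortiOS: $ktype" >&2; return 1 ;;
    esac
    printf 'config system admin\n'
    printf '    edit %s\n' "$admin"
    printf '        set ssh-public-key1 "%s %s"\n' "$ktype" "$blob"
    printf 'end\n'
}

# write_sample_rfc4716 FILE LINE...: constructed RFC 4716 file with Windows
# CRLF line ends and a continued Comment header. NOT a real key.
write_sample_rfc4716() {
    out=$1; shift
    {
        printf '%s\r\n' '---- BEGIN SSH2 PUBLIC KEY ----'
        printf 'Comment: "rsa-key-20150101, exported for the FortiGate \\\r\n'
        printf ' admin account"\r\n'
        for line in "$@"; do printf '%s\r\n' "$line"; done
        printf '%s\r\n' '---- END SSH2 PUBLIC KEY ----'
    } > "$out"
}

# Usage: sh fgt_sshkey.sh ADMIN_NAME exported_key.pub
if [ $# -eq 2 ]; then
    fgt_ssh_key_cli "$1" "$2"
fi
```

The base64 blob of any ssh-rsa key begins with AAAAB3NzaC1yc2E (the length-prefixed string "ssh-rsa"), so the placeholder the test writes starts with that prefix and the parser reports ssh-rsa for it; an ed25519 placeholder (prefix AAAAC3NzaC1lZDI1NTE5) is rejected because the page does not list it as accepted.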
Restoring a configuration using SCP
To restore the configuration using SCP, use the commands:
scp <local_file> <admin_user>@<FGT_IP>:fgt_restore_config
To use this method of restoring the FortiGate configuration, you must log in as the "admin" administrator.
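The download and restore commands on this page are one-liners, but a backup you will rely on also needs host-key verification (so the configuration, which carries hashed credentials and keys, is never exchanged with an impostor), a sanity check that what arrived is really a FortiGate configuration, and a checksum to catch corruption before a restore. The wrapper below serves both the "Using the SCP client" and "Restoring a configuration using SCP" sections above. It is an added example, not FortiOS code or part of the FortiGate documentation; it assumes an OpenSSH scp client, key authentication already configured for the admin account, the remote names fgt-config and fgt_restore_config exactly as shown on this page, and that a FortiGate configuration file begins with a #config-version= line (the build string in the test is constructed).

```shell
#!/bin/sh
# Added example (not from the FortiGate documentation): backup and restore a
# FortiGate configuration over SCP with key authentication, host-key pinning
# and a validity check on the file.

# BatchMode: never fall back to a password prompt. StrictHostKeyChecking=yes:
# refuse to talk to a FortiGate whose host key is not already in known_hosts.
SCP_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes"

# fgt_config_check FILE: verify FILE looks like a FortiGate configuration and
# print its build string (the text after "#config-version=" up to the first
# ':'). Returns 1 if the header is missing, so a failed or truncated download
# is not kept as a "backup".
fgt_config_check() {
    [ -s "$1" ] || { echo "empty or missing file: $1" >&2; return 1; }
    first=$(head -n 1 "$1")
    case $first in
        '#config-version='*) ;;
        *) echo "no #config-version header, not a FortiGate config: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "${first#"#config-version="}" | cut -d: -f1
}

# fgt_backup HOST ADMIN KEYFILE DIR: download the running configuration to
# DIR/HOST-<UTC timestamp>.conf, validate it and record its SHA-256 alongside.
fgt_backup() {
    host=$1 admin=$2 key=$3 dir=$4
    dest="$dir/$host-$(date -u +%Y%m%dT%H%M%SZ).conf"
    # shellcheck disable=SC2086  (SCP_OPTS is intentionally word-split)
    scp $SCP_OPTS -i "$key" "$admin@$host:fgt-config" "$dest" || return 1
    build=$(fgt_config_check "$dest") || { rm -f "$dest"; return 1; }
    # The sidecar records the path as given here; verify from the same directory.
    sha256sum "$dest" > "$dest.sha256"
    echo "saved $dest ($build)"
}

# fgt_restore HOST KEYFILE FILE: validate FILE (header and, if present, the
# recorded checksum), then upload it as the restore target. The page notes the
# restore must be done as the "admin" account, so the user is fixed here.
fgt_restore() {
    host=$1 key=$2 file=$3
    build=$(fgt_config_check "$file") || return 1
    if [ -f "$file.sha256" ]; then
        sha256sum -c "$file.sha256" >/dev/null || { echo "checksum mismatch: $file" >&2; return 1; }
    fi
    # Compare the build string against the target model and firmware before
    # restoring; a configuration from a different model is not interchangeable.
    echo "restoring $build to $host"
    scp $SCP_OPTS -i "$key" "$file" "admin@$host:fgt_restore_config"
}

# Usage: sh fgt_scp.sh backup HOST ADMIN KEYFILE DIR
#        sh fgt_scp.sh restore HOST KEYFILE FILE
case ${1:-} in
    backup)  shift; fgt_backup "$@" ;;
    restore) shift; fgt_restore "$@" ;;
esac
```

For the page's example unit, `sh fgt_scp.sh backup 172.20.120.171 admin ~/.ssh/fgt_admin ~/config` produces a timestamped, checksummed copy, and `sh fgt_scp.sh restore 172.20.120.171 ~/.ssh/fgt_admin ~/config/172.20.120.171-<timestamp>.conf` pushes it back. With PuTTY's pscp on Windows the same arguments apply, with -i pointing at a .ppk private key.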