Best Practices – Backing up a configuration file using SCP

Backing up a configuration file using SCP

You can use secure copy protocol (SCP) to download the configuration file from the FortiGate unit as an alternative method of backing up the configuration file or an individual VDOM configuration file. This is done by enabling SCP for an administrator account and enabling SSH on a port used by the SCP client application to connect to the FortiGate unit. SCP is enabled using the CLI commands:

config system global
set admin-scp enable
end

Use the same commands to back up a VDOM configuration by first entering the commands:

config global
set admin-scp enable
end


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Best Practices – Backing up a configuration file using SCP”

  1. Adrian

    Hi Mike,

    Before anything, you have a great Fortinet website and YouTube channel.
    My question, as a newbie in the field of Fortinet: how can I do an SCP backup?

    Quote from your Best practices:

    config system global
    set admin-scp enable
    end

    Use the same commands to backup a VDOM configuration by first entering the commands:
    config global
    set admin-scp enable
    end

    I was working on a script on how to do the backup using scp and rancid:

    #! /bin/bash
    set -o pipefail
    set -o nounset
    set -o errexit
    umask 0077
    TO=60
    # Prompt for credentials; the password is not echoed.
    stty -echo
    read -e -s -p "PASSWORD: " PASSWORD
    stty echo
    read -e -p "USER: " USER
    read -e -p "DEVICE: " DEVICE
    # Note: StrictHostKeyChecking=no means the device's host key is not verified.
    SSH_OPTS="-q -oConnectTimeout=${TO}s -oStrictHostKeyChecking=no -oControlMaster=no -oControlPath=/dev/null"

    # Copy sys_config from the device to <DEVICE>.sys_config in the current directory.
    backup() {
        sshpass -p "${PASSWORD}" scp -p ${SSH_OPTS} "$USER@$DEVICE":sys_config "${DEVICE}".sys_config
        echo "${DEVICE}: Success"
    }
    echo "${DEVICE}: Checking ssh connectivity"
    sshpass -p "${PASSWORD}" ssh -t ${SSH_OPTS} "$USER@$DEVICE" exit && backup

    This script saves only the global configuration of the FW, even though the FW has 3 VDOMs:
    – Global
    – Management
    – root

    Now, excuse my stupidity if you can, but I don’t understand exactly the meaning of:
    ====
    Use the same commands to backup a VDOM configuration by first entering the commands:
    config global
    set admin-scp enable
    end
    ====

    Do I have to enable admin-scp twice to be able to perform a script backup that saves the configuration of the FW with VDOMs? Or does the script save a full configuration having all the VDOMs once admin-scp is enabled for config global?

    Reply
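A hardened variant of the backup flow discussed above, as an added example that is not part of the original post or the comment: it pins the device's host key instead of disabling `StrictHostKeyChecking`, uses key-based login so no password appears on a command line, and checks that the downloaded file names every expected VDOM. It assumes key-based SSH login is already set up for the administrator account; the `known_hosts` path, the host name in the closing comment, and the layout of the `config vdom` declaration block are assumptions.

```shell
#!/bin/sh
# Added example (not the page's code): host-key-pinned SCP backup plus a sanity check.
umask 0077

# Download sys_config with key-based login and a pinned host key.
# usage: fetch_config USER DEVICE KNOWN_HOSTS_FILE OUTFILE  (all caller-supplied)
fetch_config() {
    scp -q -o BatchMode=yes -o ConnectTimeout=60 \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$3" \
        "$1@$2:sys_config" "$4"
}

# Print the VDOM names declared in a backup, one per line.
# Assumption: a multi-VDOM backup opens with "config vdom / edit NAME / next / end".
list_vdoms() {
    awk '$1 == "config" && $2 == "vdom" { decl = 1; next }
         decl && $1 == "edit"           { print $2; next }
         decl && $1 == "end"            { exit }' "$1"
}

# Fail unless the file looks like a FortiGate backup and names every expected VDOM.
# usage: verify_backup FILE [VDOM...]
verify_backup() {
    file=$1; shift
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    head -n 1 "$file" | grep -q '^#config-version=' ||
        { echo "no #config-version header: $file" >&2; return 1; }
    for vdom in "$@"; do
        list_vdoms "$file" | grep -qxF -- "$vdom" ||
            { echo "VDOM not in backup: $vdom" >&2; return 1; }
    done
}

# Constructed sample standing in for a downloaded file, so this runs offline.
write_sample() {
    printf '%s\n' '#config-version=CONSTRUCTED-SAMPLE' '' \
        'config vdom' 'edit root' 'next' 'edit Management' 'next' 'end' '' \
        'config global' 'config system global' '    set admin-scp enable' 'end' 'end' '' \
        'config vdom' 'edit root' 'config system settings' 'end' 'end' > "$1"
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
write_sample "$sample"
verify_backup "$sample" root Management && echo "sample backup: OK"
# Real use (hypothetical host and paths; needs a reachable device):
#   fetch_config admin fw.example.net ./known_hosts fw.sys_config &&
#       verify_backup fw.sys_config root Management
```

Running `verify_backup` right after each download turns a silent global-only or truncated backup into a failed job.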
