Howto: Fortinet Pub Key Authentication for Backups

Posted 1003 days ago - Security

With FortiOS 3.0 MR3 and up, properly configured accounts can use secure copy (SCP) to download the configuration file from a FortiGate unit. This will provide a means to create daily backups of all the FortiGate configuration files you're responsible for maintaining.

First, ssh to the device and enable SCP functionality:

[user@l00nix ~]$ ssh admin@192.168.1.99
Password:

Fortigate-5001 # config system global 

Fortigate-5001 (global) # set admin-scp enable

Fortigate-5001 (global) # end

Fortigate-5001 # exit
Connection to 192.168.1.99 closed.
[user@l00nix ~]$

To automate the process from our Linux backup server, the FortiGate needs the backup account's public key. After creating the "forticonfs" (or whatever you want to call it) account on the backup server and generating a public/private keypair for it (ssh-keygen -t rsa), log back into the FortiGate and issue the following commands:

[user@l00nix ~]$ ssh admin@192.168.1.99
Password:

Fortigate-5001 # config system admin

Fortigate-5001 (admin) # edit admin

Fortigate-5001 (admin) # set ssh-public-key1 "ssh-rsa ... forticonfs@backups.domain.com"

Fortigate-5001 (admin) # next

Fortigate-5001 (admin) # end

Fortigate-5001 # exit
Connection to 192.168.1.99 closed.
[user@l00nix ~]$

You'll need to replace the public key data with your own:

[root@backups001 ~]# cat /home/forticonfs/.ssh/id_rsa.pub
ssh-rsa BBB...yf3w== forticonfs@backups.domain.com
[root@backups001 ~]#

Now, perform a simple test to ensure everything is set up correctly:

[forticonfs@backups001 ~]$ mkdir forti-confs
[forticonfs@backups001 ~]$ scp admin@192.168.1.99:sys_config ~/forti-confs/5001.conf

sys_config                 100%  258KB 257.5KB/s   00:00

[forticonfs@backups001 ~]$ ls -lah ./forti-confs
-rw------- 1 forticonfs forticonfs 258K Aug 22 14:51 5001.conf
[forticonfs@backups001 ~]$

From here, the entire process can be streamlined via a cron job. With a bash script, one could iterate over a list of devices with a simple for loop. Run the job every night at midnight and you've got a completely automated method for backing up your configs. Should anything go wrong with a device for any reason (hardware failure, screwed up config setting, whatever), restore the config from the nightly backup archive and you're a damn hero.
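As an added example (not code from the original post), here is a script that does what the paragraph above describes: it walks a device list, pulls each unit's sys_config over scp with the forticonfs key, sanity-checks the download, keeps dated copies and exits non-zero if any device failed so cron reports it instead of silently succeeding. Everything outside the commands already shown on this page is an assumption: the device list format (one "name ip" pair per line), the script name forti-backup.sh, the file paths, and the check that a FortiOS config export starts with a "#config-version=" line.

```sh
#!/bin/sh
# forti-backup.sh: nightly FortiGate config backups over SCP with key auth.
# Added example, not from the original post. Assumptions (not on the page):
#   - DEVICE_LIST holds one "name ip" pair per line; '#' starts a comment
#   - the forticonfs private key is ~/.ssh/id_rsa (pair of the id_rsa.pub above)
#   - a FortiOS config export begins with a "#config-version=" line
# The FortiGate side (admin-scp enabled, ssh-public-key1 set) is as shown above.

KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_rsa}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/forti-confs}"
DEVICE_LIST="${DEVICE_LIST:-$HOME/forti-devices.txt}"
KEEP_DAYS="${KEEP_DAYS:-30}"

umask 077   # configs hold admin hashes and PSKs: owner-only from the moment they land

# Destination for one device on one day: <BACKUP_DIR>/<name>/<name>-<YYYYMMDD>.conf
dest_path() {
    printf '%s/%s/%s-%s.conf\n' "$BACKUP_DIR" "$1" "$1" "$2"
}

# Print "name ip" pairs from the device list, skipping blank and comment lines.
parse_devices() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1, $2 }'
}

# Sanity check: an empty file, or an ssh error message saved as a file, is not a backup.
looks_like_config() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^#config-version='
}

# Pull sys_config from one unit. BatchMode=yes makes scp fail instead of
# hanging on a password prompt if key auth breaks; StrictHostKeyChecking=yes
# refuses unknown host keys, so seed known_hosts before the first run.
backup_one() {
    name="$1"; ip="$2"
    dest=$(dest_path "$name" "$(date +%Y%m%d)")
    mkdir -p "$(dirname "$dest")" || return 1
    if ! scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -i "$KEY_FILE" "admin@${ip}:sys_config" "$dest.tmp" < /dev/null; then
        echo "ERROR: $name ($ip): scp failed" >&2
        rm -f "$dest.tmp"
        return 1
    fi
    if ! looks_like_config "$dest.tmp"; then
        echo "ERROR: $name ($ip): download is not a FortiOS config" >&2
        rm -f "$dest.tmp"
        return 1
    fi
    mv "$dest.tmp" "$dest" && echo "OK: $name -> $dest"
}

# Back up every listed device, prune old copies, and exit non-zero on any
# failure so cron mails the error output.
main() {
    failed=0
    list=$(mktemp) || return 1
    parse_devices "$DEVICE_LIST" > "$list"
    while read -r name ip; do
        backup_one "$name" "$ip" || failed=$((failed + 1))
    done < "$list"
    rm -f "$list"
    [ -d "$BACKUP_DIR" ] && find "$BACKUP_DIR" -name '*.conf' -mtime +"$KEEP_DAYS" -delete
    [ "$failed" -eq 0 ]
}

# cron entry for the forticonfs user:  0 0 * * * $HOME/forti-backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The download goes to a .tmp name first and is only renamed once it passes the header check, so a failed transfer never overwrites or masquerades as a good backup, and the non-zero exit plus stderr output is what turns a quiet nightly failure into a cron mail you actually see.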

Anyone else have any interesting FortiGate tricks or tips they'd like to share? Send me an email or post a comment.
