Bulk Fortigate configuration backup
Continuing on from the previous post on bulk management of firewalls, in particular Fortigates. The following is a basic script which, once SCP transfers have been enabled on your device, uses pscp.exe to back up the configs of multiple Fortigate firewalls.
This script gets the current date, creates a folder under your backup path named after the date, connects to each firewall listed in your CSV file (just as in the previous post) and uses pscp.exe to pull the config file (fgt-config). It then renames the fgt-config output file to the IP of the firewall with the date appended to the file name. I am piping echo y into the command to accept the untrusted host key (certificate) warning pscp shows on first connection. In a production environment you may wish to re-evaluate this option!
Note, while the transcript option is present, due to a bug in PowerShell you do not get a whole lot of info out of running cmd applications from PowerShell. I’ll look at a workaround for this and update in the near future.
————————————————————————————
$Firewalls  = Get-Content .\firewalls.csv
$Date       = Get-Date -Format "dd-MM-yyyy"
$Username   = "firewallusername"
$Password   = "firewallpassword"   # stored in clear text in the script; see the note above about production use
$BackupPath = "E:\Firewall-Config-Backups"
New-Item "$BackupPath\$Date" -ItemType Directory
Start-Transcript -Path "$BackupPath\$Date\$Date.log" -Append
foreach ($Firewall in $Firewalls) {
    # echo y answers pscp's host-key prompt on first connection.
    # ${Firewall} delimits the variable name so the colon that follows is not read as a drive qualifier;
    # the remote path on a FortiGate is fgt-config and the target directory already exists.
    echo y | .\pscp.exe -l $Username -pw $Password -v "${Firewall}:fgt-config" "$BackupPath\$Date" | Out-Host -Verbose
    # pscp always writes the file as fgt-config; rename it to <ip>-<date>.conf
    Rename-Item -Path "$BackupPath\$Date\fgt-config" -NewName "$Firewall-$Date.conf"
}
Stop-Transcript
————————————————————————————
Here’s what your final screen output should look like:
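The script above accepts whatever host key each firewall presents and keeps the admin password in the script file. The following is an added example (not the original post's script) of the same loop with those two points tightened up and with pscp's output written to the log explicitly. It assumes firewalls.csv has the header Host,HostKey, where HostKey is the FortiGate's SSH host-key fingerprint as pscp/plink print it, recorded from a trusted first connection; that pscp.exe is PuTTY 0.64 or later (which added -hostkey); and that PowerShell 4 or later is available for Get-FileHash. The parameter defaults are placeholders.

```powershell
# Hardened variant of the backup loop (added example, not the original post's script).
# Assumed CSV layout: Host,HostKey  (HostKey = fingerprint as printed by pscp/plink)
param(
    [string]$CsvPath    = ".\firewalls.csv",
    [string]$BackupPath = "E:\Firewall-Config-Backups",
    [string]$Pscp       = ".\pscp.exe"
)

$Date   = Get-Date -Format "dd-MM-yyyy"
$Target = Join-Path $BackupPath $Date
New-Item -Path $Target -ItemType Directory -Force | Out-Null
$Log    = Join-Path $Target "$Date.log"

# Prompt for the account instead of keeping the password in the script file.
$Cred          = Get-Credential -Message "FortiGate SCP-enabled admin account"
$PlainPassword = $Cred.GetNetworkCredential().Password   # pscp -pw only accepts clear text

$Failures = @()
foreach ($Row in Import-Csv $CsvPath) {
    $Dest = Join-Path $Target ("{0}-{1}.conf" -f $Row.Host, $Date)

    # -hostkey pins the expected fingerprint: an unknown or changed key makes pscp abort
    # instead of being silently accepted by "echo y". -batch disables all interactive prompts.
    # pscp's progress and diagnostic text goes to stderr, which Start-Transcript does not
    # reliably capture for native commands; 2>&1 merges it so it can be logged below.
    $Output = & $Pscp -batch -hostkey $Row.HostKey -l $Cred.UserName -pw $PlainPassword `
                      "$($Row.Host):fgt-config" $Dest 2>&1 | ForEach-Object { $_.ToString() }

    "[{0}] {1}`n{2}" -f (Get-Date -Format "HH:mm:ss"), $Row.Host, ($Output -join "`n") |
        Add-Content -Path $Log

    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Dest)) {
        $Failures += $Row.Host
        continue
    }

    # Record a SHA-256 of each backup so later tampering or truncation is detectable.
    $Hash = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
    "{0}  {1}" -f $Hash, (Split-Path $Dest -Leaf) |
        Add-Content -Path (Join-Path $Target "SHA256SUMS")
}

$PlainPassword = $null
if ($Failures.Count -gt 0) {
    Write-Warning ("Backup failed for: " + ($Failures -join ", "))
    exit 1
}
```

Because each firewall gets its own destination file name, the rename step is no longer needed, and a failed transfer on one host (non-zero exit code or missing file) is recorded and the loop carries on to the next firewall rather than renaming a stale fgt-config from a previous iteration.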
5 Responses to “Bulk Fortigate configuration backup”
- March 17, 2015 -
SCP is enabled on my fortigate but when I run this script I get “Protocol error: Expected control record”
If I run (pscp admin@192.168.1.1:fgt-config c:\Firewall-Config-Backups\config.conf) from cmd it works. Any suggestions?
Thank you for your time.
I found my mistake.
Hi Brandon, what was your mistake? I am experiencing the same issue.
Hi Mark,
not sure how you got on but I came across the same issue. Looks like SCP needs globally enabling.
Fortinet quotes
“You can use secure copy protocol (SCP) to download the configuration file from the FortiGate unit as an alternative method of backing up the configuration file or an individual VDOM configuration file. This is done by enabling SCP for an administrator account and enabling SSH on a port used by the SCP client application to connect to the FortiGate unit. SCP is enabled using the CLI commands:
config system global
set admin-scp enable
end
Use the same commands to backup a VDOM configuration by first entering the commands:
config global
set admin-scp enable
end
config vdom
edit “