
The Complete Guide to FortiGate Firewall Backup: CLI Methods, Automation, and Best Practices


In network security, configuration backups are not merely a routine task—they are a vital insurance policy. For administrators managing FortiGate firewalls, a complete and current backup can mean the difference between a swift recovery from hardware failure and a prolonged network outage. While many are familiar with the Graphical User Interface (GUI) backup options, the Command Line Interface (CLI) offers superior power, flexibility, and automation potential for enterprise-grade operations.

This guide consolidates official documentation and real-world community expertise to provide a comprehensive manual for backing up your FortiGate firewall using the CLI. We'll explore fundamental commands, advanced automated strategies, and critical best practices to ensure your network's configuration is always secure and recoverable.


1. Core CLI Backup Commands and Syntax

The FortiOS CLI provides a robust set of commands for backing up configuration files to various destinations. The syntax is precise, and understanding the parameters is key to success.

1.1 Backup to an FTP Server

The FTP method is a traditional and widely supported option for network backups.

  • Basic Command:
    execute backup config ftp <filename> <ftp_server>[:port] <username> <password> [<config-password>]
  • Example & Output:
    FGT # execute backup config ftp FGT_Backup_Jan28.conf 10.10.10.10:21 admin P@ssw0rd2024
    Connect to ftp server 10.10.10.10:21 ...
    Please wait...
    Send config file to ftp server OK.
  • Critical Notes:
    • Port Specification: The port (e.g., :21) is optional. If omitted, the default FTP port is used.
    • Special Characters: If your password contains special characters (like @, !, %), enclose it in quotes (e.g., "P@ssw0rd") to prevent the CLI from misinterpreting them. This is a common source of failed connections.
    • Encryption: To encrypt the backup file itself with a password, append an additional config-password to the end of the command.
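The quoting rule above (and the failed-connection symptom in FAQ Q1 below) is easy to get wrong when the backup command is assembled by a script rather than typed by hand. The following helper is an added example, not code from the original guide or from Fortinet: it builds an `execute backup config ftp|sftp` command, quotes any argument that contains characters outside letters, digits, `_`, `.` and `-` (the assumption here is that FortiOS accepts a double-quoted argument with backslash-escaped `"` and `\`), rejects inputs that would yield a malformed command, and classifies the CLI's response using the "Send config file to ... OK" and "... failed" phrases shown on this page.

```python
"""Build and sanity-check FortiOS 'execute backup config' commands.

Added example, not from the original guide. Assumes FortiOS accepts a
double-quoted argument in which a backslash escapes '"' and '\\'; the
output phrases matched below are the ones quoted in the guide.
"""
import re
from typing import Optional

# Characters assumed safe to pass to the FortiOS CLI without quoting.
_SAFE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def cli_quote(value: str) -> str:
    """Quote a value for the FortiOS CLI only when it contains special characters."""
    if _SAFE.match(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_backup_command(protocol: str, filename: str, server: str, username: str,
                         password: str, port: Optional[int] = None,
                         config_password: Optional[str] = None) -> str:
    """Assemble 'execute backup config <ftp|sftp> ...' with correct quoting.

    Raises ValueError for inputs that would produce a malformed command.
    """
    if protocol not in ("ftp", "sftp"):
        raise ValueError("protocol must be 'ftp' or 'sftp'")
    if not _SAFE.match(filename):
        raise ValueError("filename should use only letters, digits, '_', '.', '-'")
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range")
    target = f"{server}:{port}" if port is not None else server
    parts = ["execute", "backup", "config", protocol, filename, target,
             cli_quote(username), cli_quote(password)]
    if config_password is not None:
        # Trailing password encrypts the .conf file itself (see "Encryption" above).
        parts.append(cli_quote(config_password))
    return " ".join(parts)


def classify_backup_output(output: str) -> str:
    """Map the CLI response to 'ok', 'failed' or 'unknown'."""
    low = output.lower()
    if "failed" in low:
        return "failed"
    if re.search(r"send config file to \w+ server ok", low):
        return "ok"
    return "unknown"


if __name__ == "__main__":
    print(build_backup_command("sftp", "FGT_Backup_Jan28.conf", "192.168.1.100",
                               "sftp_user", "P@ssw0rd!2024", port=22,
                               config_password="Enc#Key"))
```

Because `P@ssw0rd2024` contains `@`, the builder emits it quoted even though the interactive example above happened to work without quotes; quoting unconditionally when special characters are present is the safer habit.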

1.2 Backup to Other Destinations (TFTP, SFTP, USB)

The CLI allows for backups to multiple protocols, fitting different network environments.

  • TFTP Server
    Syntax: execute backup config tftp <filename> <server_ip> [<backup_password>]
    Use Case: Simple, UDP-based transfers in low-security internal networks.
  • SFTP Server
    Syntax: execute backup config sftp <filename> <server:port> <user> <password> [<backup_password>]
    Use Case: Secure, encrypted file transfer (recommended over FTP).
  • USB Drive
    Syntax: execute backup config usb <filename> [<backup_password>]
    Use Case: Physical, offline backup. Requires a USB drive inserted into the FortiGate.
  • Management Station
    Syntax: execute backup config management-station <comment>
    Use Case: Backs up directly to a paired FortiManager or FortiGate Cloud.

Important: Administrative privileges are required to perform backups. In the GUI, an admin profile needs Read/Write access to System settings. In the CLI, the Configuration permission within a custom admin profile controls this ability.


2. GUI Backup: A Quick Alternative

For ad-hoc, single backups, the GUI provides a straightforward method. Navigate to System > Settings in the old interface or click on the username in the top-right corner > Configuration > Backup in the new interface.

Key GUI Features:

  • Scope Selection: Choose between Global (entire device) or a specific VDOM in multi-VDOM mode.
  • Encryption: Strongly recommended. Encrypts the .conf file with a password using AES-GCM.
  • Password Masking: When sharing a config for support, this feature replaces all passwords with "FortinetPasswordMask" to prevent credential leakage.
  • File Format: Modern FortiOS versions allow backup in classic FortiOS format or structured YAML format.

3. Automating Backups for Operational Excellence

Manual backups are prone to human error. Automation ensures consistent, timely, and reliable configuration archives.

3.1 Using CLI Scripts and the Auto-Script Feature

FortiGate allows you to schedule CLI scripts to run automatically.

  • Create an Auto-Script: This example creates a script that runs daily to back up to an SFTP server.
    config system auto-script
        edit "Daily_SFTP_Backup"
            # run every 1440 minutes (once a day)
            set interval 1440
            # 0 = repeat indefinitely
            set repeat 0
            # start the schedule automatically after boot
            set start auto
            set script "execute backup full-config sftp FGT_Backup_%%log.date%%_%%log.time%%.conf 192.168.1.100:22 sftp_user sftp_password encryption_password"
        next
    end
  • Script Body Format: The script value is a single double-quoted string. If the script needs more than one command, separate the commands with %0a (a URL-encoded newline) inside that string.
  • Community Wisdom from Spiceworks: A user in the Spiceworks community forum solved their automation issue by removing the # comment symbol from the beginning of the command inside the script value. Scripts must contain plain, executable CLI commands.

3.2 Advanced Automation with Variables

For dynamic filenames that include timestamps, use FortiGate system variables:

  • %%log.date%%: Inserts the current date (e.g., 2026-01-28).
  • %%log.time%%: Inserts the current time (e.g., 163045).

This creates unique, timestamped filenames like FGT_Backup_2026-01-28_163045.conf, preventing overwrites and providing a clear audit trail.


4. Restoration: The Ultimate Test of Your Backup

A backup is only as good as your ability to restore it. The restoration command mirrors the backup command.

  • Restore from FTP:
    execute restore config ftp FGT_Backup_Jan28.conf 10.10.10.10:21 admin P@ssw0rd2024 
  • Process: The FortiGate will load the configuration and restart. After the restart, always verify that the configuration and services are operating as expected.
  • Important Note: When restoring a configuration file that used password masking, all masked fields will retain the "FortinetPasswordMask" value, requiring you to manually re-enter those passwords. Restoring such a file is not recommended for production recovery.

5. Pro Tips and Security Best Practices

  1. Encrypt Every Backup: Always use the config-password option in the CLI or enable encryption in the GUI. This protects your configuration file if the storage medium is compromised.
  2. Use SFTP Over FTP: FTP transmits data (including passwords) in clear text. SFTP provides encryption and is the secure choice for network transfers.
  3. Test Restoration Regularly: Periodically perform a restoration in a lab environment to validate your backup process and file integrity.
  4. Follow the 3-2-1 Rule: Keep 3 copies of your backup, on 2 different media, with 1 copy stored off-site (e.g., a remote SFTP server).
  5. Document the Process: Keep a record of your backup commands, passwords (stored securely in a password manager), and restoration steps as part of your network runbook.
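Sections 3.2, 4 and 5 together describe what a good backup archive looks like: timestamped filenames, encrypted content, no password-masked files used for recovery, and a tested retention scheme. The script below is an added example written for this guide, not Fortinet's or the original author's code; it runs on the receiving SFTP or FTP server and audits a directory of `FGT_Backup_<YYYY-MM-DD>_<HHMMSS>.conf` files. It records a SHA-256 hash per file for integrity checks, flags files containing the `FortinetPasswordMask` token (unfit for production restore), flags files that begin with a readable `#config-version=` header (i.e. the encryption option was not used), and lists the files that fall outside the newest N copies. The sample files it writes are constructed; the `#config-version=` header value and the "ciphertext" bytes are stand-ins, not real FortiOS output.

```python
"""Post-receipt audit of FortiGate backup files on the SFTP/FTP server.

Added example, not part of the original guide. Assumes filenames follow the
guide's timestamped pattern and that an unencrypted classic-format .conf
begins with a '#config-version=' header line. Sample files are constructed.
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path
from typing import List, Optional

NAME_RE = re.compile(r"^FGT_Backup_(\d{4}-\d{2}-\d{2})_(\d{6})\.conf$")
MASK_TOKEN = b"FortinetPasswordMask"      # inserted by the GUI password-masking option
PLAINTEXT_HEADER = b"#config-version="    # first bytes of an unencrypted classic .conf


@dataclass
class BackupReport:
    path: Path
    taken_at: datetime
    sha256: str
    masked: bool       # True -> cannot be used for a production restore
    plaintext: bool    # True -> readable header, so the file was not encrypted


def inspect_backup(path: Path) -> BackupReport:
    """Parse the timestamp from the filename, hash the file and flag risky content."""
    m = NAME_RE.match(path.name)
    if not m:
        raise ValueError(f"{path.name}: does not follow FGT_Backup_<date>_<time>.conf")
    taken_at = datetime.strptime(f"{m.group(1)}_{m.group(2)}", "%Y-%m-%d_%H%M%S")
    data = path.read_bytes()
    return BackupReport(
        path=path,
        taken_at=taken_at,
        sha256=hashlib.sha256(data).hexdigest(),
        masked=MASK_TOKEN in data,
        plaintext=data.startswith(PLAINTEXT_HEADER),
    )


def prune_candidates(reports: List[BackupReport], keep: int) -> List[Path]:
    """Return paths outside the newest `keep` backups (the retention tail)."""
    ordered = sorted(reports, key=lambda r: r.taken_at, reverse=True)
    return [r.path for r in ordered[keep:]]


def audit_directory(directory: Path, keep: int = 30) -> dict:
    """Summarise a backup directory: hashes, masked files, unencrypted files, prune list."""
    reports = [inspect_backup(p) for p in directory.glob("FGT_Backup_*.conf")]
    return {
        "count": len(reports),
        "masked": sorted(r.path.name for r in reports if r.masked),
        "unencrypted": sorted(r.path.name for r in reports if r.plaintext),
        "prune": sorted(p.name for p in prune_candidates(reports, keep)),
        "hashes": {r.path.name: r.sha256 for r in reports},
    }


def build_sample_dir(directory: Optional[Path] = None) -> Path:
    """Write three constructed sample files so the example runs offline."""
    directory = directory or Path(tempfile.mkdtemp()) / "backups"
    directory.mkdir(parents=True, exist_ok=True)
    good = b"#config-version=CONSTRUCTED-SAMPLE:opmode=0\nconfig system global\nend\n"
    masked = good.replace(b"end\n", b"    set password FortinetPasswordMask\nend\n")
    fake_ciphertext = b"\x89\x02\x13\x7f" + bytes(range(32))   # stand-in, not a real format
    (directory / "FGT_Backup_2026-01-26_163045.conf").write_bytes(good)
    (directory / "FGT_Backup_2026-01-27_163045.conf").write_bytes(masked)
    (directory / "FGT_Backup_2026-01-28_163045.conf").write_bytes(fake_ciphertext)
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    for key, value in audit_directory(sample, keep=2).items():
        print(f"{key}: {value}")
```

Run it against the real archive directory with the retention count your policy requires; anything in `masked` or `unencrypted` should be investigated before the next scheduled restore test, and the recorded hashes give you a baseline to compare the off-site copy against.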

Frequently Asked Questions (FAQ)

Q1: I ran the FTP backup command but got "Send config file to FTP server via VDOM root failed." What should I do?
A: This is typically a connectivity or credential issue.

  • Triple-check the FTP server IP, port, username, and password.
  • Enclose passwords in quotes if they contain special characters.
  • Verify network connectivity from the FortiGate to the FTP server (using execute ping).
  • Check the FTP server's logs for connection attempts and permission errors.

Q2: What's the difference between backup config and backup full-config?
A: The backup config command backs up only the administrator-modified settings. The backup full-config command includes both modified settings and a large set of factory-default settings, which can be useful for a more complete restoration context or for documentation.

Q3: My automated script isn't working, even though it runs fine manually. Why?
A: This is a common hurdle. Debug by:

  1. Ensuring there are no typos or syntax errors (like stray # symbols) in the script body.
  2. Confirming your FortiOS version supports the auto-script feature (v6.0 and above). Older firmware may use different methods.
  3. Checking the script's permissions and ensuring the administrator profile executing it has sufficient rights.

Q4: Can I back up a single VDOM in multi-VDOM mode?
A: Yes. First, enter the VDOM context in the CLI:

config vdom
    edit <vdom_name>

Then, run any standard backup command (like execute backup config usb ...). The resulting file will contain only the configuration for that specific VDOM.

Q5: Is the CLI backup method being phased out in favor of the GUI?
A: No. While the GUI is user-friendly for basic tasks, the CLI remains the power tool for administrators. It is essential for automation, scripting, integration with external systems, and performing backups in environments where GUI access is restricted or not available. Both methods are fully supported and documented by Fortinet.