FortiGate SFTP Configuration Backup: Complete Implementation Guide for Automated, Secure Network Resilience

FortiGate firewalls running FortiOS 7.0.1 and later support secure configuration backups to SFTP servers—a critical capability for network resilience, compliance, and disaster recovery. This comprehensive guide synthesizes field-proven implementation strategies, automation techniques, and troubleshooting protocols from Fortinet community experts, enterprise deployments, and security practitioners to deliver a production-ready backup solution that balances security, reliability, and operational efficiency.


Understanding FortiGate SFTP Backup Capabilities

Evolution of Backup Protocols in FortiOS

FortiGate devices support three primary backup protocols with distinct security and reliability profiles:

Protocol | Security level   | Reliability      | Recommended use case
---------+------------------+------------------+----------------------------
TFTP     | Unsecured        | Unreliable       | Legacy environments only
FTP      | Unsecured        | Reliable         | Non-compliant environments
SFTP     | Encrypted (SSH)  | Highly reliable  | Production environments

SFTP backup functionality became natively available in FortiOS 7.0.1, operating over SSH tunnels (TCP port 22 by default) without requiring additional protocol configurations beyond standard SSH user setup on the destination server.

Core Command Syntax and Critical Requirements

The fundamental CLI command structure for SFTP backups requires precise syntax adherence:

execute backup [full-config|config] sftp </full/directory/path/filename> <SFTP_server>[:<port>] <username> <password> 

Critical implementation requirements:

  1. Full directory path mandatory: Unlike FTP, SFTP requires absolute paths starting with / (e.g., /backup/configs/fw1.conf). Relative paths or omitted paths cause silent failures.

  2. Default port 22: Explicit port specification only needed for non-standard configurations (e.g., 10.10.10.1:2222).

  3. Dynamic filename variables:

     • %%date%% → 2024-02-15
     • %%time%% → 14:30:22
     • %%log.devname%% → Device hostname
     • %%log.devid%% → Serial number
     • Combined example: backup-%%date%%-%%time%%_%%log.devname%%.conf

  4. Credential storage limitation: Passwords are stored in plaintext within FortiGate configuration files—a critical security consideration requiring compensating controls.


Implementation Pathways: Three Production-Ready Approaches

Approach 1: Scheduled Automation Stitch Backups

This method provides predictable, time-based backups ideal for compliance requirements:

# Step 1: Create scheduled trigger (runs daily at 02:00 AM)
config system automation-trigger
    edit "DailyBackupTrigger"
        set trigger-type scheduled
        set trigger-hour 2
        set trigger-minute 0
    next
end

# Step 2: Define CLI backup action with timestamped filenames
config system automation-action
    edit "SFTPBackupAction"
        set action-type cli-script
        set script "execute backup full-config sftp \"/fortigate/backups/fw1-%%date%%-%%time%%.conf\" 10.10.10.13 sftpuser S3cureP@ssw0rd"
        set accprofile "super_admin"
    next
end

# Step 3: Stitch trigger to action
config system automation-stitch
    edit "DailyConfigBackup"
        set trigger "DailyBackupTrigger"
        config actions
            edit 1
                set action "SFTPBackupAction"
                set required enable
            next
        end
    next
end

Key considerations:

  • Escape quotes properly using backslashes (\") when paths contain spaces
  • Use forward slashes (/) for directory paths even on Windows SFTP servers
  • Domain usernames require double backslashes: \"DOMAIN\\\\username\"

Approach 2: Configuration Change-Triggered Backups

For environments requiring immediate backup after administrative changes:

# Trigger on configuration modification events (log IDs 44546/44547)
config system automation-trigger
    edit "ConfigChangeDetected"
        set event-type event-log
        set logid 44546 44547
    next
end

# Action using nanosecond-precision timestamps
config system automation-action
    edit "ExecuteConfigBackup"
        set action-type cli-script
        set script "execute backup config sftp \"/backups/backup_%%log.eventtime%%.conf\" 10.10.10.13 sftpuser S3cureP@ssw0rd"
        set accprofile "super_admin"
    next
end

# Stitch trigger to action (stitch name is illustrative; without this block
# the trigger and action above are never connected)
config system automation-stitch
    edit "ConfigChangeBackup"
        set trigger "ConfigChangeDetected"
        config actions
            edit 1
                set action "ExecuteConfigBackup"
                set required enable
            next
        end
    next
end

This approach captures every configuration modification with millisecond precision, creating an audit trail of all changes.

Approach 3: FortiManager/FortiAnalyzer Centralized Backups

For multi-device environments managed through FortiManager:

# FortiManager daily backup at 06:00 AM to SFTP directory "FMG"
config system backup all-settings
    set status enable
    set server "10.10.21.14"
    set protocol sftp
    set user "svc_sftp_backups"
    set directory "FMG"
    set time "06:00:00"
    set passwd "UseASecurePassword!"
    set week_days monday tuesday wednesday thursday friday saturday sunday
end

FortiManager's native backup scheduler eliminates per-device automation configuration while maintaining centralized credential management.


Critical Troubleshooting Protocol

Common Failure Scenarios and Resolution Steps

Symptom: "Send config file to sftp server via vdom root failed. Return code -1"
Root cause: Missing full directory path
Resolution: Specify an absolute path, e.g. /share/CACHEDEV1_DATA/backups/fw.conf instead of backups/fw.conf

Symptom: Connection timeout
Root cause: Routing or firewall blocking
Resolution:
  1. Test connectivity: execute telnet <SFTP_IP> 22
  2. Verify route: get router info routing-table details <SFTP_IP>
  3. Packet capture: diagnose sniffer packet any 'host <IP> and port 22' 4 0 l

Symptom: Authentication failure
Root cause: Incorrect credentials or permissions
Resolution: Verify:
  1. Username/password accuracy
  2. SFTP user has rwx permissions on the target directory
  3. For Azure: username format is storageaccount.sftpusername

Symptom: Automation stitch fails although the same CLI command works
Root cause: Asymmetric routing
Resolution: Create a specific static route to the SFTP server to ensure a consistent path

Permission Requirements on SFTP Server

SFTP users require explicit write permissions on target directories. Two successful permission models:

  1. User ownership: the user owns the directory with rwx permissions (e.g., /home/sftpuser owned by sftpuser)
  2. Group membership: the user belongs to a group that has rwx permissions on the directory (e.g., a user in the root group writing to /backup, whose group permissions are rwx)

Security Hardening Recommendations

Credential Protection Strategies

Because FortiOS stores these passwords in plaintext, implement the following compensating controls:

  1. Dedicated service accounts: Create SFTP users with minimal privileges—disable delete/overwrite permissions where possible

  2. Network segmentation: Restrict SFTP server access to FortiGate management interfaces only via firewall rules

  3. Credential rotation: Implement automated credential rotation using external secret management (e.g., Azure Key Vault with PowerShell rotation scripts)

  4. Audit logging: Enable FortiGate event logging for backup operations (operation="system backup") to detect unauthorized access attempts
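The server-side counterpart to items 1 and 2, as an added example that is not from this guide or from Fortinet: an OpenSSH provisioning script for a dedicated, chrooted, SFTP-only backup account whose session can upload but not delete or rename files, so a password leaked from the FortiGate configuration cannot be used to purge the backup history. Assumed values: user sftpuser, chroot /srv/sftp/sftpuser, OpenSSH 6.5+ with an /etc/ssh/sshd_config.d include directory, GNU useradd and install.

```shell
#!/bin/sh
# Added example, not from the guide or Fortinet: provision a dedicated,
# chrooted, SFTP-only backup account on an OpenSSH server. Assumed values:
# user sftpuser, chroot /srv/sftp/sftpuser, OpenSSH 6.5+ with an
# /etc/ssh/sshd_config.d include directory, GNU useradd/install.
set -eu

# sshd_config Match block. The chroot itself must be root-owned and not
# writable by others, so the FortiGate writes into /backups below it: the
# "absolute" path in the execute backup command is resolved inside the chroot.
# -P blacklists SFTP requests, so the account can still upload but cannot
# delete or rename existing backups. Source-address restriction stays with
# the firewall rules from item 2.
sftp_match_block() {
    user=$1; chroot=$2
    cat <<EOF
Match User $user
    ChrootDirectory $chroot
    ForceCommand internal-sftp -u 0027 -P remove,rename,posix-rename,rmdir,hardlink,symlink,setstat,fsetstat
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
    PasswordAuthentication yes
EOF
}

# Create the account and the chroot skeleton; requires root. Set the account
# password afterwards with passwd, then use it in the FortiGate action.
provision_backup_user() {
    user=$1; chroot=$2
    id "$user" >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin -d "$chroot" "$user"
    install -d -o root -g root -m 0755 "$chroot"
    install -d -o "$user" -g root -m 0700 "$chroot/backups"
}

# Apply only when explicitly asked, as root: ./sftp-backup-user.sh --apply
if [ "${1:-}" = "--apply" ]; then
    provision_backup_user sftpuser /srv/sftp/sftpuser
    sftp_match_block sftpuser /srv/sftp/sftpuser \
        > /etc/ssh/sshd_config.d/50-fortigate-backup.conf
    sshd -t && systemctl reload sshd   # service is named "ssh" on Debian/Ubuntu
fi
```

With this layout the FortiGate command path becomes /backups/fw1-%%date%%-%%time%%.conf, and an attempt to delete a file over SFTP is refused by the server and logged by sshd.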

Backup Retention Management

Prevent storage exhaustion through automated retention policies:

  • Azure environments: PowerShell script running every 8 hours deleting files >7 days old
  • Linux SFTP servers: find /backup -type f -mtime +7 -delete via cron
  • Windows SFTP servers: PowerShell scheduled task with Get-ChildItem | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-7)} | Remove-Item
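The Linux retention one-liner above has one failure mode worth handling: a device that silently stops backing up will have its last copy deleted once it ages out. The following script, an added example rather than part of this guide, prunes old backups while always keeping each device's newest file, and reports devices with no recent backup for the monitoring item in the checklist. It assumes filenames follow the Approach 1 pattern <devname>-%%date%%-%%time%%.conf (e.g. fw1-2024-02-15-02:00:03.conf) and GNU/BSD find.

```shell
#!/bin/sh
# Added example, not from the guide or Fortinet: housekeeping for the Linux
# SFTP directory that receives FortiGate backups. Retention never removes the
# newest copy of a device, and a freshness check reports devices that have
# stopped backing up. Filenames are assumed to follow the Approach 1 pattern
# <devname>-%%date%%-%%time%%.conf, e.g. fw1-2024-02-15-02:00:03.conf.
set -eu

# Device name is everything before the "-YYYY-MM-DD-" stamp.
device_of() {
    basename "$1" | sed -E 's/-[0-9]{4}-[0-9]{2}-[0-9]{2}-.*//'
}

# Distinct device names present in the directory.
list_devices() {
    for f in "$1"/*.conf; do [ -e "$f" ] && device_of "$f"; done | sort -u
}

# Delete backups older than $2 days, but always keep each device's newest file,
# so a device that silently stopped backing up is not wiped out by retention.
prune_backups() {
    dir=${1%/}; days=$2
    for dev in $(list_devices "$dir"); do
        newest=$(ls -t "$dir/$dev"-????-??-??-*.conf | head -n 1)
        find "$dir" -maxdepth 1 -name "$dev-????-??-??-*.conf" -mtime +"$days" \
            ! -path "$newest" -delete
    done
}

# Print each device whose newest backup is older than $2 minutes (no output
# means every device is fresh); feed the output to your alerting.
stale_devices() {
    dir=${1%/}; max_min=$2
    for dev in $(list_devices "$dir"); do
        fresh=$(find "$dir" -maxdepth 1 -name "$dev-????-??-??-*.conf" -mmin -"$max_min")
        [ -n "$fresh" ] || echo "$dev"
    done
}

# Cron usage (hypothetical path): keep 7 days, alert if nothing arrived in 24 h.
if [ "$#" -ge 1 ]; then
    prune_backups "$1" 7
    stale=$(stale_devices "$1" 1440)
    [ -z "$stale" ] || echo "ALERT: no backup within 24h for: $stale" >&2
fi
```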

Best Practices Checklist

  • Path specification: Always use absolute paths starting with /
  • Timestamping: Implement %%date%%/%%time%% variables to prevent overwrites
  • Testing protocol: Validate connectivity via telnet before automation deployment
  • Permission validation: Confirm SFTP user has write access to target directory
  • Route verification: Ensure symmetric routing between FortiGate and SFTP server
  • Credential isolation: Use dedicated service accounts with least privilege
  • Retention policy: Implement automated deletion of backups older than retention period
  • Monitoring: Configure alerts for backup failure events via FortiGate logging


Frequently Asked Questions (FAQ)

What FortiOS version is required for SFTP backups?

SFTP configuration backup functionality requires FortiOS 7.0.1 or later. Earlier versions support only FTP and TFTP protocols.

Why does my SFTP backup fail when FTP works with the same path?

SFTP strictly requires absolute directory paths (e.g., /backups/fw.conf), while FTP accepts relative paths. This is a protocol-level requirement—not a FortiGate limitation.

Can I store SFTP passwords securely without plaintext exposure?

No native FortiOS mechanism exists to encrypt SFTP passwords within automation scripts. Mitigate risk through network segmentation, dedicated service accounts, and external secret management systems with rotation capabilities.

How do I include the device hostname in backup filenames?

Use the %%log.devname%% variable in your filename specification:
backup-%%date%%-%%log.devname%%.conf → backup-2024-02-15-FW-Primary.conf

What's the difference between backup config and backup full-config?

  • backup config: Saves running configuration only
  • backup full-config: Includes additional system state information (recommended for complete disaster recovery)

Can I trigger backups when administrators log in?

Yes—create an automation trigger monitoring event log ID 44548 (admin login events) and link to your SFTP backup action.

Why does my automation stitch fail when the same CLI command works manually?

Common causes include asymmetric routing (traffic takes different paths outbound/inbound) or insufficient permissions in non-default VDOMs. Create a specific static route to the SFTP server and verify VDOM context.

How do I troubleshoot SFTP connectivity issues?

Follow this diagnostic sequence:

  1. Test basic connectivity: execute telnet <SFTP_IP> 22
  2. Verify routing table: get router info routing-table details <SFTP_IP>
  3. Capture packets: diagnose sniffer packet any 'host <IP> and port 22' 4 0 l
  4. Check SFTP server logs for authentication attempts

Can FortiManager schedule backups for managed FortiGates?

FortiManager schedules backups of its own configuration to SFTP servers—not individual FortiGate devices. For device-level backups, use FortiGate automation stitches or FortiManager scripts pushing CLI commands to devices.

Which SFTP servers are compatible with FortiGate backups?

Enterprise-tested options include:

  • SolarWinds SFTP Server (Windows environments)
  • OpenSSH (Linux/BSD environments)
  • Azure Blob Storage with SFTP namespace (cloud environments)

All require proper user permission configuration and firewall rule allowances.

Conclusion: Building Resilient Network Operations

FortiGate SFTP configuration backups represent a foundational element of network resilience strategy. By implementing scheduled or change-triggered automation with proper path specification, credential management, and retention policies, organizations achieve three critical outcomes: accelerated disaster recovery, regulatory compliance documentation, and operational confidence during high-risk configuration changes.

The convergence of FortiOS automation capabilities with secure SFTP transport creates a production-ready solution—but success demands meticulous attention to path syntax, permission models, and security compensating controls. Organizations that implement the protocols outlined in this guide transform configuration backup from a manual, error-prone task into an automated, auditable component of their security operations framework.

Implementation note: Always test backup procedures in non-production environments before deploying to critical infrastructure. Validate restore procedures quarterly to ensure backup integrity.