Use Wasabi cloud to backup your FortiGate Firewall configuration for 6.99$/month

Steps to implement an automated config backup solution for your FortiGate with Wasabi Cloud for 6.99$/month

  1. Create an account on Wasabi cloud: https://wasabi.com/fr.
  2. Create a bucket and activate versioning, so that each daily upload keeps the previous backups as older versions of the same object.
  3. Activate the FTP/FTPS protocol in Wasabi.
  4. Build the FortiGate CLI command that backs up the configuration over FTP.
  5. Configure your automation trigger.
  6. Configure your automation action.
  7. Configure your automation stitch.

FortiGate CLI config backup over FTP command

You can connect over FTP/FTPS to your Wasabi bucket with your account credentials. On a paid plan you can create a sub-user with FTP/FTPS access; prefer a sub-user with the least access needed rather than your root account, because the FortiGate stores that login in cleartext in its automation script and sends it over plain FTP.

To connect to your Wasabi bucket over FTP you need:

  • The region where the bucket was created, here eu-west-2.
  • The name of the bucket, here backup_fortigate.
  • The username/email and password of your Wasabi account (or sub-user), here fortigate@gitbook.deddy.me.

You can test the connection to your bucket with an FTP client such as WinSCP (https://winscp.net) or FileZilla (https://filezilla-project.org) using this configuration:

Build the FortiGate CLI command

execute backup full-config ftp <bucket_name>/fortigate_01_config s3.<wasabi_bucket_region>.wasabisys.com:21 <ftp_username/email> <ftp_password>

The FTP server is the regional S3 endpoint (s3.<region>.wasabisys.com) on port 21, and the bucket is given as the first path element of the file name, because Wasabi exposes each bucket as a top-level directory over FTP. Note that this method uses plain FTP: the credentials and the full configuration (which contains the device's encrypted secrets and hashed passwords) cross the network unencrypted. FortiOS also accepts an optional backup password as a final argument that encrypts the backup file; check the argument list with "execute backup full-config ftp ?" on your build.

The complete FortiGate CLI command

execute backup full-config ftp backup_fortigate/fortigate_01_config s3.eu-west-2.wasabisys.com:21 fortigate@gitbook.deddy.me superStrongPassword

Wasabi Cloud: activate the FTP/FTPS protocol in the settings.

Create a trigger in Security Fabric > Automation > Trigger

Use a scheduled trigger with a daily frequency: the backup script then runs once a day.

Create an action in Security Fabric > Automation > Action

Use a CLI script action whose script is the complete backup command built above.

Create a stitch in Security Fabric > Automation > Stitch

The stitch links the daily trigger to the backup action.
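The same trigger, action and stitch expressed in FortiOS CLI, as an added example that is not part of the original page. It assumes a 02:00 daily schedule, the object names daily-config-backup, backup-to-wasabi and daily-wasabi-backup, and the FortiOS 7.x stitch syntax (on 6.4 the stitch uses a single "set action" line instead of the "config actions" table). The script line carries the Wasabi password in cleartext, exactly as the GUI would store it.

```text
config system automation-trigger
    edit "daily-config-backup"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 2
        set trigger-minute 0
    next
end

config system automation-action
    edit "backup-to-wasabi"
        set action-type cli-script
        set script "execute backup full-config ftp backup_fortigate/fortigate_01_config s3.eu-west-2.wasabisys.com:21 fortigate@gitbook.deddy.me superStrongPassword"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "daily-wasabi-backup"
        set status enable
        set trigger "daily-config-backup"
        config actions
            edit 1
                set action "backup-to-wasabi"
                set required enable
            next
        end
    next
end
```

Fire the stitch once with "diagnose automation test daily-wasabi-backup" and confirm that fortigate_01_config appears in the bucket before trusting the schedule. Because the password is visible in "show system automation-action", treat configuration backups and exported configs as containing that Wasabi credential.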

How to monitor that FortiGate backups are up to date?

You can implement a check that reads the last modification date of the backup file in the bucket, for example with the AWS S3 SDK for JavaScript (Wasabi exposes an S3-compatible API). See
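As an added example that is not code from the original page, here is that check written in Python with boto3 instead of the JavaScript SDK, since Wasabi speaks the S3 API. It assumes the bucket, object name and region used above, that https://s3.eu-west-2.wasabisys.com is the eu-west-2 endpoint, and that a Wasabi access key pair (not the FTP login) is supplied through the usual AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY variables. The freshness logic is kept apart from the network call so it can be exercised on a constructed listing.

```python
"""Check that the FortiGate backup in the Wasabi bucket is recent.

Added example, not code from the original page. Wasabi speaks the S3 API, so
boto3 is used against the regional endpoint (assumption: ENDPOINT is the
eu-west-2 endpoint and an access key pair, not the FTP login, is provided
through the usual AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY variables).
"""
from datetime import datetime, timedelta, timezone

ENDPOINT = "https://s3.eu-west-2.wasabisys.com"  # assumed regional S3 endpoint
REGION = "eu-west-2"
BUCKET = "backup_fortigate"
KEY_PREFIX = "fortigate_01_config"
MAX_AGE = timedelta(hours=26)  # daily stitch plus slack for a late run


def newest_backup(objects):
    """Return (key, last_modified) of the most recently written object, or None."""
    if not objects:
        return None
    obj = max(objects, key=lambda o: o["LastModified"])
    return obj["Key"], obj["LastModified"]


def check_freshness(objects, now=None, max_age=MAX_AGE):
    """Return (ok, message); ok is False if no backup exists or the newest is too old."""
    now = now or datetime.now(timezone.utc)
    newest = newest_backup(objects)
    if newest is None:
        return False, f"no object with prefix {KEY_PREFIX!r} in bucket {BUCKET!r}"
    key, written = newest
    age = now - written
    if age > max_age:
        return False, f"{key} last written {written.isoformat()}, {age} ago (limit {max_age})"
    return True, f"{key} last written {written.isoformat()}, {age} ago"


def list_backups():
    """Fetch the current objects under KEY_PREFIX from Wasabi (needs boto3)."""
    import boto3  # imported lazily so the checks above run without it
    s3 = boto3.client("s3", endpoint_url=ENDPOINT, region_name=REGION)
    resp = s3.list_objects_v2(Bucket=BUCKET, Prefix=KEY_PREFIX)
    return resp.get("Contents", [])


# Constructed listings in the shape list_objects_v2 returns, for testing offline.
SAMPLE_NOW = datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc)
SAMPLE_FRESH = [{"Key": "fortigate_01_config",
                 "LastModified": datetime(2024, 5, 2, 2, 5, tzinfo=timezone.utc),
                 "Size": 123456}]
SAMPLE_STALE = [{"Key": "fortigate_01_config",
                 "LastModified": datetime(2024, 4, 28, 2, 5, tzinfo=timezone.utc),
                 "Size": 123456}]

if __name__ == "__main__":
    import sys
    ok, msg = check_freshness(list_backups())
    print(("OK: " if ok else "ALERT: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it from cron or a monitoring job and alert on a non-zero exit. Because the FortiGate overwrites the same key every day, list_objects_v2 only shows the current version; with versioning enabled, the older copies are still retrievable through the bucket's object versions if the latest upload turns out to be bad.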

FortiGate REST API: POST system/api-user/generate-key – resolve the 403 error


When you try to generate a new API key for an API user in FortiGate through the REST API, you may encounter a 403 error:

{
    "http_method": "POST",
    "status": "error",
    "http_status": 403,
    "vdom": "root",
    "path": "system",
    "name": "api-user",
    "action": "generate-key",
    "serial": "FGTXXXXXXXXXXXXXX",
    "version": "v7.2.4",
    "build": 1396
}

This error occurs when the user making the API call does not have the necessary permissions. When you create an API user through the FortiGate GUI, you cannot assign the super_admin profile, because it is not shown in the profile drop-down list. The only way to assign this profile is through the CLI.

The problem has been discussed in this forum post: community.fortinet.com/t5/Support-Forum/API-request-of-new-token/m-p/242109#M205093. However, here is a more detailed procedure.

Solution: set the accprofile "super_admin" on the API-user account

Keep in mind that super_admin gives this key full administrative rights on the device, so restrict the source addresses allowed to use it (the trusthost settings of the api-user) and protect the key like any admin credential.

How to set the super_admin profile on the API user via the CLI on FortiGate?

Connect to the FortiGate, open the CLI and run the following commands:

  1. config system api-user

  2. edit "<the_api_rest_user_to_modify>"

  3. set accprofile "super_admin"

  4. end

  5. Now you can make the API request that generates the API key with that user.

    1. Example request on FortiGate v7.2.4: POST https://{{ADDRESS}}/api/v2/monitor/system/api-user/generate-key?api-user={{API_REST_ADMIN_USERNAME}}&vdom=root
  6. If you run the show command, you should see something similar to this.

    Example with API user "rest_api_admin":

config system api-user
    edit "rest_api_admin"
        set api-key ENC SH2FG4KXXXXXXXXXXXXXXXXXXXXXXXXX
        set accprofile "super_admin"
        set vdom "root"
    next
end
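An added example of the request above as a Python script that rotates the key and recognises the 403 body quoted earlier; it is not code from the original page. It assumes a hypothetical FortiGate address, that the caller authenticates with an existing api-user key as a bearer token, and that a successful call returns the new key under results.access_token (my understanding of the response layout, not something the page confirms).

```python
"""Generate a new key for a FortiGate api-user over the REST API.

Added example, not from the original page. Assumptions: FGT_HOST is a
hypothetical address, the caller presents an existing api-user key as a bearer
token, and a successful reply carries the new key in results.access_token.
"""
import json

FGT_HOST = "192.0.2.10"             # hypothetical FortiGate address
TARGET_API_USER = "rest_api_admin"  # api-user from the page's example
VDOM = "root"


def generate_key_url(host, api_user, vdom=VDOM):
    """Endpoint from the page: POST /api/v2/monitor/system/api-user/generate-key."""
    return (f"https://{host}/api/v2/monitor/system/api-user/generate-key"
            f"?api-user={api_user}&vdom={vdom}")


def diagnose(status_code, body, api_user):
    """Turn a generate-key reply into (new_key_or_None, message).

    body is the decoded JSON; FortiOS repeats the HTTP status inside it, as in
    the 403 sample on the page.
    """
    if status_code == 200 and body.get("status") == "success":
        key = body.get("results", {}).get("access_token")  # assumed field name
        if key:
            return key, f"new key generated for api-user {api_user!r}"
        return None, "success reported but no access_token in results"
    if status_code == 403 and body.get("action") == "generate-key":
        return None, (f"403 from generate-key for api-user {api_user!r} on {body.get('serial')}: "
                      "the calling api-user lacks permission; set accprofile super_admin "
                      "on it from the CLI (config system api-user / set accprofile)")
    return None, f"unexpected reply: HTTP {status_code}, status={body.get('status')!r}"


def rotate_key(host, bootstrap_token, api_user, ca_bundle=True):
    """Perform the POST with bearer auth. Needs the requests package.

    Pass the path of the CA bundle that signed the FortiGate's certificate as
    ca_bundle; do not disable verification on a device that hands out admin keys.
    """
    import requests  # imported lazily so diagnose() runs without it
    resp = requests.post(generate_key_url(host, api_user),
                         headers={"Authorization": f"Bearer {bootstrap_token}"},
                         verify=ca_bundle, timeout=10)
    try:
        body = resp.json()
    except ValueError:
        body = {}
    return diagnose(resp.status_code, body, api_user)


# The 403 body quoted on the page, embedded here as constructed test input.
PAGE_403 = json.loads("""{
    "http_method": "POST", "status": "error", "http_status": 403,
    "vdom": "root", "path": "system", "name": "api-user",
    "action": "generate-key", "serial": "FGTXXXXXXXXXXXXXX",
    "version": "v7.2.4", "build": 1396
}""")

if __name__ == "__main__":
    import os
    import sys
    key, msg = rotate_key(FGT_HOST, os.environ["FGT_TOKEN"], TARGET_API_USER)
    print(msg)
    sys.exit(0 if key else 1)
```

The bootstrap token is read from the FGT_TOKEN environment variable rather than a command-line argument so it does not show up in the process list; the generated key is printed only through the caller's own handling of the return value, which is where it should be stored in a secret manager.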