Fortigate VDOM Config Backup

Been running the backup for our two Fortigate firewalls for the past couple of months thinking it was doing a full backup, when in actual fact it's only backing up the Global config and none of the VDOM configs.

Has anyone managed to get their VDOMs backed up as part of the overall backup job?

Thanks

Jon

  • Hi Jon,

    How do you manually back up the VDOM configs? Do you need to issue different commands?

    It could require using the same method described here:

    HTH,

    Yann

  • Hi Yann

    The issue with the Fortigates is that there is a global config, which is downloaded through NCM fine, but each VDOM has a separate config. Within the Fortigate's web frontend you can do a download of the config but it's useless for looking at.

    You can get a config for each VDOM by going into each VDOM and doing a show full-config.

    Could I do this through a script and have it automatically save the output somewhere? We have multiple VDOMs we need the config for, so doing as you suggest in the link is not the best solution for us.

    Thanks

    Jon

  • There is a way: by TFTP.

    Just edit the template, add a pre-command, and use TFTP instead of Telnet/SSH:

    <!--SolarWinds Network Management Tools-->
    <!--Copyright 2007 SolarWinds.Net All rights reserved-->
    <Configuration-Management Device="Fortigate 60" SystemOID="1.3.6.1.4.1.12356">
     <Commands>
      <Command Name="RESET" Value="config system console ${CRLF}set output standard ${CRLF}end"/>
      <Command Name="Reboot" Value="execute reboot${CRLF}y${CRLF}"/>
      <Command Name="EnterConfigMode" Value="config"/>
      <Command Name="ExitConfigMode" Value="end"/>
      <Command Name="Startup" Value="full-configuration"/>
      <Command Name="Running" Value=""/>
      <Command Name="DownloadConfig" Value="show ${ConfigType}"/>
      <Command Name="UploadConfig" Value="${ConfigText}${CRLF}${ExitConfigMode}"/>
      <Command Name="DownloadConfigIndirect" Value="execute backup config ${TransferProtocol} ${StorageFilename} ${StorageAddress}${CRLF}${CRLF}${CRLF}"/>
      <Command Name="UploadConfigIndirect" Value="execute restore config tftp ${StorageFilename} ${StorageAddress}${CRLF}${CRLF}"/>
      <Command Name="EraseConfig" Value="execute factoryreset${CRLF}y"/>
      <Command Name="SaveConfig" Value="execute cfg save"/>
      <Command Name="Version" Value="get system status"/>
      <Command Name="PreCommand" Value="config global"/>
     </Commands>
    </Configuration-Management>

  • That worked a treat thanks.

    Yann, do the device templates get reset to default when a new version's installed?

    Thanks

    Jon

  • Jon,

    You can copy the Fortigate template to a different one and edit this.

    You will have 2 Fortigate templates - one for multiple VDOMs and one for no VDOMs.

  • Jon, as long as you rename when you copy an existing to create your custom ones, they won't be reset during upgrade.

  • It's just great when you go searching a forum for something, find what you're looking for, and the solution works straight away. Well done everyone.

  • Can you just tell me how you made these changes? I am new to this tool.

  • This was great, thanks.  Side note though - I don't think a CLI backup will include portions of SSL VPN configs.  Your portals and widget configurations don't appear in CLI output.  Something to keep in mind if you use them and do a restore (don't learn it the hard way like I did :)  The SSL config is included in a GUI backup.

  • The indirect backup (the "execute backup config" command) creates a comprehensive zip file, same as the GUI.  

    Also like the GUI backup, if you want to back up any passwords or VPN keys you need to modify the command to add an encryption password.

    The tradeoff of this is you lose any change alerts you may have had.   But you have a backup that will bring you right back from a blank box.
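
A check for the failure that opens this thread, a stored backup holding only the global config: this is an added example, not code from any poster or from SolarWinds. It assumes a text backup in which each VDOM's settings sit in their own top-level `config vdom` / `edit <name>` block; the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample; the multi-VDOM layout shown here is an assumption.
SAMPLE = """config global
config system global
end
end
config vdom
edit root
config firewall policy
edit 1
set comments "note
config y"
next
end
end
config vdom
edit vd1
config system settings
end
end"""
GLOBAL_ONLY = SAMPLE.split("config vdom")[0]  # what a global-only job captures

def vdom_blocks(text):
    """Map each VDOM to the number of config blocks stored under it."""
    depth, in_vdom, in_string, current, blocks = 0, False, False, None, {}
    for line in map(str.strip, text.splitlines()):
        odd = len(re.findall(r'(?<!\\)"', line)) % 2 == 1
        if in_string:  # inside a multi-line quoted value: ignore its content
            in_string = not odd
        elif line.startswith("config "):
            if depth == 0:
                in_vdom = line == "config vdom"
            elif depth == 1 and in_vdom and current:
                blocks[current] += 1
            depth += 1
        elif line == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                in_vdom, current = False, None
        elif line.startswith("edit ") and depth == 1 and in_vdom:
            current = line[5:].strip('"')
            blocks.setdefault(current, 0)
        else:
            in_string = odd  # a "set" line may open a multi-line value
    return blocks

def missing_vdoms(text, expected):
    """VDOMs the operator expects that have no config in this backup."""
    return sorted(v for v in expected if not vdom_blocks(text).get(v))
```

Run `missing_vdoms` over each stored backup with the list of VDOMs you expect on that firewall; a non-empty result means the job is capturing less than a full restore needs.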