Performing a Configuration Backup – FortiOS 5.2 Best Practices

Performing a configuration backup

Once you configure the FortiGate unit and it is working correctly, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate unit to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it.

It is also recommended that once any further changes are made that you backup the configuration immediately, to ensure you have the most current configuration available. Also, ensure you backup the configuration before upgrading the FortiGate unit’s firmware. Should anything happen during the upgrade that changes the configuration, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP and TFTP site.The latter two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate unit or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not appear.

To back up the FortiGate configuration – web-based manager:

1. Go to System > Dashboard > Status.

2. On the System Information widget, select Backup next to System Configuration.

3. Select to backup to your Local PC or to a USB Disk. The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.

4. If VDOMs are enabled, select to backup the entire FortiGate configuration (Full Config) or only a specific VDOM configuration (VDOM Config).

5. If backing up a VDOM configuration, select the VDOM name from the list.

6. Select Encrypt configuration file. Encryption must be enabled on the backup file to back up VPN certificates.

7. Enter a password and enter it again to confirm it. You will need this password to restore the file.

8. Select Backup.

9. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

To back up the FortiGate configuration – CLI:

execute backup config management-station

… or …

execute backup config usb Backup_filename [Backup Password]

… or for FTP (note that port number, username are optional depending on the FTP site)…

execute backup config ftp backup_filename ftp_server port user_name password

… or for TFTP …

execute backup config tftp backup_filename tftp_servers password

Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom edit

Backing up a configuration file using SCP

You can use secure copy protocol (SCP) to download the configuration file from the FortiGate unit as an alternative method of backing up the configuration file or an individual VDOM configuration file. This is done by enabling SCP for and administrator account and enabling SSH on a port used by the SCP client application to connect to the FortiGate unit. SCP is enabled using the CLI commands:

config system global
set admin-scp enable

Use the same commands to backup a VDOM configuration by first entering the commands:

config global
set admin-scp enable
config vdom
edit [vdom name]

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS, FortiOS 5.2 Best Practices on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “Performing a Configuration Backup – FortiOS 5.2 Best Practices

  1. Zoltan

    Hi FortiNetGuru!

    Is it possible to UPLOAD the configuration file via SCP?
    (To be clear: I want to download the configuration from FG1 every night via SCP and upload it to FGT2 via SCP.)

    Kind regards,


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.