mcarneir0/fortigate-backup-api

Fortigate Config Backup Tool

This simple script makes it easy to perform backups of multiple Fortigate firewalls. It reads a list of Fortigates from a CSV file, performs a backup of each one, and saves the backup file to a local directory.

Changelog: 10/12/2024 - updated to use the Authorization: Bearer header instead of the old method of inserting the API key into the URL. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-7-4-5-to-Allow-access-token/ta-p/357228 (thanks to @wintermute000)

Installation

Requirements

Clone the project

git clone https://github.com/mcarneir0/fortigate-backup-api.git

Go to project folder.

cd fortigate-backup-api

Install dependencies.

pip install -r requirements.txt

Usage

Add the details of each Fortigate to back up in the fortigates.csv file. You can then perform the backup in one of two ways:

  1. Run the fgt-backup.py file to perform a backup of all Fortigates without user input. Useful with cron jobs or scheduled tasks.
    python fgt-backup.py
  2. Run the manual-backup.py file to display a list with all Fortigates and then select which Fortigates will be backed up.
    python manual-backup.py

Configuration

CSV file format

The fortigates.csv file should have the following format:

name,ip_1,ip_2,token
Fortigate1,192.168.1.1,,xxxxxxxxxxxxxxxxx
Fortigate2,10.0.0.1:9999,myfortigate.fortiddns.com:9999,yyyyyyyyyyyyyyyyy

FQDN addresses can be used too!

Where:

  • name: A name to identify the Fortigate
  • ip_1: Primary IP address of the Fortigate
  • ip_2: Secondary IP address of the Fortigate (optional)
  • token: API key provided by the Fortigate

Notes:

  1. If you are using a custom administrative port (other than 443), include it with the IP address in <IP>:<PORT> format.
  2. If your Fortigate does not have a secondary IP address, just leave it blank, as in the Fortigate1 example.
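
Because fortigates.csv holds one API key per firewall in plain text, it helps to check the file before a scheduled run. The following is an added example, not code from this project: it parses the format described above, applies the 443 default and the <IP>:<PORT> rule, and reports whether the file is accessible to anyone but its owner. The function names are hypothetical, and the permission check assumes POSIX file modes.

```python
import csv
import os
import stat
import tempfile

DEFAULT_PORT = 443  # per the notes above, a port is only written when it is not 443

def split_host_port(value):
    """Split '<IP>:<PORT>' or '<FQDN>:<PORT>'; default to 443 (IPv6 literals not handled)."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad address {value!r}")
    return host, int(port)

def world_or_group_accessible(path):
    """True if any group/other permission bit is set on the token file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def load_targets(path):
    """Return one dict per firewall; endpoints are ordered primary, then secondary."""
    targets, seen = [], set()
    with open(path, newline="", encoding="utf-8") as fh:
        reader = csv.DictReader(fh)
        for row in reader:
            name = (row.get("name") or "").strip()
            token = (row.get("token") or "").strip()
            addrs = [(row.get(k) or "").strip() for k in ("ip_1", "ip_2")]
            if not name or not token or not addrs[0]:
                raise ValueError(f"line {reader.line_num}: name, ip_1 and token are required")
            if name in seen:
                raise ValueError(f"line {reader.line_num}: duplicate name {name!r}")
            seen.add(name)
            endpoints = [split_host_port(a) for a in addrs if a]
            targets.append({"name": name, "endpoints": endpoints, "token": token})
    return targets

if __name__ == "__main__":
    # Constructed sample: the two rows from the format description above.
    sample = ("name,ip_1,ip_2,token\nFortigate1,192.168.1.1,,xxxxxxxxxxxxxxxxx\n"
              "Fortigate2,10.0.0.1:9999,myfortigate.fortiddns.com:9999,yyyyyyyyyyyyyyyyy\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fortigates.csv")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o600)  # owner-only, since every row carries an API key
        print("too permissive:", world_or_group_accessible(path))
        for t in load_targets(path):
            print(t["name"], t["endpoints"])  # tokens are deliberately not printed
```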

SSL certificate warnings

By default, the script verifies the SSL certificate of the Fortigates. If you have self-signed certificates, you may want to disable this feature. To do so, uncomment the following two lines at the beginning of the script:

# requests.packages.urllib3.disable_warnings()
# req.verify = False
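
An alternative to turning verification off is to trust the firewall's own certificate explicitly. The following is an added example, not code from this project; it uses the Python standard library rather than requests so that it runs without dependencies. The function names, the `ca_file` parameter and the backup path and GET method are assumptions that the README does not show.

```python
import ssl
import urllib.request

# Assumption: REST path for a full configuration backup; check it against the
# API reference for your FortiOS version. The README does not list it.
BACKUP_PATH = "/api/v2/monitor/system/config/backup?scope=global"

def tls_context(ca_file=None):
    """Verifying TLS context. ca_file is a PEM export of the firewall's
    self-signed certificate (or its issuing CA); None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def backup_request(address, token):
    """Build the request with the API key in the Authorization header, never in the URL."""
    if any(c.isspace() for c in address + token):
        raise ValueError("whitespace in address or token")  # blocks header/URL injection
    return urllib.request.Request(
        f"https://{address}{BACKUP_PATH}",
        headers={"Authorization": f"Bearer {token}"},
    )

def fetch_backup(address, token, ca_file=None, timeout=10):
    """Download the configuration. An untrusted certificate raises
    urllib.error.URLError instead of being silently accepted."""
    req = backup_request(address, token)
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as resp:
        return resp.read()

if __name__ == "__main__":
    # Constructed values from the CSV example; nothing is sent over the network here.
    req = backup_request("10.0.0.1:9999", "yyyyyyyyyyyyyyyyy")
    ctx = tls_context()
    print(req.full_url)
    print("verification required:", ctx.verify_mode == ssl.CERT_REQUIRED)
    print("hostname checked:", ctx.check_hostname)
```

Hostname checking stays on, so the certificate must list the address used in fortigates.csv among its subject alternative names. With the script's requests session, the equivalent is to set `verify` to the path of the PEM file instead of `False`.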

Folder structure

The script creates two folders:

  • backups: Contains the backup files.
  • logs: Contains the log files.

The backup files are saved in a subfolder of backups named with the current date in the format mm-dd-yyyy.

The log files are saved in the logs folder with the name bkp-<current_date>.log.

Generating the API key

The main reason to use the API key is that you don't need to enter your login credentials anywhere or access the firewall directly.

To do so, you first need to create a REST API Admin with super_admin rights. Follow the steps below.

1. Access the firewall

Log in to the firewall GUI with your credentials and make sure you have super_admin rights.

2. Create a temporary Admin Profile

Click on System > Admin Profiles and create a new Admin Profile with no permissions.

3. Create a new REST API Admin

Click on System > Administrators and create a new REST API Admin.

Enter a username and an optional comment, select the administrator profile you created, and disable PKI Group and CORS.

Trusted Hosts is optional on FortiOS 7.x but mandatory on 6.x versions.

WARNING!

It is highly recommended that you fill in your IP or network in Trusted Hosts so that only requests made from these addresses are accepted; otherwise anyone with access to the API token will have unrestricted access to the firewall.

Click OK and you will be prompted to store the generated API key in a secure location. Keep in mind that this key will not be shown again so if you lose it, you will have to generate another one.

4. Grant super_admin permissions to the user

This is why we created the temporary profile earlier: Fortigate doesn't allow creating super_admin REST API users directly. This permission is needed to back up other super_admin users you may have on the firewall.

To do this, run the following commands in the CLI Console. Click the option in the upper right corner to open it.

# config system api-user
(api-user) # edit <username>
(<username>) # set accprofile super_admin
(<username>) # set vdom root
(<username>) # next
(api-user) # end 

Now close the CLI, delete the temporary Admin Profile and you're good to go.

Environment

Tested with:

  • Windows 11
  • Ubuntu 22.04.2 LTS
  • CentOS 7
  • Python 3.11.2 / 3.11.1 / 3.10.9 / 3.10.6 / 3.6.8
  • FortiOS 6.0.x / 6.2.x / 7.0.x / 7.2.x / 7.4.5 / 7.6.1

References

License

This project is licensed under the GPL-2.0 License - see the LICENSE file for details.