This simple script makes it easy to perform backups of multiple Fortigate firewalls. It reads a list of Fortigates from a CSV file, performs a backup of each one, and saves the backup file to a local directory.
Changelog: 10/12/2024 - updated to utilise authorisation bearer header instead of old method of inserting API key into URL - reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-7-4-5-to-Allow-access-token/ta-p/357228 (Thanks to @wintermute000)
Requirements:
- Python 3.6 or newer
- Requests module
Clone the project
git clone https://github.com/mcarneir0/fortigate-backup-api.git
Go to the project folder.
cd fortigate-backup-api
Install dependencies.
pip install -r requirements.txt
Add the details of each Fortigate to back up to the fortigates.csv file. You can then perform the backup in two ways:
- Run the fgt-backup.py file to perform a backup of all Fortigates without user input. Useful with a cron job or scheduled task.
  python fgt-backup.py
- Run the manual-backup.py file to display a list of all Fortigates and then select which ones will be backed up.
  python manual-backup.py
The fortigates.csv file should have the following format:
name,ip_1,ip_2,token
Fortigate1,192.168.1.1,,xxxxxxxxxxxxxxxxx
Fortigate2,10.0.0.1:9999,myfortigate.fortiddns.com:9999,yyyyyyyyyyyyyyyyy
FQDN addresses can be used too!
Where:
- name: A name to identify the Fortigate
- ip_1: Primary IP address of the Fortigate
- ip_2: Secondary IP address of the Fortigate (optional)
- token: API key provided by the Fortigate

Notes:
- If you are using a custom administrative port (other than 443), include it with the IP address in <IP>:<PORT> format.
- If your Fortigate does not have a secondary IP address, just leave it blank, as in the Fortigate1 example.
By default, the script verifies the SSL certificate of the Fortigates. If you have self-signed certificates, you may want to disable this feature. To do so, uncomment the following two lines at the beginning of the script:
# requests.packages.urllib3.disable_warnings()
# req.verify = False
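As an added example (not the project's own code), the following parses the fortigates.csv format described above, sends the token only in the Authorization bearer header, and keeps certificate verification on by trusting a self-signed certificate through a CA file rather than turning verification off. The endpoint path, the GET method, the function names and the ca_file parameter are assumptions and do not come from this page.

```python
import csv
import io
import ssl
import urllib.request

# Assumption: FortiOS config-backup endpoint path and GET method; neither is
# stated on this page.
BACKUP_PATH = "/api/v2/monitor/system/config/backup?scope=global"

# Constructed sample in the fortigates.csv format shown above.
SAMPLE_CSV = """name,ip_1,ip_2,token
Fortigate1,192.168.1.1,,xxxxxxxxxxxxxxxxx
Fortigate2,10.0.0.1:9999,myfortigate.fortiddns.com:9999,yyyyyyyyyyyyyyyyy
"""

def load_fortigates(text):
    """Parse CSV text into dicts; addresses are listed in the order to try."""
    fortigates = []
    for row in csv.DictReader(io.StringIO(text)):
        addrs = [a.strip() for a in (row.get("ip_1"), row.get("ip_2")) if a and a.strip()]
        token = (row.get("token") or "").strip()
        if not addrs or not token:
            raise ValueError(f"{row.get('name')}: at least one address and a token are required")
        fortigates.append({"name": row["name"].strip(), "addresses": addrs, "token": token})
    return fortigates

def build_requests(fgt):
    """One request per address; the token goes in the header, never the URL."""
    headers = {"Authorization": f"Bearer {fgt['token']}"}
    return [urllib.request.Request(f"https://{addr}{BACKUP_PATH}", headers=headers)
            for addr in fgt["addresses"]]

def tls_context(ca_file=None):
    """Verifying TLS context. Pass ca_file (PEM) to trust a self-signed or
    private-CA certificate while still checking the chain and host name."""
    return ssl.create_default_context(cafile=ca_file)

def backup(fgt, ca_file=None, timeout=10):
    """Try each address in order and return the raw configuration bytes."""
    ctx, last_error = tls_context(ca_file), None
    for req in build_requests(fgt):
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
                return resp.read()
        except OSError as exc:  # URLError, TLS failures and timeouts are OSErrors
            last_error = exc
    raise RuntimeError(f"{fgt['name']}: no address answered") from last_error
```

Host name checking stays enabled, so a certificate trusted this way must list the address or FQDN used in fortigates.csv in its subject alternative names.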
The script creates two folders:
- backups: Contains the backup files.
- logs: Contains the log files.
The backup files are saved in a subfolder of backups named with the current date in the format mm-dd-yyyy.
The log files are saved in the logs folder with the name bkp-<current_date>.log.
The main reason to use the API key is that you don't need to enter your login credentials anywhere or access the firewall directly.
To do so, you first need to create a REST API Admin with super_admin rights. Follow the steps below.
Login to the firewall GUI with your credentials and make sure you have super_admin rights.
Click on System > Admin Profiles and create a new Admin Profile with no permissions.
Click on System > Administrators and create a new REST API Admin.
Enter a username and a comment (optional), select the administrator profile you created, and disable PKI Group and CORS.
Trusted Hosts is optional on FortiOS 7.x but mandatory on 6.x versions.
It is highly recommended that you enter your IP or network in Trusted Hosts so that only requests made from these addresses are accepted; otherwise anyone with access to the API token will have unrestricted access to the firewall.
Click OK and you will be prompted to store the generated API key in a secure location. Keep in mind that this key will not be shown again so if you lose it, you will have to generate another one.
That's why we created that temporary profile earlier: Fortigate doesn't allow creating super_admin REST API users directly, but this permission is needed to back up other super_admin users you may have on the firewall.
To grant it, run the following commands in the CLI Console. Click on the option in the upper right corner to open it.
# config system api-user
(api-user) # edit <username>
(<username>) # set accprofile super_admin
(<username>) # set vdom root
(<username>) # next
(api-user) # end
Now close the CLI, delete the temporary user profile and you're good to go.
Tested with:
- Windows 11
- Ubuntu 22.04.2 LTS
- CentOS 7
- Python 3.11.2 / 3.11.1 / 3.10.9 / 3.10.6 / 3.6.8
- FortiOS 6.0.x / 6.2.x / 7.0.x / 7.2.x / 7.4.5 / 7.6.1
References:
- FortiGate REST API Token Authentication
- Technical Tip: Get backup config file on FortiGate using RestAPI via Python script
This project is licensed under the GPL-2.0 License - see the LICENSE file for details.