Firewall configuration backups can save hours of reconfiguration when one of your firewalls goes nuked due to any reason whatsoever.
While fortigates have a backup button, that gets boring and repetitive soon when you reach 10 fortigates to backup daily.
I put up this following backup utility using windows batch programming and of course credit goes to all those blogs and posts I referred. This uses secure copy which must be enabled on the device.
Here is the batch code along with the .txt file you can download. Once you download the .txt just rename it to .bat for it to work.
Download The Bat File@echo off
for /f " eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l
echo end
goto :EOF
:oneaddr
cd c:\Program Files\PuTTY
pscp -pw %3 %2@%1:sys_config C:\backup\%4-%DATE%-%TIME::=%.conf
What I have highlighted in red is another .txt file which is to be fed as input to the .bat code above and both should be in the same directory.
The folder where the config files will be downloaded should already exist. And the file will be downloaded with the .conf extension there.
Also highlighted is the location where your putty is installed should match with the one in the batch file (and yes putty can be installed).
What this input file contains is the IP address, admin name, admin password and device name.
The format must be: (Keep adding more on each line.)
x.x.x.x,username,password,devicename
y.y.y.y,username2,password2,devicename2
z.z.z.z,username3,password3,devicename3
The interface of the IP you’re providing should have SSH enabled.
Once you have everything ready just put both the bat and input txt file in a folder.
Now the last thing you need is to enable admin-scp on your foritgate device. The CLI way to do it is:
config system global
set admin-scp enable
end
And now you just have to doubleclick the .bat file and you will see all your fortigates being backed up one by one with a name-date-time stamp.
I can hear your worries about storing passwords to firewalls in txt. You can minimize the risk by configuring read_only admin accounts on the firewalls or else just take of the that input .txt file.