
Build a Backup Solution for your FortiGate.

Background

I was recently in charge of designing and deploying FortiGate devices in an SD-WAN multi-site environment.

After completing the deployment, the operations team asked me for a solution to keep daily backups of the FortiGate configurations in a central repository.  The solution must retain the backups for seven (7) calendar days.

In my analysis, I found that FortiOS can save the FortiGate configuration backup file to an SFTP server on a scheduled basis.  However, FortiOS does not prune old backups, so the solution must be complemented with external automation that deletes files older than seven (7) days.

Solution

The solution we developed has four (4) main components:

  1. Azure Storage Account, used as the SFTP server and to store the backup files.
  2. Azure Automation Account, which runs a script on a schedule to delete old backup files.
  3. Azure Key Vault, which securely stores the SFTP credentials.
  4. FortiOS automation stitch, which uploads the configuration backup on a schedule.

Azure Storage Account

The Azure Storage Account provides two important functionalities in this solution: SFTP Server and Data Storage.  To support SFTP on Azure Blob Storage, a standard general-purpose v2 or premium block blob storage account must be deployed.

Selecting the “Enable hierarchical namespace” and “Enable SFTP” options is important while deploying this service.


Remember to assign the Storage Blob Data Contributor role to your Azure account on the storage account.

After the Storage Account is deployed, go to Settings / SFTP in the left menu.  Then, add a Local User that authenticates with an SSH password.  When adding the user, you can create a new container (folder) or select an existing one as its home directory.  After you have created the SFTP account, write down the generated password; you will need it in your Key Vault and in the FortiGate script.

Azure Automation Account

Azure Automation allows you to use runbooks to automate the execution of a PowerShell script that will connect to the SFTP Server and delete files older than seven (7) days.

Once the Automation Account is deployed, enable its system-assigned managed identity.  The runbook will use this identity to authenticate to the Key Vault and read the SFTP server credentials, so no secret has to be stored in the script itself.

To enable the identity in the Automation Account, go to Account Settings / Identity / System assigned and set the status option to On.


The PowerShell script requires the Posh-SSH module, which is not included by default.  Open the runtime environment of the Automation Account, choose the option to add a module, and add Posh-SSH (the Az.Accounts and Az.KeyVault modules used by the script are included by default).

Next, in the left menu select Shared Resources / Variables and create the RetentionDays variable with an integer value.  In my case, I use 7.  This is the maximum number of days a backup file is kept.

Then, in the left menu, select Process Automation / Runbooks and create a new Runbook.  In my case, the runbook type I selected was PowerShell and the Runtime Environment PowerShell-7.2.

Once the Runbook is created, open it and select Edit / Edit in the portal from the top menu.  In the editor, paste the following script:


##############################################################
#   DeleteOldBackupFiles
#   Description:    This script was developed to connect to an SFTP Server
#                   and delete old files based on the $daysOld variable
#   Author: Javier Morales (javopr@gmail.com)
#   version 1.1.0
#   changes:
#   1.1.0 - Initial version
#   Requires the Az.Accounts, Az.KeyVault and Posh-SSH modules
#   in the runtime environment of the Automation Account
##############################################################

# Stop on the first error so a failed login does not silently skip the cleanup
$ErrorActionPreference = 'Stop'

# Connect to Azure using the Automation Account's system-assigned managed identity
Write-Output "Connecting to Azure"
Connect-AzAccount -Identity
Write-Output "Successfully connected with Automation account's Managed Identity"

# Define variables: SFTP details come from Key Vault, retention from an Automation variable
Write-Output "Reading and configuring variables"
$current      = Get-Date
$mysftpserver = Get-AzKeyVaultSecret -VaultName "kv-forti-prd-eu" -Name "SFTPServer"   -AsPlainText
$sftpUsername = Get-AzKeyVaultSecret -VaultName "kv-forti-prd-eu" -Name "sftpUsername" -AsPlainText
$sftpPassword = Get-AzKeyVaultSecret -VaultName "kv-forti-prd-eu" -Name "sftpPassword" -AsPlainText
# Alternative: a credential stored under Shared Resources / Credentials of the Automation Account
#$SSHServerCred = Get-AutomationPSCredential -Name "SSH"
$daysOld = [int](Get-AutomationVariable -Name 'RetentionDays')
Write-Output "Variables set"

# Connect to the SFTP server and save the session into a variable
Write-Output "Connecting to SFTP"
#$session = New-SFTPSession -ComputerName $mysftpserver -Credential $SSHServerCred -Force
$securePassword = ConvertTo-SecureString $sftpPassword -AsPlainText -Force
$sftpCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $sftpUsername, $securePassword
$session = New-SFTPSession -ComputerName $mysftpserver -Credential $sftpCredential -AcceptKey -Force

# Get all files in the SFTP home directory
Write-Output "Getting the files list"
$files = Get-SFTPChildItem -SFTPSession $session -File

# For each file
ForEach ($f in $files)
{
    # Set variables using the file metadata
    $filename      = $f.FullName
    $LastWriteTime = Get-Date $f.LastWriteTime
    $fileSpace     = $f.Length
    $DateDiff      = New-TimeSpan -Start $LastWriteTime -End $current

    # Display file information
    Write-Output "File Name: $filename"
    Write-Output "File Space: $fileSpace"
    Write-Output "File Date/Time: $LastWriteTime"
    Write-Output ("Time Difference: " + $DateDiff)
    Write-Output "Days of Difference: $($DateDiff.Days)"

    # Delete files older than $daysOld days
    if ($DateDiff.Days -gt $daysOld) {
        Write-Output "Deleting File $filename"
        Remove-SFTPItem -SFTPSession $session -Path $filename -Force
        Write-Output "File $filename deleted"
    }
    Write-Output "---------------------------------------"
}

# Close the SFTP session
Remove-SFTPSession -SFTPSession $session | Out-Null

After copying the code into the editor, click Save and then Publish.

Finally, to make the runbook run recurrently, select Shared Resources / Schedules in the left menu, then add a schedule and link it to the runbook.  In my case, the schedule runs every 8 hours.
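The runbook above deletes every file in the directory that is older than the retention window, whatever its name.  That has a failure mode worth guarding against: if a FortiGate stops uploading (a broken stitch, a changed password, an outage), the retention job keeps running and after seven days that device has no backup left at all.  The following function is an added example, not part of the original runbook, that applies the same age rule more defensively: it only considers files whose names match the pattern produced by the FortiGate stitch, groups them by device id and always keeps the newest few per device.  The function name, its parameters and the assumption that the device id in the filename contains no hyphen are mine; it expects an open Posh-SSH session such as the $session variable in the runbook.

```powershell
# Added example (not part of the original runbook): prune FortiGate backups by age,
# but never below $MinimumKeep files per device. Helper name and parameters are assumptions.
function Remove-OldFortiGateBackups {
    param(
        [Parameter(Mandatory)] $Session,     # open Posh-SSH SFTP session
        [string] $Path = '.',                # directory to prune (SFTP home by default)
        [int]    $RetentionDays = 7,         # files older than this are candidates
        [int]    $MinimumKeep = 3,           # always keep this many newest files per device
        [switch] $WhatIf                     # report what would be deleted, delete nothing
    )

    # Filename produced by the stitch: bk-<date>-<time>_<devname>-<devid>.conf
    # Assumes the device id contains no hyphen, so the greedy <devname> group stops correctly.
    $pattern = '^bk-.+_(?<devname>.+)-(?<devid>[^-]+)\.conf$'
    $cutoff  = (Get-Date).AddDays(-$RetentionDays)

    # Only files written by the backup stitch are considered; anything else is left alone
    $files = Get-SFTPChildItem -SFTPSession $Session -Path $Path -File |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Item  = $_
                DevId = [regex]::Match($_.Name, $pattern).Groups['devid'].Value
            }
        }

    $deleted = @()
    foreach ($group in ($files | Group-Object -Property DevId)) {
        # Newest first; the first $MinimumKeep entries are protected regardless of age
        $sorted  = $group.Group | Sort-Object -Property { $_.Item.LastWriteTime } -Descending
        $expired = $sorted | Select-Object -Skip $MinimumKeep |
            Where-Object { $_.Item.LastWriteTime -lt $cutoff }

        foreach ($entry in $expired) {
            Write-Output ("{0}: deleting {1} (last write {2:u})" -f
                $group.Name, $entry.Item.FullName, $entry.Item.LastWriteTime)
            if (-not $WhatIf) {
                Remove-SFTPItem -SFTPSession $Session -Path $entry.Item.FullName -Force
            }
            $deleted += $entry.Item.FullName
        }
    }
    return $deleted
}

# Usage inside the runbook, after $session is established and $daysOld has been read:
# Remove-OldFortiGateBackups -Session $session -RetentionDays $daysOld -WhatIf   # first run: review only
# Remove-OldFortiGateBackups -Session $session -RetentionDays $daysOld
```

Run it once with -WhatIf and check the output before scheduling the deleting form; the list of files it would remove is also a quick way to spot a device whose backups stopped arriving, since that device's entries will all be old.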

Azure Key Vault

There are several ways to store the SFTP Server credentials so that the automation script can use them.  The simplest way is to store the credentials inside the Automation Account itself, in the Shared Resources / Credentials section.  The problem with saving the credentials in the Automation Account is that any user with contributor access to it in Azure can read them.  The safest way is to store them in an Azure Key Vault, where access can be granted to the Automation Account's managed identity alone.


Create the following secrets in the Azure Key Vault:

Secret Name    Secret Value
SFTPServer     <SFTP IP or Hostname>
sftpUsername   <Storage_Account_Name>.<SFTP Username> *
sftpPassword   <SFTP Password>

* The username used in the SFTP connection must be a concatenation of the storage account name, a dot "." and the SFTP username created in the storage account.
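The page does not show how the secrets get into the vault or how the runbook's managed identity is allowed to read them, and the second step is where least privilege is decided.  The following is an added example, not part of the original post, that creates the three secrets with the same names the runbook reads and grants the Automation Account's system-assigned identity read access to secrets only (no keys, certificates or write permissions).  The resource group, automation account, storage account and local user names are placeholders; the vault name is the one used in the runbook, and the SFTP endpoint of an Azure storage account is <account>.blob.core.windows.net.

```powershell
# Added example (not part of the original post): seed the Key Vault secrets and grant
# the runbook's managed identity least-privilege read access. Names in <...> are placeholders.
$resourceGroup  = '<resource-group>'
$vaultName      = 'kv-forti-prd-eu'            # vault name used by the runbook
$automationName = '<automation-account>'
$storageAccount = '<storage_account_name>'
$sftpUser       = '<sftp_username>'            # local user created under Settings / SFTP

Connect-AzAccount

# Secret values. The SFTP login for Azure Blob Storage is "<storage account>.<local user>",
# and the SFTP endpoint is the blob endpoint of the storage account.
$secrets = @{
    SFTPServer   = "$storageAccount.blob.core.windows.net"
    sftpUsername = "$storageAccount.$sftpUser"
    sftpPassword = (Read-Host -Prompt 'SFTP password' -AsSecureString)   # never typed into a script
}
foreach ($name in $secrets.Keys) {
    $value = $secrets[$name]
    if ($value -isnot [securestring]) {
        $value = ConvertTo-SecureString -String $value -AsPlainText -Force
    }
    Set-AzKeyVaultSecret -VaultName $vaultName -Name $name -SecretValue $value | Out-Null
}

# Object id of the Automation Account's system-assigned identity
$principalId = (Get-AzAutomationAccount -ResourceGroupName $resourceGroup -Name $automationName).Identity.PrincipalId
$vault       = Get-AzKeyVault -VaultName $vaultName

# Least privilege on an RBAC-enabled vault: read secrets, nothing else
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId

# Equivalent for a vault still using access policies (use one model or the other, not both):
# Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get
```

With this in place, a contributor on the Automation Account can run the runbook but cannot read the SFTP password from the portal; rotating the password is a matter of updating the sftpPassword secret and the FortiGate stitch, with no change to the runbook.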

FortiGate

FortiGate can send a recurring backup file to an SFTP server using an automation stitch.  The configuration depends on the FortiOS version; this script works in version 7.4.2.  Note that the SFTP password is part of the cli-script text and is therefore stored in clear text in the FortiGate configuration (and in the backup file itself), so restrict who can read the configuration and use a dedicated SFTP local user for the backups.

# Backup will be executed at 2:30 PM
config system automation-trigger
    edit "backup"
        set trigger-type scheduled
        set trigger-hour 14
        set trigger-minute 30
    next
end
#
# remember, sftp_username has to be concatenated
# from the storage account name, a dot ".", and the sftp username configured
# example: storageaccount.sftpusername
# replace <sftp_server>, <sftp_username> and <sftp_password> with your own values
config system automation-action
    edit "backup"
        set action-type cli-script
        set script "execute backup full-config sftp /bk-%%date%%-%%time%%_%%log.devname%%-%%log.devid%%.conf <sftp_server> <sftp_username> <sftp_password>"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "backup"
        set trigger "backup"
        config actions
            edit 1
                set action "backup"
                set required enable
            next
        end
    next
end

Conclusion

This guide provides a solution for backing up and managing the configuration files of FortiGate devices on Azure.  The solution uses an Azure Storage Account, an Automation Account, and a Key Vault.  The FortiGate devices upload their configuration files over SFTP to the storage account.  The Automation Account runs a script that deletes configuration files older than the retention period from the SFTP server, keeping only the last seven days of backups.  The Key Vault stores the SFTP server address and credentials, which the Automation Account reads through its managed identity.  The solution is scalable, cost-effective, and easy to deploy.

I hope this solution has been helpful.  Feel free to contact us if you have any questions.  Thanks!

June 27, 2024

Javier Morales - Cloud Solutions Architect

A seasoned Cloud Solutions Architect at Intwo, excels in crafting scalable cloud solutions that enhance business agility. His expertise in Azure AI transforms complex challenges into streamlined, future-ready solutions.
