After completing the deployment, the operations area asked me for a solution to maintain daily backups of the FortiGates configuration in a central repository. The solution must have the ability to maintain a retention of the backups for seven (7) calendar days.
In my analysis, I found that FortiOS can save FortiGate’s configuration backup file on a scheduled basis to an SFTP server. However, it is necessary to complement the solution with external automation to delete files older than seven (7) days.
The solution we developed has four (4) main components:
The Azure Storage Account provides two important functionalities in this solution: SFTP Server and Data Storage. To support SFTP on Azure Blob Storage, a standard general-purpose v2 or premium block blob storage account must be deployed.
Selecting the “Enable hierarchical namespace” and “Enable SFTP” options is important while deploying this service.
Remember to set the Storage Blob Data Contributor role for your Azure account.
After the Storage Account is deployed, go to Settings / SFTP in your left menu. Then, add a Local User using SSH Password. When adding the username, you can create a new container (folder) or select an existing one. After you have created the SFTP account, write down the password; you will need it in your Key Vault and the FortiGate script.
Azure Automation allows you to use runbooks to automate the execution of a PowerShell script that will connect to the SFTP Server and delete files older than seven (7) days.
Once the Automation Account is deployed, it is important to enable the system identity that will then be used to access the Key Vault to obtain the SFTP Server credentials.
To enable the identity in the Automation Account, go to Account Settings / Identity / System assigned and switch the status to On.
The PowerShell script requires a specific module. To add it, open the Runtime Environment of the Automation Account, choose the option to add a module, and add the Posh-SSH module.
Next, in the left menu, select Shared Resources / Variables and create the RetentionDays variable with an integer value. In my case, I use 7. This is the maximum number of days a backup file is kept.
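Enabling the identity only creates it; the runbook's Get-AzKeyVaultSecret calls also need that identity to be allowed to read secrets from the vault. The following Az PowerShell snippet is an added example (not from the original post) that grants the least-privilege built-in role on the single vault. It assumes the vault uses the Azure RBAC permission model, a recent Az.Automation module that exposes the Identity property, and placeholder names for the resource group and Automation Account.

```powershell
# Added example: grant the Automation Account's system-assigned identity
# read-only access to secrets in the Key Vault used by the runbook.
# Assumption: the vault uses the Azure RBAC permission model (not access policies).
$rg         = 'rg-forti-prd-eu'     # placeholder resource group name
$automation = 'aa-forti-backup'     # placeholder Automation Account name
$vaultName  = 'kv-forti-prd-eu'     # vault name used by the runbook

# Object (principal) id of the system-assigned managed identity.
# Assumption: Get-AzAutomationAccount returns an Identity property (recent Az.Automation).
$principalId = (Get-AzAutomationAccount -ResourceGroupName $rg -Name $automation).Identity.PrincipalId
$vault       = Get-AzKeyVault -VaultName $vaultName

# Least privilege: "Key Vault Secrets User" can only read secret values (no keys,
# certificates or management operations), and the scope is this one vault rather
# than the resource group or subscription.
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $vault.ResourceId

# Verify the assignment; the runbook's Get-AzKeyVaultSecret calls will fail with
# "Forbidden" until this lists the role for the identity.
Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

Role assignments can take a few minutes to propagate, so a runbook started immediately after this may still be denied once.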
Then, in the left menu, select Process Automation / Runbooks and create a new Runbook. In my case, the runbook type I selected was PowerShell and the Runtime Environment PowerShell-7.2.
Once the Runbook is created, open it and select Edit / Edit in the portal from the top menu. In the editor, paste the following script:
##############################################################
# DeleteOldBackupFiles
# Description: This script was developed to connect to an SFTP Server
# and delete old files based on the $daysOld variable
# Author: Javier Morales (javopr@gmail.com)
# version 1.1.0
# changes:
# 1.1.0 - Initial version
##############################################################
# Connect to Azure using the System-assigned Managed Identity of the Automation Account
Write-Output "Connecting to Azure"
Connect-AzAccount -Identity
Write-Output "Successfully connected with Automation account's Managed Identity"
# Define Variables
Write-Output "Reading and configuring variables"
$current = Get-Date
# SFTP server, username and password are read from the Key Vault (see the Key Vault section)
$mysftpserver = Get-AzKeyVaultSecret -VaultName "kv-forti-prd-eu" -Name "SFTPServer" -AsPlainText
$sftpUsername = Get-AzKeyVaultSecret -VaultName "kv-forti-prd-eu" -Name "sftpUsername" -AsPlainText
$sftpPassword = Get-AzKeyVaultSecret -VaultName "kv-forti-prd-eu" -Name "sftpPassword" -AsPlainText
# Alternative: read the credentials from an Automation Account credential asset named "SSH"
# (only needed if you use the commented-out New-SFTPSession line below)
#$SSHServerCred = Get-AutomationPSCredential -Name "SSH"
# Retention in days, read from the Automation Account variable created earlier
$daysOld = Get-AutomationVariable -Name 'RetentionDays'
Write-Output "Variables set"
# Connect to the SFTP and save the session into a variable
Write-Output "Connecting to SFTP"
#$session = New-SFTPSession -ComputerName $mysftpserver -Credential $SSHServerCred -Force
$session = New-SFTPSession -ComputerName $mysftpserver -Credential (New-Object System.Management.Automation.PSCredential($sftpUsername, (ConvertTo-SecureString $sftpPassword -AsPlainText -Force))) -AcceptKey -Force
# Get all files in the SFTP home directory (files only, no sub-directories)
Write-Output "Getting the files list"
$files = Get-SFTPChildItem -SFTPSession $session -File
# For each file
ForEach ($f in $files)
{
    # Set variables using file metadata
    $filename = $f.FullName
    $LastWriteTime = Get-Date $f.LastWriteTime
    $fileSpace = $f.Length
    $DateDiff = New-TimeSpan -Start $LastWriteTime -End $current
    # Display file information
    $message = "File Name: $filename"
    Write-Output $message
    $message = "File Space: $fileSpace"
    Write-Output $message
    $message = "File Date/Time: $LastWriteTime"
    Write-Output $message
    $message = "Time Difference: " + $DateDiff
    Write-Output $message
    $message = "Days of Difference: $($DateDiff.Days)"
    Write-Output $message
    # Delete files older than $daysOld days
    # (Days is a whole number, so a file is removed once it is more than $daysOld full days old)
    if ($DateDiff.Days -gt $daysOld) {
        $message = "Deleting File $filename"
        Write-Output $message
        Remove-SFTPItem -SFTPSession $session -Path $filename -Force
        $message = "File $filename deleted"
        Write-Output $message
    }
    Write-Output "---------------------------------------"
}
After copying the code into the editor, click Save and then Publish.
Finally, to make the code run recurrently, select Resources / Schedules in the left menu. Then add a schedule. In my case, the schedule runs every 8 hours.
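Two things worth checking before the schedule is allowed to delete anything: the `$DateDiff.Days -gt $daysOld` test keeps a file until it is more than seven full days old (it is removed on the eighth day), and a time-based policy on its own will eventually delete every backup if a FortiGate silently stops uploading. The following is an added example, not part of the original runbook, that separates the retention decision into a function with a dry run and a floor on how many files are always kept; the Select-ExpiredBackup function, the MinimumKeep value and the sample file list are assumptions.

```powershell
# Added example: retention decision factored out of the runbook so it can be
# dry-run first. Uses a cutoff timestamp (older than N days) instead of the
# integer-day comparison, and never deletes the newest $MinimumKeep files.
function Select-ExpiredBackup {
    param(
        [Parameter(Mandatory)] [object[]] $Files,   # objects with FullName and LastWriteTime
        [Parameter(Mandatory)] [int] $RetentionDays,
        [int] $MinimumKeep = 3,                     # hypothetical safety floor
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$RetentionDays)
    # Newest first; skip the files that must survive regardless of age, then
    # return only those written before the cutoff.
    $Files | Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $MinimumKeep |
        Where-Object { $_.LastWriteTime -lt $cutoff }
}

# Constructed sample of what Get-SFTPChildItem returns (only the fields used here):
# one backup per day, each one hour past the day boundary.
$now = Get-Date '2024-06-10T02:00:00'
$sample = 0..9 | ForEach-Object {
    [pscustomobject]@{
        FullName      = "/fortigate/FGT_$($_)_backup.conf"
        LastWriteTime = $now.AddDays(-$_).AddHours(-1)
    }
}

# Dry run: with RetentionDays = 7 this selects the files aged 7, 8 and 9 days.
# Inside the runbook, $daysOld (Get-AutomationVariable -Name 'RetentionDays')
# would be passed instead of the literal 7.
$expired = Select-ExpiredBackup -Files $sample -RetentionDays 7 -Now $now
$expired | ForEach-Object { Write-Output "Would delete: $($_.FullName) ($($_.LastWriteTime))" }

# Once the dry-run output looks right, the real runbook replaces the line above with:
# $expired | ForEach-Object { Remove-SFTPItem -SFTPSession $session -Path $_.FullName -Force }
```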
There are several ways to store the SFTP Server credentials so that they can be used in the automation script. The simplest way is to store the credentials inside the Automation Account itself, in the Shared Resources / Credentials section. The problem with saving the credentials in the Automation Account is that any user with Contributor access in Azure will have access to them. The safest way is to store them in an Azure Key Vault.
Create the following secrets in the Azure Key Vault:
Secret Name    | Secret Value
-------------- | --------------------------------------
SFTPServer     | <SFTP IP or Hostname>
sftpUsername * | <Storage_Account_Name>.<SFTP Username>
sftpPassword   | <SFTP Password>
* The username used in the SFTP connection must be a concatenation of the storage account name, a dot "." and the SFTP username created in the storage account.
FortiGate can send a recurring backup file to an SFTP server. The configuration depends on the FortiOS version. This script works with FortiOS 7.4.2.
This guide provides a solution for backing up and managing the configuration files of FortiGate devices on Azure. The solution uses an Azure Storage Account, an Automation Account, and a Key Vault. The FortiGate devices upload their configuration files over SFTP to the storage account. The Automation Account runs a script that deletes configuration files older than the seven-day retention period from the SFTP server. The Key Vault stores the SFTP server's connection information and credentials, which the Automation Account reads at run time through its managed identity. The solution is scalable, cost-effective, and easy to deploy.
I hope this solution has been helpful. Feel free to contact us if you have any questions. Thanks!