One of my customers would like to back up the FortiGate configuration as part of a DRBC (Disaster Recovery and Business Continuity) solution.
FortiGate supports a REST API, so it is a good fit to periodically fetch the configuration, store it in a file directory and let Veeam Backup and Replication protect those FortiGate configurations with the company's standard data protection process.
In this blog post I document the customer-specific design factors and a solution prototype showing how to meet them and back up the FortiGate configuration into a file directory.
I personally prefer the *nix way over Windows, so I will use Linux, Docker and PowerShell to pull information from the FortiGate security appliance and write it into a file directory. The same Docker-based approach can be used on Windows operating systems as well.
If you are interested in details, read on.
Design Factors
Design factors include Business, Technical, Functional and Non-functional Requirements, as well as Constraints, Assumptions and Risks.
Business Requirements
BR1: RPO 24 hours - daily FortiGate configuration backup
BR2: RETENTION 30 days - keep the last 30 days in local storage (Windows folder)
Technical Requirements
TR1: FortiGate configuration files will be protected by Veeam Backup and Replication Suite.
Functional Requirements
FR1: Store configurations in a Windows folder, because that folder will be protected by Veeam Backup and Replication Suite.
Non-Functional Requirements
NFR1: Store configurations in a Windows folder
NFR2: Use PowerShell, as it is the native scripting language on the Windows operating system
Constraints
CONS1: PowerShell scripting language.
Assumptions
ASSUMP1: Docker can be installed and run on the Windows operating system used for the Veeam Backup and Replication server.
Risks
RISK1: The PowerShell script was tested on Linux (in a Docker container) because I do not have any Windows OS in my home lab.
- There could be some integration challenges when it is integrated into Windows OS.
- The Windows and backup engineers will need to install and test Docker on Windows, or test/port the PowerShell script to Windows PowerShell.
- The other alternative is to use a dedicated Linux (Debian) OS just to back up FortiGate configurations and install Veeam Agent for Linux to back up the file directory holding the FortiGate configurations.
Test Environment
I have prepared a test environment for the solution prototype.
FortiGate Deployment
Source: https://www.youtube.com/watch?v=IFgiqCs5tMI
A personal account has been created on https://support.fortinet.com/
The VM image (FGT_VM64-v7.4.9.M-build2829-FORTINET.out.ovf.zip) for ESXi has been downloaded from the Fortinet Support web site.
The FortiGate VM has been deployed from the OVF to VMware vSphere 8.0.3.
The FortiGate admin password has been changed.
FortiGate networking was configured over the VMware console.
We can verify the FortiGate settings.
By default FortiGate saves the configuration automatically. We can double-check it with the following CLI command ...
get system global | grep cfg-save
Now we have an unlicensed FortiGate available at IP address 192.168.8.15.
FortiGate Licensing
An evaluation license can be applied to a newly deployed FortiGate. Here is the process, using the personal account on support.fortinet.com you already used to download the FortiGate VM image.
Log in to the web management interface with your FortiGate appliance credentials (admin + the password you chose during VM appliance deployment).
Activate the license using the e-mail address and password you use on support.fortinet.com.
After the license is applied, the system reboots ...
A few seconds after the system has rebooted, you can log back in to the web management interface and continue setting up the system with the evaluation license.
FortiGate REST API Endpoint
The FortiGate REST API endpoint is enabled by default on the HTTPS management port (usually TCP 443) of any interface configured with HTTPS access. Our FortiGate listens on https://192.168.8.15.
To enable the FortiGate REST API properly and securely, follow these steps:
Create a REST API Administrator
For security, use a dedicated non-human account with an API key (token) for automation. This is the most important step for using the API.
Log in to the web management interface with your FortiGate appliance credentials (admin + password) and go to System > Administrators > Create New > REST API Admin.
Create new REST API Admin ...
Create new REST API Key ...
Which Administrator Profile should be used to back up the FortiGate configuration?
The best and most reliable Administrator Profile for a complete and restorable FortiGate configuration backup is the super_admin profile.
Why is super_admin preferred?
Full configuration: a non-super_admin profile cannot view the configuration of other super_admin accounts. If you take a backup with a lower-privileged admin, the resulting config file will be incomplete (it will be missing the other super_admin users).
Restorability: if you need to restore the configuration from scratch (e.g., after a factory reset or hardware replacement), restoring a backup file generated by a non-super_admin account will likely delete all other super_admin accounts, which can lock you out or prevent critical management access.
For the purpose of this demonstration I use the following data:
- Username: api-automation
- PKI Group: no
- Administrator Profile: super_admin (in production a dedicated super_admin user should be created and used)
- Trusted hosts: 192.168.8.0/24 (in production this should be restricted to the backup hosts only)
After user creation we have:
- FortiGate API KEY for api-automation: Qp8tr8zdmHxnkp0QG4j58scz97pmw8
Solution Prototype
In this section I describe the solution prototype within the test environment.
FortiGate REST API Configuration Overview
The FortiGate REST API is available at 192.168.8.15
- VM with FortiGate OS
The FortiGate REST API client is running at 192.168.8.16
- VM with Debian, Docker and dockerized PowerShell
- FortiGate REST API KEY for api-automation: bxg37kQ899603bNNp6p10nnhz3j8Qm
FortiGate REST API test with curl
REST API access can be tested with the following curl command ...
curl --insecure -H "Accept: application/json" -H "Authorization: Bearer bxg37kQ899603bNNp6p10nnhz3j8Qm" https://192.168.8.15/api/v2/monitor/system/status
root@fortigate-backup-client:~/scripts# curl --insecure -H "Accept: application/json" -H "Authorization: Bearer bxg37kQ899603bNNp6p10nnhz3j8Qm" https://192.168.8.15/api/v2/monitor/system/status
{"http_method":"GET","results":{"model_name":"FortiGate","model_number":"VM64","model":"FGVM64","hostname":"FGVMEV_OBJU2RF9C","log_disk_status":"available"},"vdom":"root","path":"system","name":"status","status":"success","serial":"FGVMEV_OBJU2RF9C","version":"v7.4.9","build":2829}
root@fortigate-backup-client:~/scripts#
FortiGate REST API Client
Installation of Debian Linux OS
This is out of scope; Debian installation is a standard procedure.
Installation of Docker
Install the Docker packages first (the docker-ce packages come from Docker's own apt repository), then enable and start the service:
apt install docker-ce docker-ce-cli containerd.io
systemctl enable docker
systemctl start docker
Pull the official, verified Microsoft PowerShell image
docker pull mcr.microsoft.com/powershell:latest
Run PowerShell from the image to check the PowerShell version
FortiGate REST API test with curl
REST API access can be tested with the same curl command, this time from the Debian Linux host where the dockerized PowerShell will run ...
curl --insecure -H "Accept: application/json" -H "Authorization: Bearer bxg37kQ899603bNNp6p10nnhz3j8Qm" https://192.168.8.15/api/v2/monitor/system/status
PowerShell Scripts using FortiGate REST API
Script to check FortiGate status and version
Place the get-fortigate-status.ps1 script in the directory /root/scripts
Run the PowerShell script to get the FortiGate version:
docker run -v /root/scripts:/root/scripts mcr.microsoft.com/powershell pwsh /root/scripts/get-fortigate-status.ps1
root@fortigate-backup-client:~# docker run -v /root/scripts:/root/scripts mcr.microsoft.com/powershell pwsh /root/scripts/get-fortigate-status.ps1
http_method : GET
results     : @{model_name=FortiGate; model_number=VM64; model=FGVM64; hostname=FGVMEV_OBJU2RF9C; log_disk_status=available}
vdom        : root
path        : system
name        : status
status      : success
serial      : FGVMEV_OBJU2RF9C
version     : v7.4.9
build       : 2829
root@fortigate-backup-client:~#
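The blog post does not include the body of get-fortigate-status.ps1, so here is an added example (my own code, not the author's script) that produces the output shown above. It assumes the FortiGate address from the test environment (192.168.8.15), reads the API key from an environment variable named FORTIGATE_API_KEY instead of hard-coding it in the script, and uses -SkipCertificateCheck (PowerShell 7) as the equivalent of curl --insecure for the lab appliance's self-signed certificate.

```powershell
# get-fortigate-status.ps1 (added example, not the original post's script)
# Assumed usage from the Debian host:
#   docker run --rm -e FORTIGATE_API_KEY="$FORTIGATE_API_KEY" -v /root/scripts:/root/scripts \
#       mcr.microsoft.com/powershell pwsh /root/scripts/get-fortigate-status.ps1
param(
    [string]$FortiGateHost = '192.168.8.15',          # FortiGate from the test environment
    [string]$ApiKey        = $env:FORTIGATE_API_KEY   # assumed env var; never store the key in the script
)

if ([string]::IsNullOrEmpty($ApiKey)) {
    throw 'FORTIGATE_API_KEY is not set; pass it with: docker run -e FORTIGATE_API_KEY=<key> ...'
}

# Same headers as the curl test: JSON response, REST API admin token as Bearer
$headers = @{
    'Accept'        = 'application/json'
    'Authorization' = "Bearer $ApiKey"
}

$uri = "https://$FortiGateHost/api/v2/monitor/system/status"

# -SkipCertificateCheck matches curl --insecure for the lab's self-signed certificate.
# Drop it once the FortiGate presents a certificate the backup host trusts.
$response = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -SkipCertificateCheck

# The monitor API reports "status":"success" on a good call; anything else is a failure
if ($response.status -ne 'success') {
    throw "FortiGate API returned status '$($response.status)'"
}

# Format-List prints the object field by field, which is the layout seen in the post's output
$response | Format-List http_method, results, vdom, path, name, status, serial, version, build
```

Passing the token through the container environment keeps it out of the script file that is mounted (and later backed up) from /root/scripts; combined with the REST API admin's trusted-hosts setting, only the backup host can use that key.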
Script to get FortiGate Running Configurations
We already have a directory for the PowerShell scripts: /root/scripts
We also need another directory where we will store the FortiGate configurations: /root/fortigate-conf
Place the get-fortigate-running-configuration.ps1 script in the directory /root/scripts
Now we can run the command to get the FortiGate configuration ...
root@fortigate-backup-client:~# docker run -v /root/scripts:/root/scripts -v /root/fortigate-conf:/root/fortigate-conf mcr.microsoft.com/powershell pwsh /root/scripts/get-fortigate-running-configuration.ps1
Full configuration saved.
root@fortigate-backup-client:~#
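The post also leaves out get-fortigate-running-configuration.ps1. The following is an added example of such a script (my own code, not the author's). It assumes the same host, the FORTIGATE_API_KEY environment variable, the /root/fortigate-conf output directory from the post, and the FortiOS monitor endpoint /api/v2/monitor/system/config/backup with scope=global, which I take from the FortiOS REST API documentation as the call that returns the full configuration file. It also checks that what came back really is a configuration file (FortiOS config files start with a #config-version= header), so that a permission error returned as JSON is not silently stored as a "backup".

```powershell
# get-fortigate-running-configuration.ps1 (added example, not the original post's script)
# Assumed usage from the Debian host:
#   docker run --rm -e FORTIGATE_API_KEY="$FORTIGATE_API_KEY" \
#       -v /root/scripts:/root/scripts -v /root/fortigate-conf:/root/fortigate-conf \
#       mcr.microsoft.com/powershell pwsh /root/scripts/get-fortigate-running-configuration.ps1
param(
    [string]$FortiGateHost   = '192.168.8.15',          # FortiGate from the test environment
    [string]$ApiKey          = $env:FORTIGATE_API_KEY,  # assumed env var
    [string]$OutputDirectory = '/root/fortigate-conf'   # directory from the post
)

if ([string]::IsNullOrEmpty($ApiKey)) {
    throw 'FORTIGATE_API_KEY is not set; pass it with: docker run -e FORTIGATE_API_KEY=<key> ...'
}

$headers = @{ 'Authorization' = "Bearer $ApiKey" }

# Hostname from the status endpoint (same call as the curl test), used in the file name
$status = Invoke-RestMethod -Uri "https://$FortiGateHost/api/v2/monitor/system/status" `
    -Method Get -Headers $headers -SkipCertificateCheck
if ($status.status -ne 'success') {
    throw "FortiGate status call failed with status '$($status.status)'"
}
$deviceName = $status.results.hostname

# Full configuration backup endpoint (assumed from the FortiOS REST API documentation).
# scope=global returns the complete configuration, which is what a restore needs.
$backupUri = "https://$FortiGateHost/api/v2/monitor/system/config/backup?scope=global"

New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
$timestamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile   = Join-Path $OutputDirectory "$deviceName-$timestamp.conf"

# Stream the response straight to disk; the body is the configuration file itself
Invoke-WebRequest -Uri $backupUri -Method Get -Headers $headers -SkipCertificateCheck -OutFile $outFile

# Sanity check: a FortiOS configuration file begins with a "#config-version=" line.
# An error body (JSON) would fail this test and must not be kept as a backup.
$firstLine = Get-Content -Path $outFile -TotalCount 1
if ($firstLine -notlike '#config-version=*') {
    Remove-Item -Path $outFile -Force
    throw "Response from $backupUri is not a FortiGate configuration file (first line: '$firstLine')"
}

$size = (Get-Item -Path $outFile).Length
Write-Output "Full configuration saved to $outFile ($size bytes)."
```

Naming the file after the device hostname and a timestamp gives one file per daily run, which is what the 30-day retention requirement (BR2) and the Veeam job protecting the folder both work on. Because the script exits with an error when the header check fails, a failing scheduled run stays visible instead of producing an empty or invalid file.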
Configuration Retention: 30 days
TBD
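The post marks this section as TBD. As an added example (my own code, not the author's), here is one way to meet the BR2 requirement of keeping the last 30 days of configurations in the local folder. It assumes the /root/fortigate-conf directory and the *.conf file names produced by the backup script, and it refuses to delete anything when no backup newer than the retention window exists, so a backup job that has been failing for a month does not end with the folder being emptied.

```powershell
# prune-fortigate-configurations.ps1 (added example; the original post leaves retention as TBD)
# Assumed usage from the Debian host, run daily after the backup script:
#   docker run --rm -v /root/scripts:/root/scripts -v /root/fortigate-conf:/root/fortigate-conf \
#       mcr.microsoft.com/powershell pwsh /root/scripts/prune-fortigate-configurations.ps1
param(
    [string]$ConfigDirectory = '/root/fortigate-conf',  # directory from the post
    [int]$RetentionDays      = 30                       # BR2: keep the last 30 days
)

if (-not (Test-Path -Path $ConfigDirectory -PathType Container)) {
    throw "Configuration directory $ConfigDirectory does not exist"
}

$cutoff = (Get-Date).AddDays(-$RetentionDays)

# Only consider files the backup script writes (*.conf), in this directory only, never recursively.
# @(...) forces an array so .Count is correct with zero or one matching file.
$allBackups = @(Get-ChildItem -Path $ConfigDirectory -Filter '*.conf' -File)
$expired    = @($allBackups | Where-Object { $_.LastWriteTime -lt $cutoff })
$remaining  = $allBackups.Count - $expired.Count

# Safety rule: never remove the last remaining backups. If nothing is newer than the
# retention window, the daily job has been failing and the old files are all we have.
if ($remaining -lt 1) {
    Write-Warning "Refusing to delete: no configuration newer than $RetentionDays days in $ConfigDirectory"
    return
}

foreach ($file in $expired) {
    Write-Output "Removing $($file.FullName) (last written $($file.LastWriteTime))"
    Remove-Item -Path $file.FullName -Force
}

Write-Output "Retention complete: $($expired.Count) file(s) removed, $remaining kept."
```

The folder retention here is independent of the retention configured in the Veeam job that protects /root/fortigate-conf (or the Windows folder, per FR1): this script keeps the last 30 days on the local disk, while older copies remain recoverable from Veeam for as long as its own retention policy keeps them.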