This simple script makes it easy to perform backups of multiple Fortigate firewalls. It reads a list of Fortigates from a CSV file, performs a backup of each one, and saves the backup file to a local directory.
- Python 3.6 or newer
- Requests module
Clone the project
git clone https://github.com/mcarneir0/fortigate-backup-api.git
Go to project folder.
cd fortigate-backup-api
Install dependencies.
pip install -r requirements.txt
Add the details of each Fortigate to back up in the fortigates.csv file. You can then perform the backup in two ways:
- Run the fgt-backup.py file to perform a backup of all Fortigates without user input. Useful with cron jobs or scheduled tasks.
  python fgt-backup.py
- Run the manual-backup.py file to display a list of all Fortigates and then select which ones will be backed up.
  python manual-backup.py
The fortigates.csv file should have the following format:
name,ip_1,ip_2,token
Fortigate1,192.168.1.1,,xxxxxxxxxxxxxxxxx
Fortigate2,10.0.0.1:9999,myfortigate.fortiddns.com:9999,yyyyyyyyyyyyyyyyy
Tip
FQDN addresses can be used too!
Where:
- name: A name to identify the Fortigate
- ip_1: Primary IP/FQDN address of the Fortigate
- ip_2: Secondary IP/FQDN address of the Fortigate (optional)
- token: API key provided by the Fortigate
- If you are using a custom administrative port (other than 443), include it with the IP address in <IP>:<PORT> format.
- If your Fortigate does not have a secondary IP address, just leave it blank, as in the Fortigate1 example.
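A stricter way to read this file, as an added example that is not part of the project's scripts: it refuses a fortigates.csv that other local users can read (the file holds API tokens), validates each <IP>:<PORT> field, and builds the bearer header mentioned in the changelog. The function names base_url, load_targets and log_line are hypothetical.

```python
import csv
import os
import stat
from urllib.parse import urlsplit


def base_url(host):
    """Turn an <IP>, <FQDN> or <IP>:<PORT> field into an https:// base URL."""
    parts = urlsplit("https://" + host)
    parts.port  # raises ValueError on a non-numeric or out-of-range port
    # Reject anything that would redirect the token: userinfo, path, query.
    if (not parts.hostname or "@" in parts.netloc
            or parts.path or parts.query or parts.fragment):
        raise ValueError(f"not a bare host or host:port: {host!r}")
    return "https://" + parts.netloc


def load_targets(path="fortigates.csv"):
    """Parse the CSV into backup targets; refuse a file other users can read."""
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} holds API tokens; run: chmod 600 {path}")
    targets = []
    with open(path, newline="") as fh:
        # The header is line 1, so data rows start at line 2.
        for lineno, row in enumerate(csv.DictReader(fh), start=2):
            name, ip_1, ip_2, token = (
                (row.get(k) or "").strip() for k in ("name", "ip_1", "ip_2", "token"))
            if not (name and ip_1 and token):
                raise ValueError(f"line {lineno}: name, ip_1 and token are required")
            targets.append({
                "name": name,
                # Primary address first, secondary (if present) as fallback.
                "urls": [base_url(h) for h in (ip_1, ip_2) if h],
                # The token travels in a header, never in the URL.
                "headers": {"Authorization": f"Bearer {token}"},
            })
    return targets


def log_line(target):
    """Describe a target for the log file without exposing its token."""
    return f"{target['name']} -> {', '.join(target['urls'])}"


if __name__ == "__main__":
    for t in load_targets():
        print(log_line(t))
```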
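By default, the script verifies the SSL certificate of the Fortigates. If you have self-signed certificates, you may want to disable this feature. With verification disabled, the script no longer authenticates the Fortigate it connects to, so the API token is exposed to anyone able to intercept the connection. To disable it, uncomment the following two lines at the beginning of the script: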
requests.packages.urllib3.disable_warnings()
req.verify = False
The script creates two folders:
- backups: Contains the backup files.
- logs: Contains the log files.
The backup files are saved in a subfolder of backups named with the current date in the format mm-dd-yyyy.
The log files are saved in the logs folder with the name bkp-<current_date>.log.
The main reason to use the API key is that you don't need to enter your login credentials anywhere or access the firewall directly.
To do so, you first need to create a REST API Admin with super_admin rights. Follow the steps below.
Login to the firewall GUI with your credentials and make sure you have super_admin rights.
Click on System > Admin Profiles and create a new Admin Profile with no permissions.
Click on System > Administrators and create a new REST API Admin.
Insert a username, comments (optional), select the administrator profile created, disable PKI Group and CORS.
Important
Trusted Hosts is optional on FortiOS 7.x but mandatory on 6.x versions.
Warning
It is strongly recommended that you fill in your IP or network range in Trusted Hosts to ensure that only requests made from these addresses are accepted; otherwise, anyone with access to the API token could have unrestricted and/or unauthorized access to the firewall.
Click OK and you will be prompted to store the generated API key in a secure location. Remember that this key will not be fully displayed again, so if you lose it, you will have to generate another one.
That's why we created that temporary profile earlier: Fortigate doesn't allow creating super_admin REST API users directly. But this permission is needed to back up other super_admin users you may have on the firewall.
To do this, you need to run the following commands in the CLI Console. Click the option in the upper right corner to open it.
# config system api-user
(api-user) edit <username>
(<username>) set accprofile super_admin
(<username>) set vdom root
(<username>) next
(api-user) end
Now close the CLI, delete the temporary user profile and you're good to go.
- Python 3.6.8 / 3.10.x / 3.11.x / 3.12.x
- FortiOS 6.0.x / 6.2.x / 7.0.x / 7.2.x / 7.4.5 / 7.6.1
- 2024/10/12: Utilise authorisation bearer header instead of old method of inserting API key into URL, as mentioned in this forum thread.
- Thanks to @wintermute000
- See #2 and #3
- FortiGate REST API Token Authentication
- Technical Tip: Get backup config file on FortiGate using RestAPI via Python script
This project is licensed under the GPL-2.0 License - see the LICENSE file for details.