Hi mate,
I had the need to back up some firewall configurations.
I know that there are several ways to do it, last but not least FortiManager, but...
I had to do it periodically and for several devices.
I used one of the several external modules that you can find on the web
(http://www.powershellmagazine.com/2014/07/03/posh-ssh-open-source-ssh-powershell-module/)
I had to adjust some security parameters on the firewall side; please do the same to be sure that this task can be run in a secure context.
No complications, no tricks, only the essential.
Hope this helps.
See you soon.
UPDATE
Mates,
below is a different version of the same script, but using an "FTP approach".
Hope you appreciate it.
Bye
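
The scripts themselves are not reproduced on this page. The following is an added example, not the author's code, of the TFTP variant of this task as the post and its comments describe it: Posh-SSH session per firewall, password read from a protected file, date-stamped file names, and the TFTP service running only during the backup window. All addresses, paths, account and service names are placeholders, and it assumes the FortiOS `execute backup config tftp` command is permitted for the backup account.

```powershell
# Added example, not the original script. Requires the Posh-SSH module.
Import-Module Posh-SSH

$tftpServer  = '192.0.2.10'               # placeholder: host running the TFTP service
$tftpService = 'TFTPService'              # placeholder: Windows service name of that TFTP server
$firewalls   = '192.0.2.1', '192.0.2.2'   # placeholder: FortiGate management IPs
$user        = 'backupadmin'              # placeholder: dedicated backup account

# The password file is created once, interactively, by the account that runs the task:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\Secure\fgt.pwd
# It is DPAPI-protected, so only that Windows user on that machine can decrypt it.
$securePwd = Get-Content 'C:\Secure\fgt.pwd' | ConvertTo-SecureString
$cred      = New-Object System.Management.Automation.PSCredential ($user, $securePwd)

Start-Service -Name $tftpService          # TFTP is unauthenticated cleartext: keep the window short
try {
    foreach ($fw in $firewalls) {
        # Per-device naming, keyed on the firewall IP
        switch ($fw) {
            '192.0.2.1' { $name = 'fw-hq' }
            '192.0.2.2' { $name = 'fw-branch' }
            default     { $name = "fw-$fw" }
        }
        $file = '{0}_{1}.conf' -f $name, (Get-Date -Format 'yyyyMMdd-HHmmss')

        $session = $null
        try {
            # -AcceptKey is deliberately omitted so an unknown or changed
            # host key is not trusted automatically.
            $session = New-SSHSession -ComputerName $fw -Credential $cred -ErrorAction Stop
            $result  = Invoke-SSHCommand -SessionId $session.SessionId -TimeOut 60 `
                           -Command "execute backup config tftp $file $tftpServer"
            Write-Output "$fw -> $file : $($result.Output)"
        }
        catch   { Write-Warning "Backup of $fw failed: $_" }
        finally {
            if ($session) { Remove-SSHSession -SessionId $session.SessionId | Out-Null }
        }
    }
}
finally {
    Stop-Service -Name $tftpService       # stop the listener even if a device failed
}
```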
This is an excellent and highly practical set of PowerShell scripts for automating FortiGate firewall configuration backups! Thanks for sharing both the TFTP and FTP approaches, along with the crucial security considerations.
You've addressed a very common and important sysadmin task: periodic, automated backups of critical network devices. Your use of the Posh-SSH module for secure SSH connectivity from PowerShell is a fantastic choice, making this solution robust and widely applicable.
Key strengths of your scripts and explanation:
Periodicity and Multiple Devices: Clearly designed for automating backups across several FortiGate devices.
Secure Credential Handling: The initial setup for secure string conversion and reading from a file is good practice for automated tasks, preventing plaintext passwords in scripts (though the passwordinclear in the FTP version's invoke-sshcommand would need careful handling or a more secure method for production).
Dynamic Filenaming: Incorporating the date/time into the backup file name is essential for managing multiple backups.
TFTP/FTP Service Management: The scripts' ability to start and stop the TFTP/FTP server services only during the backup window (for security reasons) is a very smart and often overlooked detail.
switch Statement for Customization: Using a switch statement based on firewall IP allows for flexible naming conventions or other per-device commands.
Clear SSH Session Management: New-SSHSession and Remove-SSHSession ensure proper connection handling.
Copying to Secure Destination (FTP version): The final copy-item to a \\secureserver\securefolder\ adds another layer of security by moving backups off the temporary FTP server.
Your practical advice ("No complications, no tricks, only the essential") and emphasis on adjusting firewall security parameters are very valuable. The update with the FTP approach provides a useful alternative depending on the environment.
This is a fantastic resource for network administrators and automation enthusiasts working with FortiGate devices!
For further discussions on network device automation, PowerShell scripting for security, or secure backup strategies, a hacking forum is an excellent place to share and learn.