Jonathan_Body_FTNT
Article Id 196889

Description
This article explains the use of the "execute backup config" and "execute backup full-config" commands and the output to expect in the saved configuration files.

Scope
All FortiOS versions

Solution
When performing an "execute backup" of the configuration file on the FortiGate, the file can be saved in one of 2 ways: as a "config" or as a "full-config".

The difference can be described in the following way:

On the CLI, performing a "show config" displays the configuration in its basic format, whereas performing a "show full-config" asks the FortiGate to show everything, including the default values:

show full = show + default values

The same applies to the way the FortiGate saves the configuration file in the 2 scenarios, as a "config" or as a "full-config": the "full-config" file also includes all default values.

For example, below a full-config file is saved from a device to an FTP server via FTP:

FGT200A-1 # execute backup full-config ftp fgt.200A_full.conf 192.168.183.2 fortinet fortinet

Please wait...
Please wait...

Connect to ftp server 192.168.183.2 ...
Send config file to ftp server OK.



An "execute backup config" was performed previously, so the output from the 2 sub-menus can be compared for the protection profile "unfiltered". These are the excerpts from "execute backup config" and "execute backup full-config":

"execute backup config"

    edit "unfiltered"
            config log
                set log-web-ftgd-err enable
            end
        set ftp no-content-summary
        set http no-content-summary
        set https no-content-summary
        set imap fragmail no-content-summary
        set pop3 fragmail no-content-summary
        set smtp fragmail no-content-summary splice
        set nntp no-content-summary
            config app-recognition
                edit "http"
                    set port 80
                next
                edit "https"
                    set port 443
                next
                edit "smtp"
                    set port 25
                next
                edit "pop3"
                    set port 110
                next
                edit "imap"
                    set port 143
                next
                edit "nntp"
                    set port 119
                next
                edit "ftp"
                    set port 21
                next
            end
        unset im
        unset http-post-lang
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
    next
end

 


"execute backup full-config"

    edit "unfiltered"
        set webbwordthreshold 10
        set spambwordthreshold 10
        set httpoversizelimit 10
        set ftpoversizelimit 10
        set imapoversizelimit 10
        set pop3oversizelimit 10
        set smtpoversizelimit 10
        set imoversizelimit 10
        set nntpoversizelimit 10
            config log
                set log-app-ctrl disable
                set log-av-block disable
                set log-av-oversize disable
                set log-av-virus disable
                set log-dlp disable
                set log-ips disable
                set log-spam disable
                set log-web-content disable
                set log-web-filter-activex disable
                set log-web-filter-applet disable
                set log-web-filter-cookie disable
                set log-web-ftgd-err enable
                set log-web-invalid-domain enable
                set log-web-url disable
            end
        set ftp no-content-summary
        set http no-content-summary
        set https no-content-summary
        set http-retry-count 0
        set imap fragmail no-content-summary
        set pop3 fragmail no-content-summary
        set smtp fragmail no-content-summary splice
        set smtp-spamaction discard
        set smtp-spamtagtype subject spaminfo
        set smtp-spamtagmsg "Spam"
        set smtp-spamhdrip disable
        set smtp-spam-localoverride disable
        set pop3-spamaction tag
        set pop3-spamtagtype subject spaminfo
        set pop3-spamtagmsg "Spam"
        set nac-quar-infected none
        set imap-spamaction tag
        set imap-spamtagtype subject spaminfo
        set imap-spamtagmsg "Spam"
        set filepattable 0
        set webbwordtable 0
        set weburlfiltertable 0
        set spambwordtable 0
        set spamemaddrtable 0
        set spamipbwltable 0
        set spammheadertable 0
        set spamrbltable 0
        set spamiptrusttable 0
        set content-header-list 0
        set nntp no-content-summary
        set ips-sensor-status disable
        set application-list-status disable
            config app-recognition
                edit "http"
                    set inspect-all disable
                    set port 80
                next
                edit "https"
                    set inspect-all disable
                    set port 443
                next
                edit "smtp"
                    set inspect-all disable
                    set port 25
                next
                edit "pop3"
                    set inspect-all disable
                    set port 110
                next
                edit "imap"
                    set inspect-all disable
                    set port 143
                next
                edit "nntp"
                    set inspect-all disable
                    set port 119
                next
                edit "ftp"
                    set inspect-all disable
                    set port 21
                next
            end
        set mailsig-status disable
        set mail-sig ''
        unset im
        set comment ''
        set dlp-sensor-table ''
        unset http-post-lang
        set replacemsg-group "default"
        set httpcomfortinterval 10
        set ftpcomfortinterval 10
        set httpcomfortamount 1
        set ftpcomfortamount 1
        set httppostaction normal
        unset safesearch
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
        set ftgd-wf-enable g01 g02 g03 g04 g05 g06 g07 g08 g21 c01 c02 c03 c04 c05 c06
        set ftgd-wf-disable g22
        set ftgd-wf-allow all
        unset ftgd-wf-log
        unset ftgd-wf-ovrd
    next
end
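
The comparison above can be automated. The following Python is an added example, not part of the original article or any Fortinet tool: it flattens both backup formats into setting paths and lists what only the full-config contains, which is how default values that never appear in a standard backup (such as the disabled log options in the excerpt) become visible for review. The names `flatten` and `compare` are hypothetical, the sample text is constructed from the excerpts above, and every value is assumed to fit on one line.

```python
import shlex

# Helper names are hypothetical; samples are constructed from this article's excerpts.
CONFIG = '''edit "unfiltered"
    config log
        set log-web-ftgd-err enable
    end
    config app-recognition
        edit "http"
            set port 80
        next
    end
next
end'''
FULL = '''edit "unfiltered"
    config log
        set log-av-virus disable
        set log-web-ftgd-err enable
    end
    config app-recognition
        edit "http"
            set inspect-all disable
            set port 80
        next
    end
next
end'''

def flatten(text):
    """Map each set/unset line to {(enclosing config/edit names..., key): value}."""
    stack, out = [], {}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # assumes every value fits on one line
        if tok and tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
        elif tok and tok[0] in ("next", "end") and stack:
            stack.pop()  # "and stack": an excerpt may lack its opening "config" line
        elif len(tok) > 1 and tok[0] in ("set", "unset"):
            out[(*stack, tok[1])] = " ".join(tok[2:]) if tok[0] == "set" else None
    return out

def compare(config_text, full_text):
    """Return (settings only in full-config, keys missing or different in it)."""
    basic, full = flatten(config_text), flatten(full_text)
    differ = {k for k, v in basic.items() if k not in full or full[k] != v}
    return {k: v for k, v in full.items() if k not in basic}, differ

if __name__ == "__main__":
    for result in compare(CONFIG, FULL):
        print(result)
```

An empty second result confirms that both files describe the same state, that is, the full-config equals the config plus default values.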

 

 
