FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pdelapena
Staff
Article Id 302405
Description This article describes several troubleshooting methods that can be followed when experiencing SFTP configuration backup issues in FortiGate.
Scope FortiGate.
Solution

Since FortiOS v7.0.1, administrators have the option to back up the configuration file to an SFTP server.

 

When a manual SFTP configuration backup from the FortiGate CLI fails, or when the same command fails when run from a CLI script in an automation stitch, check the items listed in this article.

 

Example error for an unsuccessful backup attempt from the FortiGate CLI due to wrong credentials:

 

1.png

 

The same error is shown for connectivity issues between the FortiGate and the SFTP server and when the user has insufficient privileges on the server, so the message alone does not identify the cause. Work through the checks below in order.

 

  1. Ensure successful connectivity between FortiGate and the SFTP server.

    A simple connectivity test can be performed by running a telnet to the SFTP server's IP address and its SFTP port number. A successful telnet only proves that a TCP connection to that port can be established; an SSH/SFTP server will additionally print its identification string (for example 'SSH-2.0-OpenSSH_...') as soon as the connection opens, which confirms that the port belongs to an SSH service and not to something else:

execute telnet <IP address or domain name> <SFTP port#>

 

3.png

 

If the SFTP server cannot be reached by telnet, check the following:

  • Verify on the FortiGate that a route towards the destination is in place:

 

get router info routing-table details <SFTP IP address>

 

  • Confirm that the SFTP traffic leaves via the correct interface by running the packet sniffer while re-running the backup. Replace the port with the custom SFTP port if one is used:

 

diag sniff packet any 'host <SFTP IP address> and port <SFTP port#>' 4 0 l  

 

Then run the backup command again to generate the traffic and check that the SYN packets are sent from the expected interface and that replies come back.

 

  • Check whether the traffic is being blocked by an intermediary device (router, firewall, etc.) between the FortiGate and the SFTP server. Make sure that the SSH/SFTP port (TCP 22 by default, or the custom port) is allowed along the whole path towards the SFTP server, including the host firewall on the server itself.
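The telnet test above only shows whether a TCP connection opens. The Python script below is an added example, not part of the original article and not a FortiOS feature: it goes one step further and reads the SSH identification string the server must send first, so it can distinguish "port closed or filtered", "port open but not an SSH/SFTP service" and "SSH reachable". It is meant to be run from a host on the same network path as the FortiGate (it cannot run on the FortiGate itself). The banner strings and ports are constructed for the demonstration, and start_fake_server is a loopback test fixture that only sends a banner; it is not an SSH server.

```python
import socket
import threading

SSH_ID_PREFIX = b"SSH-"   # every SSH server opens with "SSH-protoversion-software" (RFC 4253, section 4.2)
MAX_ID_LINE = 255         # RFC 4253 caps the identification line at 255 bytes including CR LF


def probe_ssh(host, port=22, timeout=5.0):
    """Connect to host:port and try to read the SSH identification string.

    Returns a dict:
      tcp    - True if the TCP handshake completed (this is all 'execute telnet' proves)
      banner - the identification line as text if an SSH server answered, else None
      error  - a short reason when banner is None
    """
    result = {"tcp": False, "banner": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            data = b""
            # The server speaks first, so read until the line ends or the cap is hit.
            while b"\n" not in data and len(data) < MAX_ID_LINE:
                chunk = sock.recv(MAX_ID_LINE - len(data))
                if not chunk:
                    break
                data += chunk
            line = data.split(b"\n", 1)[0].rstrip(b"\r")
            if line.startswith(SSH_ID_PREFIX):
                result["banner"] = line.decode("ascii", "replace")
            else:
                result["error"] = "port open but no SSH identification string"
    except OSError as exc:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        result["error"] = str(exc)
    return result


def is_ssh_reachable(host, port=22, timeout=5.0):
    """True only when a TCP connection opens AND the peer identifies as SSH."""
    return probe_ssh(host, port, timeout)["banner"] is not None


def start_fake_server(banner):
    """Constructed test fixture (not a real SSH server): a one-shot TCP listener on
    127.0.0.1 that sends `banner` to the first client and closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the loopback fixtures; replace with the real
    # SFTP server address and port when troubleshooting.
    ssh_port = start_fake_server(b"SSH-2.0-OpenSSH_9.6\r\n")      # constructed banner
    ftp_port = start_fake_server(b"220 ftp ready\r\n")            # constructed non-SSH banner
    for label, port in (("ssh", ssh_port), ("not-ssh", ftp_port)):
        print(label, probe_ssh("127.0.0.1", port, timeout=3.0))
```

A result with tcp True and banner None means the path is open but the port is not an SSH service (wrong port, or a different daemon listening); tcp False with a "refused" or "timed out" error points at routing, filtering or the server not listening at all.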

 

  2. Follow the correct syntax for the SFTP configuration backup. Make sure that the correct username and password for SFTP server access are used. Include in the file name the directory path where the file should be saved (relative to the directory the SFTP server places the user in after login). If a custom port is used for SFTP, append the port number to the server address.

 

execute backup config sftp <file name> <SFTP server>[:<SFTP port>] <username> <password>

 

Below is example CLI output for a successful attempt to create an SFTP configuration backup. The default SFTP port is TCP port 22, so the port only needs to be given when the server listens elsewhere.

 

2.png

 

  3. The SFTP server user specified in the config backup command must have sufficient privileges in the directory where the backup will be saved: write permission to create the file and execute (search) permission to enter the directory. This is especially important when a non-root user is used for this procedure.

    Below are two scenarios in which the non-root user 'testpau6' is used for the SFTP configuration backup:

 

Scenario A:

 

User 'testpau6' is the owner of the /home/testpau6 directory. The owner permission for /home/testpau6 is 'rwx', so the user 'testpau6' can successfully write the backup config to that directory.

 

4.png

 

Successful backup of fgt.conf in the /home/testpau6 directory:

 

7.png

 

Scenario B: 

 

User 'testpau6' was added to the 'root' user group. User 'root' is the owner of the /backup directory, and the directory's group is also 'root'. The group permission for /backup is 'rwx', so the user 'testpau6' can successfully write the backup config to that directory. Note that membership in the 'root' group also grants 'testpau6' group-level access to every other file and directory whose group is 'root'; a dedicated group that owns only the backup directory, or making 'testpau6' the owner of that directory, gives the same result with less exposure.

 

Adding user 'testpau6' to the 'root' user group:

 

5.png
6.png

 

Successful backup of fgt.conf in the /backup directory:

 

8.png
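Scenarios A and B are two instances of the ordinary Unix directory permission check: to create a file, the user needs write and search (execute) permission on the directory, evaluated with exactly one bit class (owner, then group, then other). The Python code below is an added example, not part of the original article: can_create_in_dir applies that rule to values as read from 'ls -ld', and check_backup_dir applies it to a real path on the SFTP server using os.stat. The user and directory names are those from the scenarios; the mode values 0o755 and 0o775 are assumed from the described permissions (rwx for the owner in A, rwx for the group in B) since the screenshots are not reproduced here.

```python
import grp
import os
import pwd
import stat

# Bits needed to create a file in a directory: write (add an entry) and execute (search).
NEED = {
    "owner": stat.S_IWUSR | stat.S_IXUSR,
    "group": stat.S_IWGRP | stat.S_IXGRP,
    "other": stat.S_IWOTH | stat.S_IXOTH,
}


def permission_class(owner, group, user, user_groups):
    """Which bit class applies. The kernel tests owner first, then group, then other,
    and uses only that class: group bits are never consulted for the owner."""
    if user == owner:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"


def can_create_in_dir(mode, owner, group, user, user_groups):
    """Classic discretionary check for 'can user create a file in this directory'.

    mode         permission bits as shown by ls -ld, e.g. 0o775 for drwxrwxr-x
    owner, group directory owner and group names
    user_groups  every group the SFTP user belongs to (primary and supplementary)
    """
    if user == "root":  # the superuser bypasses mode bits entirely
        return True
    need = NEED[permission_class(owner, group, user, user_groups)]
    return (mode & need) == need


def check_backup_dir(path, user):
    """Apply the same check to a real directory on the SFTP server (reads metadata only)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    pw = pwd.getpwnam(user)
    groups = {grp.getgrgid(g).gr_name for g in os.getgrouplist(user, pw.pw_gid)}
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return can_create_in_dir(stat.S_IMODE(st.st_mode), owner, group, user, groups)


# The two scenarios from the article plus the two ways they commonly fail.
# Mode values are assumed from the described permissions (constructed, not from the page).
SCENARIOS = [
    ("A: /home/testpau6 owned by testpau6, drwxr-xr-x", 0o755, "testpau6", "testpau6", {"testpau6"}),
    ("B: /backup root:root drwxrwxr-x, testpau6 in root group", 0o775, "root", "root", {"testpau6", "root"}),
    ("B without the root group membership", 0o775, "root", "root", {"testpau6"}),
    ("B with drwxr-xr-x (group lacks write)", 0o755, "root", "root", {"testpau6", "root"}),
]


def run_scenarios(user="testpau6"):
    """Evaluate each scenario for `user`; returns a list of (label, allowed)."""
    return [(name, can_create_in_dir(mode, owner, group, user, groups))
            for name, mode, owner, group, groups in SCENARIOS]


if __name__ == "__main__":
    for name, ok in run_scenarios():
        print("OK  " if ok else "DENY", name)
    # On the SFTP server itself, e.g.: print(check_backup_dir("/backup", "testpau6"))
```

Run check_backup_dir on the SFTP server before trying the backup from the FortiGate; it reflects classic mode bits only. POSIX ACLs, SELinux, and an OpenSSH ChrootDirectory setup (where the chroot root must be owned by root and not group- or world-writable, so the writable target has to be a subdirectory) can all deny a write that the function predicts as allowed, and the two 'failure' scenarios show that being in the right group does not help when the group class lacks the write bit.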

 
