Back up your configuration on FortiGate 7.0 using Ansible (October 2023 Edition)


Install and set up Ansible

Install and set up Ansible, ensuring that you have the full version that includes the FortiOS collection. For detailed instructions, refer to existing YouTube videos and blog posts.

Assuming you have Ansible set up and an inventory file with your Fortigate listed, let's continue.

Creating a user for Ansible

Create a REST API user and name it something like ansible_user. It will be set to super_admin_readonly access by default.

Although creating a REST API user with super_admin_readonly access might seem sufficient for backing up the configuration, it isn't: the backup call only works when the user has the full super_admin profile. Grant it in the CLI with the following commands:

fw1# config system api-user
fw1 (api-user) # edit ansible_user
fw1 (api-user) # set accprofile super_admin
fw1 (api-user) # end

Create a playbook

Create a playbook named “fw-backup.yaml” with the following contents:

---
- hosts: fortigate
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: no   # accepts the Fortigate's self-signed certificate
    ansible_httpapi_port: 443
    fortios_access_token: "GET_YOUR_OWN"  # the REST API user's token
  tasks:
    # Ask the Fortigate for a backup of the global configuration.
    - name: Backup a virtual domain.
      fortios_monitor:
        access_token: "{{ fortios_access_token }}"
        selector: 'backup.system.config'
        vdom: "{{ vdom }}"
        params:
          scope: 'global'
      register: backupinfo

    # The raw configuration text comes back in backupinfo.meta.raw; write it to a file.
    - name: Save the backup information.
      copy:
        content: '{{ backupinfo.meta.raw }}'
        dest: './fw1.cfg'

Run the playbook

Run the playbook using the command:

ansible-playbook fw-backup.yaml
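The playbook above works, but because the API user now has super_admin rights, its token is a full administrator credential, and the exported configuration itself contains password hashes and pre-shared keys. The following is an added example playbook, not the one from this post, that keeps the token out of the playbook file, names the output per host and timestamp, checks that the payload really is a FortiGate configuration before saving it, and writes the file with owner-only permissions. The environment variable name FORTIOS_ACCESS_TOKEN, the backup_dir path and the check for the #config-version= header line are assumptions of this example; the token could equally come from a vault-encrypted group_vars file.

```yaml
---
# Added example (not the original post's playbook). Assumes the token is
# exported as FORTIOS_ACCESS_TOKEN on the controller and that the inventory
# group is still called "fortigate".
- hosts: fortigate
  connection: httpapi
  gather_facts: false
  collections:
    - fortinet.fortios
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # set to false only for lab boxes with self-signed certs
    ansible_httpapi_port: 443
    # Token is read from the controller's environment instead of being hard-coded.
    fortios_access_token: "{{ lookup('ansible.builtin.env', 'FORTIOS_ACCESS_TOKEN') }}"
    backup_dir: "./backups"                # assumed output location
    backup_stamp: "{{ '%Y%m%dT%H%M%S' | strftime }}"
  tasks:
    - name: Refuse to run without a token
      ansible.builtin.assert:
        that: fortios_access_token | length > 0
        fail_msg: "FORTIOS_ACCESS_TOKEN is not set on the controller"

    - name: Backup the configuration (global scope)
      fortios_monitor:
        access_token: "{{ fortios_access_token }}"
        selector: 'backup.system.config'
        vdom: "{{ vdom }}"
        params:
          scope: 'global'
      register: backupinfo
      no_log: true   # keeps the token and the config text out of -vvv output

    # A FortiGate config export starts with a "#config-version=" header line;
    # anything else (an HTML error page, an empty body) should fail the run.
    - name: Sanity-check the backup payload
      ansible.builtin.assert:
        that:
          - backupinfo.meta.raw is defined
          - backupinfo.meta.raw is search('^#config-version=')
        fail_msg: "Unexpected backup payload from {{ inventory_hostname }}"

    - name: Ensure the backup directory exists on the controller
      ansible.builtin.file:
        path: "{{ backup_dir }}"
        state: directory
        mode: '0700'
      delegate_to: localhost

    - name: Save the backup with owner-only permissions
      ansible.builtin.copy:
        content: "{{ backupinfo.meta.raw }}"
        dest: "{{ backup_dir }}/{{ inventory_hostname }}-{{ backup_stamp }}.cfg"
        mode: '0600'
      delegate_to: localhost
```

Run it as FORTIOS_ACCESS_TOKEN=... ansible-playbook fw-backup.yaml. If you need to troubleshoot the API call with -vvv as described below, temporarily drop no_log from the backup task, since it also hides the module's request and response details.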

Troubleshooting

If you encounter any issues, remember that troubleshooting with Ansible often requires effective Googling skills. Adding the -vvv flag to the above command makes Ansible print a lot more detail about what it is doing:

ansible-playbook -vvv fw-backup.yaml

On the Fortigate

For debugging on the Fortigate, use the following diagnose commands:

diag debug enable
diag debug application httpsd -1

Note that other debug traffic will be displayed as well. Save the session output to a file and use your editor's search function to find the relevant requests. To disable debugging, run:

diag debug reset
diag debug disable
