Back Up and Restore Configuration

The FortiGate config is a single text file. Back it up before any major change, regularly on a schedule, and store copies off-box. Restores are quick when you have the backup.

Back Up

Via GUI

  1. Admin icon (top right) → Configuration → Backup.
  2. Pick scope:
    • Local PC — downloads to your browser.
    • USB — to attached USB drive.
    • FTP / TFTP — to a remote server.
  3. Encryption:
    • Disabled — plaintext config. Easy to read, but sensitive: it contains hashes and secrets.
    • Enabled — set a password. Required for compliance; the encrypted backup is opaque without the password.
  4. Backup.

Via CLI

# Backup to TFTP:
execute backup config tftp <filename>.conf <tftp-server-ip> [<password>]

# Backup to FTP:
execute backup config ftp <filename>.conf <ftp-server-ip> <user> <password> [<encryption-password>]

# Backup full state including secrets:
execute backup full-config tftp <filename>.conf <tftp-server-ip>

Automated / scheduled backups

FortiGate doesn't have a built-in scheduled backup to remote storage. Options:

  • FortiManager — centralizes backups for fleets.
  • Cron + API — write a script on a backup host that uses the FortiGate REST API to pull configs periodically.
  • Configuration revision (built-in) — keeps last N config changes on the FortiGate itself; useful for rollback but doesn't survive a wipe.

Restore

Via GUI

  1. Admin icon → Configuration → Restore.
  2. Pick source (Local PC, USB, FTP, TFTP).
  3. Provide encryption password if encrypted.
  4. Restore.
  5. FortiGate reboots and applies.

Via CLI

execute restore config tftp <filename>.conf <tftp-server-ip> [<password>]

Configuration Revisions (built-in history)

System → Configuration Revisions lists recent saved snapshots. You can:

  • View any snapshot.
  • Restore to a previous snapshot.
  • Compare two snapshots (diff).

Useful for "undo the change I just made."

Restore After Hardware Replacement (different unit)

When migrating config to a new device:

  1. Restore as normal.
  2. After reboot: System → FortiGuard → Update licenses now to bind FortiGuard to the new serial.
  3. License entitlements (Antivirus, IPS, etc.) tied to the old serial don't transfer — open a Fortinet TAC ticket to request a license re-bind.
  4. SD-WAN, HA, FortiAP/FortiSwitch fabric memberships may need re-pairing.

Common Issues

  • Restore says "config from different model" or "different FortiOS version." Cross-model restores often work but may have feature mismatches. Cross-version restores usually have to be explicitly permitted in the restore options.
  • Restored but interfaces named differently. A different model has different port names. Edit interface assignments after restore.
  • VPN didn't come up after restore. Pre-shared keys are stored encrypted; if the source-box encryption key differs, PSKs won't decrypt. Re-enter PSKs.
  • Backup file corrupted / can't read. The encryption password is wrong, or the file is truncated. Always verify backup file integrity right after backing up.
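
One way to do the integrity check on the backup host, for example as the last step of a cron pull script. This is an added example, not Fortinet code or part of the original page. It assumes a plaintext backup starts with a `#config-version=` header and ends with an `end` line; the function names and the `.sha256` sidecar file are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption (not from the page): a plaintext FortiOS backup starts with a
# "#config-version=" header and its last non-blank line is "end".
PLAINTEXT_HEADER = b"#config-version="
# Constructed sample, not a real device configuration.
SAMPLE = (b"#config-version=FGT-EXAMPLE:opmode=0:vdom=0:user=admin\n"
          b'config system global\n    set hostname "lab-fw"\nend\n')


def inspect_backup(path, min_size=64):
    """Return (kind, sha256_hex, problems) for a freshly written backup file."""
    data = Path(path).read_bytes()
    problems = []
    if len(data) < min_size:
        problems.append(f"only {len(data)} bytes, expected at least {min_size}")
    if data.startswith(PLAINTEXT_HEADER):
        kind = "plaintext"
        lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
        if lines[-1] != b"end":
            problems.append("last line is not 'end'; file may be truncated")
    else:
        # Encrypted backups are opaque without the password: size and hash only.
        kind = "encrypted-or-unknown"
    return kind, hashlib.sha256(data).hexdigest(), problems


def write_manifest(path):
    """Record the hash beside the backup (sha256sum format); reject bad files."""
    _, digest, problems = inspect_backup(path)
    if problems:
        raise ValueError(f"{path}: " + "; ".join(problems))
    manifest = Path(f"{path}.sha256")
    manifest.write_text(f"{digest}  {Path(path).name}\n")
    return manifest


def verify_manifest(path):
    """Before a restore: True only if the file still matches its recorded hash."""
    recorded = Path(f"{path}.sha256").read_text().split()[0]
    return hashlib.sha256(Path(path).read_bytes()).hexdigest() == recorded


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "fw.conf")
        backup.write_bytes(SAMPLE)
        print(write_manifest(backup).read_text(), verify_manifest(backup))
```

Run `write_manifest` right after each backup lands and `verify_manifest` before any restore. The sidecar is written in `sha256sum` format, so `sha256sum -c` can check it as well.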