acardona
Staff
February 26, 2025

Technical Tip: Stitch for FTP backup uses the WAN IP

Description This article describes the behavior where, when using an automation stitch, it is not possible to use a source IP.
Scope FortiGate.
Solution

When the automation stitch executes the FTP backup and the remote server is reached through an IPsec VPN, the FortiGate will use its own WAN IP as the source of the connection.

The following sniffer output is an example:

filters=[host 10.19.131.120]
10.913388 VPN_Lab out 192.168.1.10.7921 -> 10.19.131.120.222: syn 272142190
11.909013 VPN_Lab out 192.168.1.10.7921 -> 10.19.131.120.222: syn 272142190

 

By default, local-out traffic uses the interface IP with the lowest index value, which is why the source shows as 192.168.1.10.

Depending on the Phase 2 selectors or the routing at the other site, this could impact the FTP connection. To correct this, an IP address can be configured on the VPN interface.

config system interface
    edit "VPN_Lab"
        set vdom "root"
        set ip 172.19.1.1 255.255.255.255
        set remote-ip 172.19.1.2 255.255.255.0
        set snmp-index 9
        set interface "port1"
    next
end

The sniffer now shows the VPN interface IP being used as the source of the connection.

filters=[host 10.19.131.120]
10.913388 VPN_Lab out 172.19.1.1.7921 -> 10.19.131.120.222: syn 272142190
11.909013 VPN_Lab out 172.19.1.1.7921 -> 10.19.131.120.222: syn 272142190

 

Note:

This is the expected behavior: it is not possible to configure a source IP for the FTP connection.
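
As an added example (not part of the original article and not Fortinet tooling), the following Python script parses sniffer lines in the format shown above and separates outbound packets toward the FTP server by whether their source address falls inside an expected range. The `allowed_src` CIDR stands in for whatever the remote side's Phase 2 selector or routing permits and is an assumption; the sample lines are constructed from the two captures in this article.

```python
import ipaddress
import re

# Constructed sample: lines taken from the before/after captures above.
SAMPLE = """\
filters=[host 10.19.131.120]
10.913388 VPN_Lab out 192.168.1.10.7921 -> 10.19.131.120.222: syn 272142190
11.909013 VPN_Lab out 192.168.1.10.7921 -> 10.19.131.120.222: syn 272142190
10.913388 VPN_Lab out 172.19.1.1.7921 -> 10.19.131.120.222: syn 272142190
"""

# Fields: timestamp, interface, direction, src ip.port, dst ip.port, flags.
# The port is the last dot-separated field after the four IPv4 octets.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Yield one dict per packet line; header lines such as 'filters=[...]' are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def check_sources(text, iface, server, allowed_src):
    """Split outbound packets to `server` on `iface` into (ok, bad) by source address.

    allowed_src is a CIDR (assumption: the range the remote site accepts).
    """
    allowed = ipaddress.ip_network(allowed_src, strict=False)
    ok, bad = [], []
    for pkt in parse_sniffer(text):
        if pkt["iface"] != iface or pkt["dir"] != "out" or pkt["dst"] != server:
            continue
        in_range = ipaddress.ip_address(pkt["src"]) in allowed
        (ok if in_range else bad).append(pkt)
    return ok, bad


if __name__ == "__main__":
    ok, bad = check_sources(SAMPLE, "VPN_Lab", "10.19.131.120", "172.19.1.1/32")
    for pkt in bad:
        print(f"{pkt['ts']} {pkt['iface']}: unexpected source {pkt['src']}")
    print(f"{len(ok)} packet(s) from the tunnel IP, {len(bad)} from another source")
```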