FortiGate
Pavan_Chintha
Article Id 387238
Description This article describes a scenario where a configuration backup to an SFTP server fails because the server is reached through a policy-based IPsec site-to-site VPN, and how to fix it by assigning IP addresses to the tunnel interfaces.
Scope FortiGate.
Solution

From the CLI, administrators can back up the configuration file to an SFTP server:

execute backup config sftp <directory/filename> <SFTP server>[:<SFTP port>] <username> <password>


By default, SFTP uses TCP port 22.
The topology is: FGT1 -> IPsec Tunnel (policy-based) -> FGT2 -> SFTP server.

The phase 2 selectors are 0.0.0.0/0 for both the local and the remote subnet on both FortiGates.

The following error appears when attempting the backup from FGT1 to the SFTP server:

DXB-FW-001 # execute backup full-config sftp /Fortigate_Backup/DXB-FW-001/backup-%%date%%.conf 192.168.64.20 fortinet @EJabr*4pU@habACuBr6
Please wait...
Connect to sftp server 192.168.64.20 ...
Send config file to sftp server via vdom root failed.
Command fail. Return code -1

A telnet test from FGT1 to the SFTP server on the SFTP port also fails to connect, which shows that the problem is with reachability through the tunnel rather than with SFTP authentication.

Note:

If no IP address is assigned to the tunnel interface (it shows 0.0.0.0/0), self-originated traffic such as the SFTP or TFTP backup is sent with the source IP address of the interface that has the lowest index ID. That source IP is not allowed in the firewall policy on the remote FortiGate, so the traffic is dropped.

It is therefore necessary to define the tunnel interface IP address on both FortiGates.

FGT1:
Under Network -> Interfaces, select the IPsec tunnel interface and edit it. Set the IP address.

 

For example:

  • Addressing mode: Manual.
  • IP: 3.3.3.3.
  • Netmask: 255.255.255.255.
  • Remote IP/Netmask: 2.2.2.2/255.255.255.0.


FGT2:
Set the IP address for the tunnel interface in the same way:

  • Addressing mode: Manual.
  • IP: 2.2.2.2.
  • Netmask: 255.255.255.255.
  • Remote IP/Netmask: 3.3.3.3/255.255.255.0.

Because this IPsec VPN is policy-based, the tunnel interface IP addresses do not need to fall within the phase 2 selectors' local subnet. In a route-based VPN they do: the phase 2 selectors must cover the tunnel IP addresses, otherwise the self-originated traffic is not matched into the tunnel.

Ensure that the tunnel IP address of FGT1 (3.3.3.3) is allowed as a source address in the FGT2 firewall policy that permits access to the SFTP server. Without that, the backup traffic is dropped on FGT2 even though the tunnel is up.
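The CLI equivalent of the GUI steps above, as an added example that is not part of the original article: the tunnel interface names (VPN-to-FGT2, VPN-to-FGT1), the address object names, the FGT2 interface names (wan1, internal) and the policy ID are assumptions chosen for this example; the IP addresses, the SFTP server and the backup command are taken from the article.

```text
# FGT1: assign an IP address to the IPsec tunnel interface so that
# self-originated traffic (the SFTP backup) is sourced from 3.3.3.3
# instead of the lowest-index interface. "VPN-to-FGT2" is an assumed name.
config system interface
    edit "VPN-to-FGT2"
        set ip 3.3.3.3 255.255.255.255
        set remote-ip 2.2.2.2 255.255.255.0
    next
end

# FGT2: mirror the addressing on the other end of the tunnel.
# "VPN-to-FGT1" is an assumed name.
config system interface
    edit "VPN-to-FGT1"
        set ip 2.2.2.2 255.255.255.255
        set remote-ip 3.3.3.3 255.255.255.0
    next
end

# FGT2: address objects for the FGT1 tunnel IP and the SFTP server
# (object names are assumptions for this example).
config firewall address
    edit "FGT1-tunnel-ip"
        set subnet 3.3.3.3 255.255.255.255
    next
    edit "SFTP-server"
        set subnet 192.168.64.20 255.255.255.255
    next
end

# FGT2: policy-based IPsec policy. The source address must include
# 3.3.3.3, otherwise the backup traffic arriving through the tunnel is
# dropped. Interface names and policy ID are assumptions for this example.
config firewall policy
    edit 10
        set name "Allow-FGT1-backup-to-SFTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "FGT1-tunnel-ip"
        set dstaddr "SFTP-server"
        set action ipsec
        set vpntunnel "VPN-to-FGT1"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# FGT1: verify that the backup now leaves with the expected source address.
# Run the sniffer in one CLI session and the backup in another; the first
# packets shown should have 3.3.3.3 as the source. <password> is a placeholder.
diagnose sniffer packet any 'host 192.168.64.20 and port 22' 4 10
execute backup full-config sftp /Fortigate_Backup/DXB-FW-001/backup-%%date%%.conf 192.168.64.20 fortinet <password>
```

If the sniffer still shows another interface's address as the source, the tunnel interface IP was not applied; if the source is 3.3.3.3 but the connection still fails, check the FGT2 policy source address and the FGT2 traffic log for denied sessions from 3.3.3.3.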

Below is an example of a successful attempt to back up the configuration to the SFTP server on port 22:

[Screenshot: Successful.png, successful backup output]

For information about automation backup over route-based VPN, see Technical Tip: Configure automation backup over IPsec tunnel.

 

Related document: 

Technical Tip: How to send automated backups of the configuration from a FortiGate with an automatio...