FortiGate
montyadams
Staff
Article Id 392806

Description

This article outlines best practices for configuring FortiGate firewalls to support reliable application-aware backup and replication traffic. Without proper configuration, backup jobs can be disrupted by session timeouts, SSL/SSH inspection, NAT behaviour, or Unified Threat Management (UTM) features acting on their traffic.

Scope

FortiGate; application-aware backup and replication solutions (e.g., Veeam, Commvault, Veritas).

Solution

Bypass SSL/SSH Inspection (DPI):

  • Go to Security Profiles → SSL/SSH Inspection.
  • If an inspection profile is applied to the policy that carries backup traffic, remove it, or create a custom profile with inspection turned off.
  • Create a dedicated policy for a custom address group containing all backup-related components, with no inspection profile attached. FortiGate evaluates policies top-down, so place this policy above any broader policy that inspects traffic; otherwise the backup sessions match the inspecting policy first and the bypass never takes effect.

Disable or Exclude from UTM Features:

Disable the following for backup-related traffic, or exclude the backup address group from the inspection profiles if UTM is required for other traffic on the same path:

  • Application Control.
  • Antivirus.
  • Intrusion Prevention System (IPS).
  • Web Filtering.
  • Data Leak Prevention (DLP).

Create Specific Firewall Policies:

config firewall policy
    edit 101
        set name "Backup_to_Storage"
        set srcintf "ae1"
        set dstintf "ae3"
        set srcaddr "Backup_Server"
        set dstaddr "Backup_Storage"
        set action accept
        set schedule "always"
        set service "ALL"
        # No security profiles are attached, so SSL/SSH inspection and the UTM
        # features listed above do not apply to sessions matching this policy.
        set nat enable
        # Remove "set nat enable" if source NAT is not required between these
        # segments; see "Verify NAT and MTU Settings" below.
        set logtraffic all
    next
end

Address Definitions:

config firewall address
    edit "Backup_Server"
        # /32 mask: the object matches only this host. With 255.255.255.0 the
        # object would cover 192.168.1.0/24 and the policy above would bypass
        # inspection for every host in that subnet, not just the backup server.
        set subnet 192.168.1.16 255.255.255.255
    next
    edit "Backup_Storage"
        set subnet 192.168.98.88 255.255.255.255
    next
end

Note:

Adjust interface names and address objects according to the network layout.

Tune or Remove Session Helpers:

config system session-helper
    show  # List all helpers; note the ID of the RPC entry
    delete <id_of_rpc>
end

Deleting a session helper is global: it affects every policy on the FortiGate, not only backup traffic. Alternatively, bind the RPC ports to a defined custom service and bypass the session helper for that service only, so other traffic using the helper is not misclassified.

Increase Session Timeout (Optional):

For long backup jobs, raise the session TTL (in seconds) so idle control connections are not expired mid-job. Prefer the per-policy setting; the global default applies to every session on the unit and increases the state held for all traffic.

# Per Policy
config firewall policy
    edit <policy_id>
        set session-ttl 3600
    next
end

# Globally
config system session-ttl
    set default 3600
end

Verify NAT and MTU Settings:

  • Ensure NAT rules do not interfere with backup traffic.
  • Adjust MTU settings if packet fragmentation or performance issues are observed.

Enable Logging for Troubleshooting:

config firewall policy
    edit <id>
        set logtraffic all
    next
end

Open Required Ports:

Port Range    Protocol   Description
10001         TCP        Installer/Agent Communication
9392, 9401    TCP        Management/Monitoring Access
443           TCP        Web UI and API Access
2500–5000     TCP        Data Movement (default range)

Refer to the backup solution’s documentation for a complete port list.
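The steps above combined into one configuration that can be pasted into the FortiGate CLI, as an added example that is not part of the original article or of any vendor documentation. The interface names, the two host addresses, the TTL value and the port numbers come from the article; the object names Backup_Components, Backup_Agent, Backup_Mgmt, Backup_Data and Backup_RPC, the policy ID 102 and the <rpc_port_range> placeholder are assumptions. It goes one step beyond the article in two places: the policy uses services limited to the listed ports instead of "ALL", and the session helper is disabled per service (set helper disable) rather than deleted for the whole firewall.

```fortios
# Added example (not from the article): consolidated FortiGate configuration
# for application-aware backup and replication traffic.

# Address objects from the article; /32 masks so each object matches one host only.
config firewall address
    edit "Backup_Server"
        set subnet 192.168.1.16 255.255.255.255
    next
    edit "Backup_Storage"
        set subnet 192.168.98.88 255.255.255.255
    next
end

# Assumed group name: one group holds every backup component, so the bypass
# policy stays correct when further proxies or repositories are added later.
config firewall addrgrp
    edit "Backup_Components"
        set member "Backup_Server" "Backup_Storage"
    next
end

# Custom services covering only the ports from the table (names are assumptions).
config firewall service custom
    edit "Backup_Agent"
        set tcp-portrange 10001
    next
    edit "Backup_Mgmt"
        set tcp-portrange 9392 9401
    next
    edit "Backup_Data"
        set tcp-portrange 2500-5000
    next
    edit "Backup_RPC"
        # Replace the placeholder with the RPC port(s) documented for your
        # backup product. "set helper disable" keeps the session helper off
        # this service only, instead of deleting the helper system-wide.
        set tcp-portrange <rpc_port_range>
        set helper disable
    next
end

# Dedicated policy: explicit services instead of "ALL", no security profiles
# attached (so no SSL/SSH inspection, antivirus, IPS, application control,
# web filtering or DLP), a longer per-policy session TTL, full logging, and
# no NAT. Policy ID 102 is an assumption.
config firewall policy
    edit 102
        set name "Backup_Components_Bypass"
        set srcintf "ae1"
        set dstintf "ae3"
        set srcaddr "Backup_Components"
        set dstaddr "Backup_Components"
        set action accept
        set schedule "always"
        set service "Backup_Agent" "Backup_Mgmt" "HTTPS" "Backup_Data" "Backup_RPC"
        set session-ttl 3600
        set logtraffic all
        set comments "Backup/replication traffic: no inspection profiles, extended TTL"
    next
end
```

After applying it, move policy 102 above any broader policy between the same interfaces that carries inspection profiles, since FortiGate matches the first policy in order; then confirm with the traffic log that backup sessions are hitting policy 102 and not a general-purpose rule. "HTTPS" is the predefined FortiOS service for TCP/443 used here for the web UI and API row of the table.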

 

Conclusion:

Properly configuring FortiGate firewalls ensures the stable and efficient operation of backup solutions. Disabling conflicting security features, optimizing session handling, and defining dedicated policies help avoid performance issues. For ongoing problems, collect relevant logs and consult Fortinet Technical Support.

Comments
GILMENDO
Staff & Editor

great job thank you Monty!