Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anikolov
Staff
Staff

Created on ‎08-30-2021 05:04 AM Edited on ‎07-09-2025 09:52 PM By Moderator

Article Id 197725

Technical Tip: Configure automation backup over IPsec tunnel

Description


This article describes configuring automation stitches to make backups using TFTP over an IPSec tunnel.

 

Scope

 

FortiGate.

Solution

 

Create an Automation Stitch as per the picture below. Go to Security Fabric -> Automation from the GUI and select 'Create New'.

In this example, the trigger is scheduled to execute the command 'execute backup config tftp Minjo.cfg 10.187.5.102' every day at 01:09.
The IP address is a host over the IPsec where the backups are being done.

 
Configure IP addresses in the IPsec tunnels: From the GUI, go to Network -> Interfaces.
 
Under the port where the VPN tunnel is configured, select '+' and select the VPN tunnel. From CLI, check 'get router info routing-table all' to choose a free IP address range to use for the tunnel interface.

In this example:
From the FortiGate, where the backup is stored.
 
 
Result:
 
 
Do the same steps for the remote FortiGate.
 
 
Result:
 
 
Note:
If no IP address is assigned to the tunnel interface (0.0.0.0/0), self-originated SFTP/TFTP traffic will use the source IP from the interface with the lowest index ID: Technical Tip: Self-originating traffic over IPSec VPN (For example ping). This may result in traffic being dropped due to mismatched IPsec Phase 2 selectors or being denied by a firewall policy.
 
Note:
If the phase-2 selectors are wildcard <local 0.0.0.0/0 and remote 0.0.0.0/0>, in that case, configure the IP address on the tunnel interfaces; it is not required to configure the additional phase2 selectors for the tunnel and the server IP.

How to configure an IPSec tunnel: Site-to-site VPN.
 
From the GUI, go to VPN -> IPsec Tunnels and select the tunnel.
In the phase2 selectors tunnel IP address is used as the local, and the TFTP server is used as the remote address.
If it is changed over an IPSec tunnel that is already in use, do not forget to apply new policies and static routes for this implementation.
 
 
The phase2 selectors must match on both FortiGates; therefore, adjust the IPsec tunnel as below:
 
 
Note:
Make sure phase 2 is up before initiating traffic. To check phase 2 status, navigate Dashboard -> Network -> IPSec.

Screenshot 2025-02-03 144121.png
In case phase 2 is not up, refer to this document for more troubleshooting steps: Troubleshooting Tip: Troubleshooting IPsec Site-to... - Fortinet Community  

If it is an IPsec Policy-based VPN, refer to this KB article: Technical Tip : Back up configuration using SFTP via the IPsec Policy based VPN.
As a result of the previous steps, it is possible to do a configuration backup using TFTP over an IPsec tunnel:
 

Another way is to use preferred-source parameter under the static route to specify the source IP that will be used for local or self-originating traffic of FortiGate. More details can be found on Technical Tip: Custom source IP for locally originated TFTP/FTP/SFTP traffic.

Related documents:
Automation stitches
Technical Tip: Custom source IP for locally originated TFTP/FTP/SFTP traffic
9139
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.