anikolov
Staff
Created on
08-30-2021
05:04 AM
Edited on
03-26-2025
01:34 AM
By
Jean-Philippe_P
Article Id
197725
Description
This article describes configuring automation stitches to make backups using TFTP over an IPSec tunnel.
Scope
FortiGate.
Solution
Create an Automation Stitch as per the picture below. Go to Security Fabric -> Automation from GUI and select 'Create New'.
In this example, the trigger is scheduled to execute the command 'execute backup config tftp Minjo.cfg 10.187.5.102' every day at 01:09.
The IP address is the TFTP host reached over the IPsec tunnel, where the backups are stored.

Configure IP addresses in the IPsec tunnels: From the GUI, go to Network -> Interfaces.
Under the port where the VPN tunnel is configured, select '+' and select the VPN tunnel.
From CLI, check 'get router info routing-table all' to choose a free IP address range to use for the tunnel interface.
In this example:
On the FortiGate from which the backup is initiated:

Result:

Do the same steps for the remote FortiGate.

Result:

Note: If no IP address is assigned to the tunnel interface (0.0.0.0/0), self-originated SFTP/TFTP traffic will use the source IP from the interface with the lowest index ID. This may result in traffic being dropped due to mismatched IPsec Phase 2 selectors or being denied by a firewall policy.
How to configure an IPSec tunnel: Site-to-site VPN.
From the GUI, go to VPN -> IPsec Tunnels and select the tunnel.
In the phase 2 selectors, the tunnel interface IP address is used as the local address and the TFTP server address is used as the remote address.
If this change is made on an IPsec tunnel that is already in use, do not forget to add the firewall policies and static routes that this setup requires.

The phase2 selectors must match on both FortiGates, therefore, adjust the IPsec tunnel as below:

Note:
Make sure phase 2 is up before initiating traffic. To check the phase 2 status, navigate to Dashboard -> Network -> IPsec.

In case phase 2 is not up, refer to this document for more troubleshooting steps: Troubleshooting Tip: Troubleshooting IPsec Site-to... - Fortinet Community
As a result of the previous steps, it is possible to do a configuration backup using TFTP over an IPsec tunnel:
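The steps above, collected into one CLI configuration as an added example (this is not configuration taken from the article's screenshots or from Fortinet). It assumes FortiOS 7.x stitch syntax, a phase 1 named 'to-remote-site', tunnel interface addresses 10.255.255.1/32 (local) and 10.255.255.2/32 (remote), and the 'super_admin' profile for the script action; the backup command and TFTP server 10.187.5.102 are the ones from the article. The remote FortiGate needs the mirror image: swapped tunnel addresses, swapped phase 2 selectors, and a firewall policy from the tunnel interface to the interface where the TFTP server lives.

```text
# --- Local FortiGate (the one that sends the backup) ---

# 1. Give the tunnel interface a /32 so self-originated TFTP
#    does not pick the lowest-index interface as its source.
#    Addresses are assumed; pick a free range from
#    'get router info routing-table all'.
config system interface
    edit "to-remote-site"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. Phase 2 selectors: local = tunnel IP, remote = TFTP server.
#    The remote FortiGate must configure the mirrored selectors.
config vpn ipsec phase2-interface
    edit "to-remote-site-p2"
        set phase1name "to-remote-site"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 10.187.5.102 255.255.255.255
    next
end

# 3. Route the TFTP server through the tunnel.
config router static
    edit 0
        set dst 10.187.5.102 255.255.255.255
        set device "to-remote-site"
    next
end

# 4. Automation stitch: daily at 01:09, run the backup command.
config system automation-trigger
    edit "daily-backup-trigger"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 1
        set trigger-minute 9
    next
end
config system automation-action
    edit "tftp-backup-action"
        set action-type cli-script
        set script "execute backup config tftp Minjo.cfg 10.187.5.102"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "daily-tftp-backup"
        set status enable
        set trigger "daily-backup-trigger"
        config actions
            edit 1
                set action "tftp-backup-action"
            next
        end
    next
end

# 5. Verify phase 2 is up before the first scheduled run.
diagnose vpn tunnel list name to-remote-site
```

The script action runs with the rights of the profile set under 'accprofile'; a read-only profile is not enough for 'execute backup', but whatever profile is used, the stitch should be the only consumer of that level of access on the scheduled path. Because the selectors are host-to-host (/32 to /32), any other traffic sourced from the tunnel interface will not match phase 2, which is the intended restriction for a backup-only tunnel.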