Description
This article describes how to configure an automation stitch that backs up the FortiGate configuration to a TFTP server reached over an IPsec tunnel.
Scope
FortiGate.
Solution
Create an Automation Stitch as shown in the picture below: from the GUI, go to Security Fabric -> Automation and select 'Create New'.
In this example, the trigger is a schedule that fires every day at 01:09, and the action is a CLI script that runs 'execute backup config tftp Minjo.cfg 10.187.5.102'.
10.187.5.102 is the TFTP server that receives the backup; it is a host reached through the IPsec tunnel.
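The same stitch built from the CLI, as an added example that is not part of the original article. The object names 'Daily-Backup-Trigger', 'TFTP-Backup-Action' and 'Daily-TFTP-Backup' are assumptions; the schedule and the backup command are the ones used in this article. The 'config actions' sub-table is the FortiOS 7.x syntax (6.4 uses 'set action' directly under the stitch).

```text
# Added example (not from the original article): the automation stitch of the
# previous paragraphs, configured from the FortiGate CLI. Object names are
# assumptions; schedule and backup command are the ones used in the article.

# Trigger: every day at 01:09
config system automation-trigger
    edit "Daily-Backup-Trigger"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 1
        set trigger-minute 9
    next
end

# Action: CLI script that writes the running config to the TFTP server
# reached through the IPsec tunnel. 'execute' commands are allowed in a
# cli-script action; accprofile is the admin profile the script runs with
# (super_admin is used here so the script can read the full configuration).
config system automation-action
    edit "TFTP-Backup-Action"
        set action-type cli-script
        set script "execute backup config tftp Minjo.cfg 10.187.5.102"
        set accprofile "super_admin"
    next
end

# Stitch: bind the trigger to the action (FortiOS 7.x syntax; on 6.4 use
# 'set action "TFTP-Backup-Action"' in place of the 'config actions' table).
config system automation-stitch
    edit "Daily-TFTP-Backup"
        set status enable
        set trigger "Daily-Backup-Trigger"
        config actions
            edit 1
                set action "TFTP-Backup-Action"
                set required enable
            next
        end
    next
end

# Before relying on the schedule, run the same command by hand once to
# confirm the server is reachable through the tunnel:
# execute backup config tftp Minjo.cfg 10.187.5.102
```

The script runs with the rights of the chosen admin profile, so keep it to the single backup command: anything else placed in this script would also run unattended every night with super_admin rights.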
Configure IP addresses on the IPsec tunnel interfaces: from the GUI, go to Network -> Interfaces.
Under the port the VPN tunnel is bound to, select '+' and select the VPN tunnel interface. From the CLI, check 'get router info routing-table all' and pick an IP range that does not already appear in the routing table for the tunnel interface addresses.
In this example:
On the FortiGate that performs the backup:
Result:
Do the same steps for the remote FortiGate.
Result:
Note:
If the phase 2 selectors are wildcards (local 0.0.0.0/0 and remote 0.0.0.0/0), it is enough to configure the IP addresses on the tunnel interfaces; additional phase 2 selectors for the tunnel IP and the server IP are not required.
Otherwise, from the GUI, go to VPN -> IPsec Tunnels and select the tunnel.
In the phase 2 selectors, the tunnel interface IP address is used as the local address and the TFTP server IP address as the remote address.
If this change is made on an IPsec tunnel that is already in use, remember to also add the firewall policies and static routes this traffic needs.
The phase 2 selectors must match (mirrored) on both FortiGates, so adjust the IPsec tunnel on the remote FortiGate as below:
After the previous steps, the configuration backup over TFTP through the IPsec tunnel succeeds:
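The tunnel side of the procedure above (interface addresses, phase 2 selectors on both FortiGates, route and policy, verification), as added example CLI that is not part of the original article. Assumptions: the tunnel interface is named 'ToRemote' on the FortiGate that performs the backup and 'ToHQ' on the remote FortiGate, the tunnel addresses 10.10.10.1 and 10.10.10.2 come from an unused /30 chosen after checking 'get router info routing-table all', and the TFTP server 10.187.5.102 sits behind port2 of the remote FortiGate. The selector step is the non-wildcard case; with 0.0.0.0/0 selectors only the interface addresses are needed.

```text
# Added example (not from the original article). Assumed names and addresses:
# tunnel interfaces "ToRemote" (backing-up FortiGate) and "ToHQ" (remote
# FortiGate), tunnel IPs 10.10.10.1 / 10.10.10.2 (an unused /30),
# TFTP server 10.187.5.102 behind port2 of the remote FortiGate.

### FortiGate that performs the backup ###
# 1. Address the tunnel interface.
config system interface
    edit "ToRemote"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.252
    next
end

# 2. Phase 2 selector: local = tunnel IP, remote = TFTP server (both /32).
#    Skip this step if the existing selectors are 0.0.0.0/0 on both sides.
config vpn ipsec phase2-interface
    edit "ToRemote-backup"
        set phase1name "ToRemote"
        set src-subnet 10.10.10.1 255.255.255.255
        set dst-subnet 10.187.5.102 255.255.255.255
        set auto-negotiate enable
    next
end

# 3. Route the server through the tunnel. Self-originated traffic is sourced
#    from the egress interface address (10.10.10.1), which is exactly what the
#    selector in step 2 expects. No firewall policy is needed on this side.
config router static
    edit 0
        set dst 10.187.5.102 255.255.255.255
        set device "ToRemote"
    next
end

### Remote FortiGate ###
# 4. Mirror the interface addressing.
config system interface
    edit "ToHQ"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.252
    next
end

# 5. Mirrored selector: local = TFTP server, remote = peer's tunnel IP.
config vpn ipsec phase2-interface
    edit "ToHQ-backup"
        set phase1name "ToHQ"
        set src-subnet 10.187.5.102 255.255.255.255
        set dst-subnet 10.10.10.1 255.255.255.255
    next
end

# 6. Policy that allows only TFTP from the peer's tunnel IP to the server.
#    The return route to 10.10.10.1 is the connected /30 from 'remote-ip'.
config firewall address
    edit "Peer-Tunnel-IP"
        set subnet 10.10.10.1 255.255.255.255
    next
    edit "TFTP-Server"
        set subnet 10.187.5.102 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "Tunnel-to-TFTP"
        set srcintf "ToHQ"
        set dstintf "port2"
        set srcaddr "Peer-Tunnel-IP"
        set dstaddr "TFTP-Server"
        set action accept
        set schedule "always"
        set service "TFTP"
        set logtraffic all
    next
end

### Verify from the FortiGate that performs the backup ###
# execute backup config tftp Minjo.cfg 10.187.5.102
# diagnose vpn tunnel list name ToRemote      (the new selector appears as an SA)
# diagnose sniffer packet ToRemote 'udp port 69' 4
```

The /32 selectors and the source-address policy restrict the new security association to the backup flow alone. That matters because TFTP itself has no authentication or encryption: the tunnel is the only protection for the configuration file, which carries password hashes and pre-shared keys, so the TFTP directory on 10.187.5.102 should be restricted accordingly.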