sjoshi
Staff
Article Id 399826
Description

 

This article describes how to configure FortiGate to send locally-generated TFTP backup traffic using a specific source IP. This is especially useful in scenarios where the TFTP server is reachable using an IPsec VPN interface.

 

Scope

 

FortiGate v7.4.

 

Solution

 

Topology:

 

[Topology diagram: image 1.PNG not reproduced]


config router static

    edit <index>
        set dst 10.253.108.100 255.255.255.255
        set device "FGT-Spoke"
    next
end


While 10.253.108.100 is reachable through the IPsec tunnel 'FGT-Spoke', locally-originated traffic to this destination currently fails because it is sent with an unintended source IP address. The HQ side only allows TFTP traffic sourced from the Spoke's LAN interface IP address, 10.253.200.1.

 

Initially, when the 'execute backup' command is initiated on the FortiGate, the TFTP traffic is observed to use 10.5.146.16 as the source IP instead of the LAN interface IP.

 

erbium-kvm56 # execute backup config tftp /Spoke_FGT_backup.conf 10.253.108.100
Please wait...
Connect to tftp server 10.253.108.100 ...
Transfer timed out.
Send config file to tftp server via vdom root failed.
Command fail. Return code -1


erbium-kvm56 # diagnose sniffer packet any 'host 10.253.108.100' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.253.108.100]
2025-07-06 12:48:18.043365 FGT-Spoke out 10.5.146.16.19881 -> 10.253.108.100.69: udp 16
2025-07-06 12:48:23.043480 FGT-Spoke out 10.5.146.16.19881 -> 10.253.108.100.69: udp 16

 

Since no IP address is assigned to the 'FGT-Spoke' tunnel interface, the FortiGate falls back to the local IP address with the lowest interface index.

 

erbium-kvm56 # diagnose ip address list
IP=10.5.146.16->10.5.146.16/255.255.192.0 index=3 devname=port1
IP=10.5.210.16->10.5.210.16/255.255.192.0 index=4 devname=port2
IP=10.253.200.1->10.253.200.1/255.255.255.0 index=5 devname=port3
IP=10.5.81.69->10.5.81.69/255.255.240.0 index=6 devname=port4
IP=10.99.18.16->10.99.18.16/255.255.192.0 index=7 devname=port5
IP=10.104.18.16->10.104.18.16/255.255.192.0 index=8 devname=port6

 

Because port1 (index 3) has a lower interface index than port3 (index 5), the FortiGate uses the port1 IP address, 10.5.146.16, as the source address for the TFTP traffic instead of the intended port3 address, 10.253.200.1.

 

Starting from v7.4, the source IP of local-out traffic such as TFTP backup can be controlled by configuring a preferred-source IP on the static route; see the release note 'Allow better control over the source IP used by each egress interface for local out traffic'.

 

config router static
    edit <index>
        set dst 10.253.108.100 255.255.255.255
        set preferred-source 10.253.200.1
        set device "FGT-Spoke"
    next
end

 

After the change, the packet capture for the TFTP traffic shows that the intended address 10.253.200.1 is used as the source IP address.

 

erbium-kvm56 # diagnose sniffer packet any 'host 10.253.108.100' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.253.108.100]
2025-07-06 15:05:06.381138 FGT-Spoke out 10.253.200.1.17448 -> 10.253.108.100.69: udp 16
2025-07-06 15:05:11.381295 FGT-Spoke out 10.253.200.1.17448 -> 10.253.108.100.69: udp 16

 

Note:
To allow reply traffic, the preferred-source IP should match an existing IP address on the FortiGate or an IP pool with arp-reply enabled. In this example, 10.253.200.1 is already the IP address of port3, so no further changes are required.
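The source-selection rule explained above (lowest interface index when the egress tunnel has no address, the preferred-source address once it is set) and the before/after sniffer captures lend themselves to a small check. The following Python script is an added example, not code from the article or from Fortinet: it parses the 'diagnose ip address list' and 'diagnose sniffer packet' output quoted in the article, models the selection rule as a simplified assumption (it covers the local-address case from the note above, not the IP-pool case), and flags any TFTP packet whose source IP is not the intended LAN address. The sample inputs are copied from the article's output and embedded inline so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the 'diagnose ip address list' output quoted in the article.
ADDR_LIST = """\
erbium-kvm56 # diagnose ip address list
IP=10.5.146.16->10.5.146.16/255.255.192.0 index=3 devname=port1
IP=10.5.210.16->10.5.210.16/255.255.192.0 index=4 devname=port2
IP=10.253.200.1->10.253.200.1/255.255.255.0 index=5 devname=port3
IP=10.5.81.69->10.5.81.69/255.255.240.0 index=6 devname=port4
IP=10.99.18.16->10.99.18.16/255.255.192.0 index=7 devname=port5
IP=10.104.18.16->10.104.18.16/255.255.192.0 index=8 devname=port6
"""

# Constructed sample input: sniffer output before and after the preferred-source change.
CAPTURE_BEFORE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.253.108.100]
2025-07-06 12:48:18.043365 FGT-Spoke out 10.5.146.16.19881 -> 10.253.108.100.69: udp 16
2025-07-06 12:48:23.043480 FGT-Spoke out 10.5.146.16.19881 -> 10.253.108.100.69: udp 16
"""
CAPTURE_AFTER = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.253.108.100]
2025-07-06 15:05:06.381138 FGT-Spoke out 10.253.200.1.17448 -> 10.253.108.100.69: udp 16
2025-07-06 15:05:11.381295 FGT-Spoke out 10.253.200.1.17448 -> 10.253.108.100.69: udp 16
"""

ADDR_RE = re.compile(
    r"^IP=(?P<ip>\d+\.\d+\.\d+\.\d+)->\d+\.\d+\.\d+\.\d+/(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r" index=(?P<index>\d+) devname=(?P<dev>\S+)$"
)
SNIFF_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) out (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp \d+$"
)


@dataclass(frozen=True)
class LocalAddr:
    ip: str
    mask: str
    index: int
    devname: str


def parse_address_list(text: str) -> list:
    """Parse 'diagnose ip address list' lines; the prompt and unrelated lines are skipped."""
    addrs = []
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            addrs.append(LocalAddr(m["ip"], m["mask"], int(m["index"]), m["dev"]))
    return addrs


def select_source_ip(addrs, preferred_source: Optional[str] = None) -> str:
    """Simplified model (an assumption for this example, not FortiOS code) of the rule the
    article describes for an egress interface without an IP of its own: with no
    preferred-source, the local address with the lowest interface index is used; with
    preferred-source set, that address is used and must be a local address so that replies
    are answered (the IP-pool-with-arp-reply case from the note is not modelled)."""
    if not addrs:
        raise ValueError("no local addresses")
    if preferred_source is None:
        return min(addrs, key=lambda a: a.index).ip
    if preferred_source not in {a.ip for a in addrs}:
        raise ValueError(f"preferred-source {preferred_source} is not a local address")
    return preferred_source


def check_capture(capture: str, expected_src: str, dst: str) -> list:
    """Return the TFTP (UDP/69) packets towards dst whose source IP is not expected_src."""
    bad = []
    for line in capture.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m or m["dst"] != dst or m["dport"] != "69":
            continue  # sniffer header lines and unrelated traffic
        if m["src"] != expected_src:
            bad.append(line.strip())
    return bad


if __name__ == "__main__":
    local = parse_address_list(ADDR_LIST)
    print("no preferred-source ->", select_source_ip(local))
    print("preferred-source    ->", select_source_ip(local, "10.253.200.1"))
    for name, cap in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER)):
        wrong = check_capture(cap, "10.253.200.1", "10.253.108.100")
        print(f"{name}: {len(wrong)} packet(s) with the wrong source IP")
```

Running the script reproduces the article's observation: without preferred-source the model picks 10.5.146.16 (port1, the lowest index), the 'before' capture has two packets with the wrong source, and the 'after' capture has none. The ValueError raised for a preferred-source that is not a local address mirrors the note's requirement that replies must be answerable.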

 

Related articles:
Technical Tip: Execute configuration backup over an IPsec tunnel

Technical Tip: Back up configuration using SFTP issue via the IPsec Site to Site Tunnel in policy ba...

Technical Tip: Configuring preferred-source in source IP for local-out traffic