npaiva
Staff
Article Id 365194
Description This article describes how, at the time of writing, backing up the configuration file from the CLI using FTP is not fully SD-WAN aware, which may cause connectivity issues for self-generated traffic.
Scope FortiOS.
Solution

FortiOS initially follows the SD-WAN rules for the FTP control channel over port 21, but does not do so for the data channel, which follows the RIB instead. This is an issue if there is a single default route pointing to the SD-WAN zone and the destinations are controlled by SD-WAN rules, including destinations for IPsec tunnels.

The workaround for this issue is to create a specific static route for the FTP server, using the correct egress interface. Example:

config router static
    edit 10
        set dst 172.16.200.1 255.255.255.255
        set device "IPSEC-Tunnel"
    next
end