Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

TFTP - 69 rule is not working

Dear All,

 

I need your small help today I have created rule to backup of the stack switch which is installed behind the FortiGate Firewall.

 

Everything is correct as per my knowledge, tftp port is also enabled, still not able to establish connection between TFTP server & client.

 

Can anyone has any suggestions on it for me.

 

Thank you.

 

1 Solution
Umesh

Hi All,

 

Issue has been resolved as we have to define reverse traffic for both direction.

As the moment I have configured reverse policy (vice versa) after that  I am able to take take configuration backup of the destination devices.

 

Thank you all.

View solution in original post

10 REPLIES 10
srajeswaran
Staff
Staff

Do you see the traffic on the firewall? Can you check the traffic log on Fortigate for the specific server/client IPs.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Umesh

Hi Suraj,

 

I have seen on firewall which I had created rule there is no any hit, what can be issue.

srajeswaran

From the client machine are you able to ping the TFTP server? Can you do a traceroute and check if the traffic is on the right path?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Toshi_Esumi
Esteemed Contributor III

First, you need to explain where the TFTP server and the clients are located in relation to the FGT interfaces. Then check routing and policies between them. For troubleshooting, start with just sniffing traffic between those interfaces to see if the request packets are coming/going through the interfaces.

 

Toshi

Umesh

Hi Toshi,

 

I would like to tell the scenario how I am trying to take backup through TFTP, here is the below diagram.

 
 

tftp.JPG

policy name - tftp
incoming interface - port2
outgoing interface - port 3
source - 1.1.1.0/24
destination - 5.5.5.0/24
schedule - always
service -tftp 69
action - accept
nat - disabled
okay.


After enabling rule on the firewall, there is no logs. Can you please help us to resolve the issue.

 

Umesh

Hi Toshi,

 

I am able to ping client (5.5.5.2) from  server (1.1.1.2), also  getting traceroute.

srajeswaran

You need policy from port3 to port2.

incoming interface - port3
outgoing interface - port 2

source - 5.5.5.0/24
destination - 1.1.1.0/24
schedule - always
service -tftp 69
action - accept
nat - Interface (just to make sure there is no return route issue)

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Umesh

Hi All,

 

Issue has been resolved as we have to define reverse traffic for both direction.

As the moment I have configured reverse policy (vice versa) after that  I am able to take take configuration backup of the destination devices.

 

Thank you all.

Umesh
Contributor

Hi,

Why should I choose incoming interface port3 whereas incoming interface would be port as traffic is initiating from PC which server and switch 5.5.5.2 is client.

let me tell you what exactly I need.

I have to take backup of switch which is installed behind the firewall.

tftp server 1.1.1.2

client - 5.5.5.2

from 1.1.1.2 switch 5.5.5.2 is reachable.

 

can you guide me what can be issue.

Labels
Top Kudoed Authors