I generally have issues with TFTP across VPN tunnels, depending upon the interface order.
It seems that there's no way to define a source IP for "exec backup config tftp" in the same way "exec ping-options source" exists for plain PING.
What I've discovered is that for traffic egressing an interface without an explicit IP assignment, a Fortigate will "assume" the IP of the first interface specified with an address as shown by "config system interface". If that IP happens to be an internal IP that's routable across the tunnel then all is likely well. However, if the first interface with an IP is your WAN address then TFTP doesn't work. FYI, traceroutes across tunnels also show whatever IP is listed first in "config system interface". The only exception to this is if an IP has been assigned to the tunnel interface itself. This becomes problematic because a unique IP is needed for each tunnel and backup tunnel, if used, unless overlapping subnets are enabled, and then there's the pesky remote-IP requirement.
Another workaround is to (hopefully) find an unused interface at the top of "config system interface" and assign it an internally routable IP. As long as the interface isn't administratively "down" (link-down is OK), this will become the new "default" IP for the Fortigate.
Frankly, I'd rather run my tunnel interfaces without an IP. I can deal with using "exec ping-options" for testing but the inability to use TFTP (and similar) is a giant pain.
Thoughts, anyone? I don't have a good way to submit an option like "exec backup source-ip" as a feature request.
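For readers hitting the same thing, here is a CLI sketch of the two workarounds described in the post, plus the check that confirms which source IP the firewall actually picked. This is an added example, not configuration from the original poster; the interface names (port5, vpn-siteB), the 10.x addresses and the TFTP server address are placeholders, and the exact form of "set remote-ip" varies between FortiOS releases, so confirm it against your version's reference.

```text
# --- Workaround 1 (from the post): give the tunnel interface its own IP ---
# A /32 on the tunnel plus a remote-ip makes the FortiGate source
# tunnel-originated traffic (TFTP backup, traceroute) from that address.
# Both addresses must be unique per tunnel, which is the drawback noted above.
config system interface
    edit "vpn-siteB"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
        set allowaccess ping
    next
end

# --- Workaround 2 (from the post): park an internally routable IP on an
# unused interface that sits near the top of "config system interface".
# The port must be administratively up; link-down is fine.
config system interface
    edit "port5"
        set ip 10.99.0.1 255.255.255.255
        set allowaccess ping
        set status up
        set description "source-IP anchor for tunnel-originated traffic"
    next
end

# The remote peer still needs a route back to whichever address you chose,
# and the IPsec selectors on both ends must cover it.

# --- Verification: watch which source address the TFTP backup really uses.
# Run the sniffer in a second session, then trigger the backup.
diagnose sniffer packet any "udp port 69" 4
execute backup config tftp fortigate-backup.conf 10.10.10.50

# ping can be forced to the same source for a quick reachability check:
execute ping-options source 10.99.0.1
execute ping 10.10.10.50
```

If the sniffer shows the backup leaving from the WAN address rather than the one you just assigned, the new interface is not the first addressed entry in the interface list, or it is administratively down; fix that before chasing routing on the far side.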