kelv1n
New Contributor

backup via TFTP function using WAN... how can we set the source-ip and interface?

Hi Guys

We have an NCM on a server which connects to our FortiGate across a VPN. It logs into the FortiGate via SSH and fires off

execute backup config tftp <backup_filename> <tftp_servers> <password>

The problem we have is that the FortiGate is trying to send this traffic via our WAN interface. We had a similar issue with FortiManager/FortiAnalyzer, but we fixed this by configuring it in the CLI, as the FortiManager/FortiAnalyzer sections have a specific "source-ip" parameter which, when set to the FortiGate's LAN IP, forces this traffic to go via that interface.

How can we achieve this for TFTP?

Many thanks

Kelvin

rdumitrescu
New Contributor III

Hi,

If I understood it well, you have an IPsec VPN between the FortiGate and your server. So suppose that on the left side you have your server and on the right side the FortiGate. Is the TFTP server the same server that connects via SSH to the firewall? If not, does it belong to the same network?

I think that this is a routing problem, because the firewall decides the exit interface (source IP) after the routing lookup.

Regards, Radu

kelv1n

Hi Radu

That's what we initially thought, but it's definitely not. What we're experiencing is as described here:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD32459

"By default, the source IP is the one from the FortiGate egress interface."

Perhaps I'm misreading this; this would be wherever 0.0.0.0/0.0.0.0 is routed to... which would be the WAN interface.

They offer a solution for SNMP, Syslog etc., but not TFTP.

kelv1n
New Contributor

Sorry, I should be a bit more specific on this. I think I might have caused some confusion whilst mentioning interface.

Traffic originating from the firewall is being sent with our WAN IP as the source IP, but the firewall is trying to route this down the VPN interface.

It's as if the traffic is going Firewall -> WAN Source IP/Interface -> VPN

Which of course will not work, as there is no routing from WAN->VPN, nor would policies allow it.

What we need is Firewall -> LAN Source IP/Interface -> VPN

 

rdumitrescu
New Contributor III

Hi,

Unfortunately I don't know for sure if you can set the source-ip for TFTP. But I think you could try a workaround. I'm pretty sure that the tunnel interface is unnumbered. If it's possible for your environment, try to assign an IP to the tunnel interface. According to the Fortinet documentation, the source IP should be the IP assigned to the egress interface. Obviously in this case you have to add an additional route on the other side.

Regards, Radu

dombilod1
New Contributor

Hi,

I have the exact same issue. Have you found a way to make it work?

Thanks,

Adrian_Lewis

As has been mentioned, there isn't a way to set the source IP of a backup, so you need to ensure that the IPsec VPN is interface based, that there is an IP configured on the virtual interface, and that it's allowed in any corresponding firewall policies. In general though, I'd avoid using TFTP over a WAN as it can take a very long time or just fail if there's much in the way of congestion or other sources of packet loss.

What would solve both the routing and packet loss issues would be to use SCP (if this is an option for the NMS in question). There's a KB article; just search for scp and it should be one of the top results. It doesn't rely on the FortiGate creating a new connection, as all the data is transferred over the same session that is initiated from the NMS. It's more of a pull than a request to push the config file.
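The two suggestions above (Radu's: give the tunnel interface an IP; Adrian's: make the VPN interface based and prefer an SCP pull) put together as a FortiOS CLI fragment. This is an added example and not part of the thread or of Fortinet's documentation; the tunnel name "to-ncm", the uplink "wan1", the peer 203.0.113.10, the tunnel addresses 10.255.0.1/10.255.0.2, the NCM subnet 192.168.100.0/24 and the TFTP server 192.168.100.20 are all hypothetical placeholders. The point it shows is that the backup's source address is never set directly: it is whatever IP sits on the interface the route lookup picks, so the fix is to make that interface the tunnel and to give the tunnel an IP.

```fortios
# Added example (not from the thread): interface-based IPsec tunnel with an IP on
# the tunnel interface, so that locally originated traffic such as
# "execute backup config tftp" that is routed via the tunnel is sourced from that
# IP instead of from the WAN IP. All names and addresses below are hypothetical.

# 1. Interface-based (route-based) phase 1: this creates a virtual interface
#    named after the phase 1, here "to-ncm".
config vpn ipsec phase1-interface
    edit "to-ncm"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <preshared-key>
    next
end

# 2. Phase 2 bound to that phase 1. Selectors are left at their defaults
#    (0.0.0.0/0 both ways); if you restrict them, the local selector must
#    still cover the tunnel IP assigned in step 3, or the backup traffic
#    will not match the SA.
config vpn ipsec phase2-interface
    edit "to-ncm-p2"
        set phase1name "to-ncm"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# 3. Give the tunnel interface an address. This is the IP the FortiGate will
#    use as source for anything whose egress interface is "to-ncm".
config system interface
    edit "to-ncm"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end

# 4. Route the NCM/TFTP subnet via the tunnel so the route lookup selects
#    "to-ncm" (and therefore 10.255.0.1) rather than the default route on wan1.
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "to-ncm"
    next
end

# 5. Optional, for the SCP alternative: let the NCM pull the configuration over
#    the SSH session it already opens, so the FortiGate never has to originate
#    a connection at all.
config system global
    set admin-scp enable
end

# The command from the original post, now sourced from 10.255.0.1 because the
# route to 192.168.100.0/24 points at the tunnel interface. The password
# argument encrypts the backup file; keep it, TFTP itself offers no protection.
execute backup config tftp backup.conf 192.168.100.20 <password>
```

Two things to check on the far side, as both replies above note: the peer needs a route to 10.255.0.1/32 via its end of the tunnel (otherwise the TFTP reply cannot get back), and any policy in front of the TFTP server must permit UDP/69 from 10.255.0.1. With step 5 in place the NCM can instead fetch the configuration with `scp admin@<fortigate>:sys_config backup.conf` over the same SSH session; that path also survives lossy WANs far better than TFTP, since SSH is TCP with retransmission rather than a stop-and-wait UDP transfer.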
