TFTP - 69 rule is not working

Umesh · ‎07-10-2023

Dear All,

I need your small help today I have created rule to backup of the stack switch which is installed behind the FortiGate Firewall.

Everything is correct as per my knowledge, tftp port is also enabled, still not able to establish connection between TFTP server & client.

Can anyone has any suggestions on it for me.

Thank you.

Umesh · ‎07-12-2023

Hi All,

Issue has been resolved as we have to define reverse traffic for both direction.

As the moment I have configured reverse policy (vice versa) after that I am able to take take configuration backup of the destination devices.

Thank you all.

View solution in original post

srajeswaran · ‎07-10-2023

Do you see the traffic on the firewall? Can you check the traffic log on Fortigate for the specific server/client IPs.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Umesh · ‎07-11-2023

Hi Suraj,

I have seen on firewall which I had created rule there is no any hit, what can be issue.

srajeswaran · ‎07-11-2023

From the client machine are you able to ping the TFTP server? Can you do a traceroute and check if the traffic is on the right path?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Toshi_Esumi · ‎07-10-2023

First, you need to explain where the TFTP server and the clients are located in relation to the FGT interfaces. Then check routing and policies between them. For troubleshooting, start with just sniffing traffic between those interfaces to see if the request packets are coming/going through the interfaces.

Toshi

Umesh · ‎07-11-2023

Hi Toshi,

I would like to tell the scenario how I am trying to take backup through TFTP, here is the below diagram.

policy name - tftp
incoming interface - port2
outgoing interface - port 3
source - 1.1.1.0/24
destination - 5.5.5.0/24
schedule - always
service -tftp 69
action - accept
nat - disabled
okay.

After enabling rule on the firewall, there is no logs. Can you please help us to resolve the issue.

Umesh · ‎07-11-2023

Hi Toshi,

I am able to ping client (5.5.5.2) from server (1.1.1.2), also getting traceroute.

srajeswaran · ‎07-11-2023

You need policy from port3 to port2.

incoming interface - port3
outgoing interface - port 2

source - 5.5.5.0/24
destination - 1.1.1.0/24
schedule - always
service -tftp 69
action - accept
nat - Interface (just to make sure there is no return route issue)

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Umesh · ‎07-12-2023

Hi All,

Issue has been resolved as we have to define reverse traffic for both direction.

As the moment I have configured reverse policy (vice versa) after that I am able to take take configuration backup of the destination devices.

Thank you all.

Umesh · ‎07-11-2023

Hi,

Why should I choose incoming interface port3 whereas incoming interface would be port as traffic is initiating from PC which server and switch 5.5.5.2 is client.

let me tell you what exactly I need.

I have to take backup of switch which is installed behind the firewall.

tftp server 1.1.1.2

client - 5.5.5.2

from 1.1.1.2 switch 5.5.5.2 is reachable.

can you guide me what can be issue.