This article describes how to route the FortiGate's locally generated configuration-backup traffic through a specific interface.
Scope
FortiGate.
Solution
There are situations where the outgoing interface for configuration-backup traffic needs to be specified. Consider the following topology:
FGT ----- IPsec Tunnel ----- TFTP Server (172.20.0.1)
Assume a scenario in which an external device connects to the FortiGate over SSH, takes a backup, and saves it to a TFTP server. This is equivalent to running execute backup config tftp config.txt 172.20.0.1 on the FortiGate CLI. Because the server is reachable across the IPsec tunnel, the traffic is expected to leave through the tunnel, but the sniffer shows it leaving through internal5:
2024-07-17 12:59:47.244681 internal5 out 1.1.1.1.20631 -> 172.20.0.1.69: udp 27
2024-07-17 12:59:52.264230 internal5 out 1.1.1.1.20631.20631 -> 172.20.0.1.69: udp 27
2024-07-17 12:59:57.274255 internal5 1.1.1.1.20631.20631 -> 172.20.0.1.69: udp 27
Checking the route to the TFTP server with get router info routing-table details 172.20.0.1 shows the route as active through both the IPsec tunnel and internal5, because both interfaces are SD-WAN members. Since this is locally generated traffic, the FortiGate may use either interface when sending it, and the backup command offers no option to specify the egress interface.
Steps to Fix This
Before Version 7.4.1
- There is no way to specify the interface for execute backup config tftp config.txt 172.20.0.1.
- The workaround is to define a static route for the destination 172.20.0.1/32 that points traffic to the tunnel interface; the /32 is more specific than the SD-WAN route and therefore takes precedence.
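The pre-7.4.1 workaround written out in FortiOS CLI syntax, as an added example that is not part of the original article; the tunnel interface name BACKUP_VPN is a placeholder for the phase1-interface name on the FortiGate in question, and the sniffer and routing-table commands afterwards confirm the new egress path.

```fortios
# Host route for the TFTP server, pinned to the IPsec tunnel interface.
# "BACKUP_VPN" is a placeholder; replace it with the tunnel's phase1-interface name.
# A /32 is more specific than the SD-WAN route, so it wins for this destination only.
config router static
    edit 0
        set dst 172.20.0.1 255.255.255.255
        set device "BACKUP_VPN"
        set comment "Pin TFTP config-backup traffic to the IPsec tunnel"
    next
end

# Confirm that the /32 via the tunnel is now the active route for the server.
get router info routing-table details 172.20.0.1

# In a second CLI session, capture TFTP traffic to the server (verbose level 4
# prints the interface name), then run the backup and check that the packets
# leave on BACKUP_VPN instead of internal5.
diagnose sniffer packet any 'host 172.20.0.1 and udp port 69' 4
execute backup config tftp config.txt 172.20.0.1
```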
In Version 7.4.1
- A new feature was introduced that ensures backup traffic always follows SD-WAN rules.
- Note that there is still no command to specify the interface; instead, the backup traffic follows the SD-WAN rules by default.