Administration Guide

BGP, SD-WAN, and routing configuration

Once the IPsec tunnel has been established, you must configure routing on the branch FortiGate to ensure the following:

  1. Reachability of the local subnets from FortiSASE, so that secure internet access (SIA) reply traffic can be routed back to the branch

  2. Outgoing routing to FortiSASE for SIA

  3. Outgoing routing to the WAN connection for direct internet access (DIA), if applicable

You can use iBGP or static routing with source NAT to achieve the first objective. You can use static routing alone or static routing with SD-WAN for traffic steering to achieve the second and third objectives.

The example demonstrates the following configuration:

  • iBGP for the first objective
  • Static routing with SD-WAN for traffic steering for the second and third objectives

BGP configuration considerations

The branch FortiGate connects to the FortiSASE SD-WAN On-Ramp location and establishes an iBGP peering with it. Using iBGP, the FortiSASE SD-WAN On-Ramp location can learn routes to your network.

The branch FortiGate requires the following BGP settings:

  • AS number

  • Router ID

  • Using iBGP for dynamic routing via overlays

  • BGP neighbor IP address for SD-WAN On-Ramp location

  • One BGP session per overlay between the branch and the SD-WAN On-Ramp location

This section describes the BGP settings that you must configure yourself, since the IPsec wizard does not create them.

SD-WAN On-Ramp supports a routing design that uses iBGP to learn routes to the local networks behind the branch FortiGate. With this design, the On-Ramp location sees the real source IP address of the client behind the IPsec device rather than a NATed address.

If you use static routing on the branch FortiGate instead, you must enable source NAT on the branch FortiGate firewall policy destined for the On-Ramp location, so that reply traffic from the On-Ramp location is routed back to the branch FortiGate. With this design, the On-Ramp location sees only the tunnel interface IP address of the FortiGate IPsec device and not the source IP address of the client behind it.

Static routing and SD-WAN configuration considerations

The administrative distance of the static route using the IPsec tunnel interface varies depending on how IPsec was configured on the branch FortiGate:

  • When using the IPsec wizard on the branch FortiGate, a static route to the peer local subnet, 0.0.0.0/0 in the example configuration, using the IPsec tunnel interface is created with a default administrative distance of 10.

  • If you configure IPsec on the branch FortiGate as a custom tunnel, then, because add-route is enabled by default (set add-route enable), FortiGate dynamic IPsec route control adds a static route to the peer destination selector with a default administrative distance of 15. If the peer destination selector is 0.0.0.0/0, the resulting default route therefore has an administrative distance of 15.

For routing configuration on the branch FortiGate, you have the following options for routing traffic through the IPsec tunnel acting as a full tunnel to the SD-WAN On-Ramp location:

  1. Configure the existing default route using the WAN interface to have the same administrative distance as the default route using the IPsec tunnel interface. Then configure SD-WAN for traffic steering.

  2. Configure the existing default route using the WAN interface to have a greater distance (making it the less preferred route) than the static route using the IPsec tunnel interface, and rely on the tunnel route alone.

When you configure the static default route for full tunneling, the FortiGate routing table still includes connected routes for locally connected subnets, so a local DNS server that is directly connected to one of these subnets remains reachable without further configuration.

However, if your branch uses a local DNS server on a subnet that is not directly connected to a local interface, you must add a static route for that DNS server so that DNS traffic does not follow the default route into the tunnel to FortiSASE.

This topic gives an example of static routing with SD-WAN for traffic steering.

BGP configuration

To configure BGP using the GUI:
  1. On the FortiGate, go to Network > BGP. If you cannot view Network > BGP, go to System > Feature Visibility and enable Advanced Routing in the Core Features column.
  2. Confirm that the Local AS field is set to 65001.
  3. In the Router ID field, enter 10.251.1.1, which corresponds to the tunnel interface IP that the SD-WAN On-Ramp location assigned via mode configuration.
  4. Under Neighbors, click + Create New.
    1. For IP, enter the tunnel interface IP shown on the Edge Devices > SD-WAN On-Ramp > On-Ramp locations page of the FortiSASE portal.
    2. For Remote AS, enter 65001.
    3. In the options, enable Soft reconfiguration and Capability: route refresh.
    4. Click OK.
  5. Under Networks, add the LAN subnets in the IP/Netmask field. Click + to add more subnets, if necessary.
  6. Click Apply.
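
The CLI equivalent of the GUI procedure above, as an added example that is not part of the original guide. It uses FortiOS 7.x syntax, assumes one overlay, and uses 192.168.1.0/24 as an assumed LAN subnet; the On-Ramp tunnel IP in angle brackets must be taken from the FortiSASE portal as described in step 4:

```fortios
# Added CLI example, not from the original guide. The On-Ramp neighbor IP is
# a placeholder and 192.168.1.0/24 is an assumed LAN subnet.
config router bgp
    set as 65001
    # Router ID = tunnel interface IP assigned by the On-Ramp via mode config
    set router-id 10.251.1.1
    config neighbor
        # One neighbor per overlay; iBGP, so remote-as equals the local AS
        edit "<On-Ramp tunnel interface IP>"
            set remote-as 65001
            set soft-reconfiguration enable
            set capability-route-refresh enable
        next
    end
    # LAN subnets advertised to the On-Ramp so SIA reply traffic has a
    # route back to the branch without source NAT
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end

# Verification (read-only, run once the tunnel is up):
# the neighbor should be Established with a non-zero prefix count, and the
# LAN prefix should appear in the advertised routes.
get router info bgp summary
get router info bgp neighbors <On-Ramp tunnel interface IP> advertised-routes
```

If the advertised-routes output is empty while the session is Established, the LAN prefix in config network does not match a route in the FortiGate routing table (for example a typo in the mask), and FortiSASE will have no return path for SIA traffic.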

Static routing with SD-WAN configuration

The following network topology and configuration provide a basic SD-WAN example applied to branch FortiGate use cases for direct internet access and SIA with FortiSASE. For details and other use cases, see SD-WAN quick start, SD-WAN members and zones, Performance SLA, and SD-WAN rules.

The following network topology is used for the static routing and SD-WAN configuration:

For this topology, we have a single underlay interface, wan1, and a single overlay interface, VPN1, with the corresponding virtual-wan-link and VPN SD-WAN zones, respectively. The virtual-wan-link SD-WAN zone is used for direct Internet access for critical, latency-sensitive traffic that bypasses FortiSASE, and the VPN SD-WAN zone is used for secure Internet access through FortiSASE. In this example, traffic to example.com is considered critical and latency sensitive.

To configure static routing in preparation for SD-WAN:
  1. On the FortiGate, go to Network > Static Routes.

  2. Click to select the route with the Destination of 0.0.0.0/0 and Interface set to the WAN interface.

  3. Click Edit in CLI.

    1. If the IPsec wizard was previously used, enter these CLI commands to set the distance equal to that of the static route created by the wizard. You can skip this step if the WAN default route was created manually, since static routes default to a distance of 10:

      set distance 10
      show
      end
      
    2. If the IPsec Custom tunnel option was used, enter these CLI commands to set the distance equal to that of the route added by dynamic IPsec route control:

      set distance 15
      show
      end
      
  4. Go to Dashboard > Network and in the Routing widget click Expand to full screen. By default, the Static & Dynamic view should be selected from the dropdown at the top-right.

  5. Confirm that both the route for the WAN interface and the route for the IPsec tunnel interface are visible as two separate entries in the routing table:

    Route for WAN interface:

      Field        Value
      Network      0.0.0.0/0
      Gateway IP   <Default gateway corresponding to WAN interface>
      Interfaces   <Name of WAN interface>
      Distance     10 if the IPsec wizard was previously used; 15 if the IPsec Custom tunnel option was previously used
      Type         Static

    Route for IPsec tunnel interface:

      Field        Value
      Network      0.0.0.0/0
      Gateway IP   <Blank>
      Interfaces   <Name of IPsec tunnel interface>
      Distance     10 if the IPsec wizard was previously used; 15 if the IPsec Custom tunnel option was previously used
      Type         Static
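
The complete static-route entries that the procedure above edits, as an added CLI example that is not part of the original guide. It assumes the IPsec wizard created the tunnel route (distance 10), uses the interface names wan1, VPN1 and lan from this example, and treats route IDs 1 to 3 and the angle-bracket values as placeholders you must replace from your own deployment:

```fortios
# Added CLI example, not from the original guide. Assumes the IPsec wizard
# created the tunnel default route; angle-bracket values come from your own
# deployment, and route IDs 1 to 3 are assumptions.
config router static
    # Existing WAN default route. Matching the tunnel route's distance keeps
    # both routes active so that SD-WAN rules, not administrative distance,
    # decide which interface traffic leaves on.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway <WAN default gateway>
        set device "wan1"
        set distance 10
    next
    # Default route the IPsec wizard created toward the On-Ramp (distance 10).
    # A custom tunnel with add-route enabled injects its route dynamically at
    # distance 15 instead; it will not appear here, so in that case only the
    # WAN route above is edited, to distance 15.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "VPN1"
        set distance 10
    next
    # Optional: only if the local DNS server is on a subnet that is not
    # directly connected. A host route keeps DNS off the full tunnel.
    # The next hop and interface name are assumptions.
    edit 3
        set dst <DNS server IP> 255.255.255.255
        set gateway <LAN-side next hop toward the DNS server>
        set device "lan"
    next
end

# Check: two 0.0.0.0/0 entries must be present with the same distance,
# one via <WAN default gateway> on wan1 and one on VPN1 with no gateway.
get router info routing-table static
get router info routing-table all
```

If only one default route shows up in the routing table, the distances still differ and the lower one has won; SD-WAN steering in the next procedure will then only ever see a single usable default path.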

To configure SD-WAN for traffic steering:
  1. On the FortiGate, go to Policy & Objects > Firewall Policy.

  2. Hold CTRL and click to select any firewall policies that use the WAN or IPsec tunnel interface as a source or destination interface, then click Delete. An interface cannot be added as an SD-WAN member while a firewall policy references it; the policies are recreated against the SD-WAN zones in steps 7 and 8.

  3. Create a new VPN zone and assign member interfaces to SD-WAN zones.

    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

    2. Select virtual-wan-link and click Edit.

      1. Set the Interface members to wan1.

      2. Click OK.

    3. Click Create New > SD-WAN Zone.

      1. Enter the Name as VPN.

      2. Set the Interface members to VPN1.

      3. Click OK.

  4. Create a new performance SLA to detect latency.

    1. Go to Network > SD-WAN and select the Performance SLAs tab.

    2. Click Create New.

    3. In the New Performance SLA page, enter these values (leave unspecified values at their defaults):

      Field                   Value
      Name                    Internet
      Probe mode              Active
      Protocol                Ping
      Server                  8.8.8.8
      Participants            Click Specify, select VPN1, then wan1, and click Close.
      SLA Target              Enabled
      Latency threshold       Enabled; set to 170 ms.
      Jitter threshold        Disabled
      Packet loss threshold   Disabled

    4. Click OK.

  5. Create an SD-WAN rule for critical direct Internet access traffic only. In this example, any traffic to example.com will bypass FortiSASE and will use the branch FortiGate WAN interface directly.

    1. Go to Network > SD-WAN and select the SD-WAN Rules tab.

    2. Click Create new.

    3. In the Priority Rule page, enter the following values. Leave unspecified values at their defaults.

      Field                         Value
      Name                          Critical-DIA
      Status                        Enabled
      Source > Address              all
      Destination > Address         The example.com FQDN address, created as described below
      Protocol number               ANY
      Interface selection strategy  Lowest cost (SLA)
      Interface preference          Select wan1 and then VPN1, then click Close.
      Required SLA target           Internet#1

      To create the destination address from the Destination > Address field:

      1. Click +.
      2. Click + Create.
      3. Click + Firewall Address.
      4. In the New Address pane, set the Name to example.com.
      5. Set the Type to FQDN.
      6. Set the FQDN to example.com.
      7. Set the Interface to any.
      8. Leave Static route configuration Disabled.
      9. Click OK.
      10. The newly created FQDN address should be selected. Click Close.

    4. Click OK.

  6. Create an SD-WAN rule for lower-priority secure Internet access traffic (all remaining traffic).

    1. Go to Network > SD-WAN and select the SD-WAN Rules tab.

    2. Click Create new.

    3. In the Priority Rule page, enter the following values. Leave unspecified values at their defaults.

      Field                         Value
      Name                          Low-Priority-SIA
      Status                        Enabled
      Source > Address              all
      Destination > Address         all
      Protocol number               ANY
      Interface selection strategy  Lowest cost (SLA)
      Interface preference          Select VPN1 and then wan1, then click Close.
      Required SLA target           Internet#1

    4. Click OK.

  7. Create a firewall policy to allow direct Internet access traffic:

    1. Go to Policy & Objects > Firewall Policy.

    2. Click Create new.

    3. In the New Policy page, enter the following values. Leave unspecified values at their defaults.

      Field                   Value
      Name                    Direct Internet Access
      Incoming Interface      lan
      Outgoing Interface      virtual-wan-link
      Source                  all
      Destination             all
      Service                 ALL
      NAT                     Enabled
      IP Pool Configuration   Use Outgoing Interface Address
      Log Allowed Traffic     Enabled; select All Sessions.

    4. Click OK.

  8. Create a firewall policy to allow secure Internet access traffic:

    1. Go to Policy & Objects > Firewall Policy.

    2. Click Create new.

    3. In the New Policy page, enter the following values. Leave unspecified values at their defaults.

      Field                   Value
      Name                    Secure Internet Access
      Incoming Interface      lan
      Outgoing Interface      VPN
      Source                  all
      Destination             all
      Service                 ALL
      NAT                     Disabled
      Log Allowed Traffic     Enabled; select All Sessions.

    4. Click OK.
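
The CLI equivalent of steps 2 to 8 of the SD-WAN procedure above, as an added example that is not part of the original guide. It uses FortiOS 7.x syntax; the SD-WAN member sequence numbers (1 for wan1, 2 for VPN1) and the firewall policy IDs are assumptions, and the WAN gateway in angle brackets must be taken from your own deployment. It assumes the policies that referenced wan1 and VPN1 directly have already been deleted:

```fortios
# Added CLI example, not from the original guide: the equivalent of steps 2 to 8
# above. Member and policy IDs are assumptions; the WAN gateway is yours.
config firewall address
    edit "example.com"
        set type fqdn
        set fqdn "example.com"
    next
end

config system sdwan
    set status enable
    config zone
        # virtual-wan-link exists by default; only the VPN zone is new
        edit "VPN"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway <WAN default gateway>
        next
        edit 2
            set interface "VPN1"
            set zone "VPN"
        next
    end
    # SLA "Internet": ping 8.8.8.8 via both members; target 1 = latency 170 ms only
    config health-check
        edit "Internet"
            set server "8.8.8.8"
            set members 2 1
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 170
                next
            end
        next
    end
    config service
        # example.com bypasses FortiSASE: wan1 while it meets the SLA, else VPN1
        edit 1
            set name "Critical-DIA"
            set mode sla
            set dst "example.com"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        # Everything else to FortiSASE: VPN1 while it meets the SLA, else wan1
        edit 2
            set name "Low-Priority-SIA"
            set mode sla
            set dst "all"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
end

# Policies reference the zones, not wan1/VPN1. NAT stays off on the SIA policy
# because iBGP advertises the LAN subnets; enable it for a static-routing design.
config firewall policy
    edit 1
        set name "Direct Internet Access"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "Secure Internet Access"
        set srcintf "lan"
        set dstintf "VPN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verify: per-member latency against the 170 ms target, and the member each rule selects
diagnose sys sdwan health-check
diagnose sys sdwan service
```

One consequence of this configuration to be aware of: because Low-Priority-SIA lists wan1 as its second preference and the Direct Internet Access policy allows any lan to virtual-wan-link traffic, general traffic falls back to direct Internet access, uninspected by FortiSASE, whenever VPN1 misses the 170 ms latency target. If that is not acceptable for your branch, set the rule's interface preference to VPN1 only so that traffic stays in the tunnel even when the overlay is out of SLA.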
