Basic BGP example

In this example, BGP is configured on two FortiGate devices. The FortiGates are geographically separated, and form iBGP peering over a VPN connection. FGT_A also forms eBGP peering with ISP2.

FGT_A learns routes from ISP2 and redistributes them to FGT_B while preventing any iBGP routes from being advertised.

The internal networks behind the FortiGates can communicate with each other, and the internal networks behind FGT_B can traverse FGT_A to reach networks that are advertised by ISP2.

  • FGT_A and FGT_B have static routes to each other through ISP1. ISP1 does not participate in BGP.

  • The IPsec VPN tunnel between FGT_A and FGT_B is configured with wildcard 0.0.0.0/0 networks for phase2 local and remote selectors. The VPN interfaces have IP addresses already configured and are used for peering between FGT_A and FGT_B.

  • FGT_A is configured to peer with ISP2 on 10.10.108.86.

  • The firewall policies between FGT_A and FGT_B are not NATed. The firewall policies egressing on wan2 are NATed.

Configuring iBGP peering

To configure FGT_A to establish iBGP peering with FGT_B in the GUI:
  1. Go to Network > BGP.

  2. Set Local AS to 64511.

  3. Set Router ID to 1.1.1.1.

  4. In the Neighbors table, click Create New and set the following:

    IP

    10.100.201.88

    Remote AS

    64511

  5. Click OK.

  6. Under Networks, set IP/Netmask to 192.168.86.0/24.

  7. Click Apply.

  8. In the CLI, set update-source for the neighbor to toFGTB. This is the interface whose IP address is used as the source of the BGP TCP session (TCP/179) to the neighbor.

To configure FGT_A to establish iBGP peering with FGT_B in the CLI:
config router bgp
    set as 64511
    set router-id 1.1.1.1
    config neighbor
        edit "10.100.201.88"
            set remote-as 64511
            set update-source "toFGTB"
        next
    end
    config network
        edit 1
            set prefix 192.168.86.0 255.255.255.0
        next
    end
end
To configure FGT_B to establish iBGP peering with FGT_A in the GUI:
  1. Go to Network > BGP.

  2. Set Local AS to 64511.

  3. Set Router ID to 2.2.2.2.

  4. In the Neighbors table, click Create New and set the following:

    IP

    10.100.201.86

    Remote AS

    64511

  5. Click OK.

  6. Under Networks, set IP/Netmask to 192.168.88.0/24.

  7. Click Apply.

  8. In the CLI, set update-source for the neighbor to toFGTA. This is the interface whose IP address is used as the source of the BGP TCP session (TCP/179) to the neighbor.

To configure FGT_B to establish iBGP peering with FGT_A in the CLI:
config router bgp
    set as 64511
    set router-id 2.2.2.2
    config neighbor
        edit "10.100.201.86"
            set remote-as 64511
            set update-source "toFGTA"
        next
    end
    config network
        edit 1
            set prefix 192.168.88.0 255.255.255.0
        next
    end
end
To check the FGT_A and FGT_B peering:
  1. Check the BGP neighbors:

    # get router info bgp neighbors
  2. Check the networks learned from neighbors:

    # get router info bgp network
  3. Check that the routes are added to the routing table:

    # get router info routing-table all

To see the neighborship status, network, and routing table command outputs for the completed example, see Troubleshooting and debugging.

Configuring eBGP peering

Routes learned over the eBGP peering with ISP2 have an administrative distance of 20 and are automatically propagated to iBGP peers. Because iBGP peers do not change the next hop when they advertise a route, FGT_B would otherwise receive these routes with a next hop in ISP2's network. To make FGT_B receive them with FGT_A as the next hop, Next hop self (next-hop-self) is enabled for routes advertised to FGT_B.

If the eBGP neighbor is more than one hop away, also enable ebgp-enforce-multihop in the neighbor configuration. It is not required for a directly connected peer, where the default TTL of 1 is sufficient.

In this example, the iBGP routes would be advertised to the eBGP neighbor automatically, so a route map is created to deny routes with origin IGP from being advertised to ISP2. Note that a route map ends in an implicit deny, so exclude1, whose only rule is a deny, blocks every outbound advertisement to that neighbor. This matches the intent of the example: prefixes from ISP2 are advertised to FGT_A and FGT_B, but no prefixes are advertised from FGT_A to ISP2.

To configure FGT_A to establish eBGP peering with ISP2 in the GUI:
  1. Configure a route map to prevent advertisement of iBGP routes to ISP2:

    1. Go to Network > Routing Objects and click Create New > Route Map.

    2. Set Name to exclude1.

    3. In the Rules table, click Create New.

    4. Set Action to Deny.

    5. Under Other Rule Variables, enable Match origin and set it to IGP.

    6. Click OK.

    7. Click OK.

  2. Update the BGP configuration:

    1. Go to Network > BGP.

    2. In the Neighbors table, click Create New and set the following:

      IP

      10.10.102.87

      Remote AS

      64512

      Route map out

      exclude1

    3. Click OK.

    4. In the Neighbors table, edit the previously created entry, 10.100.201.88.

    5. Under IPv4 Filtering, select Next hop self.

    6. Click OK.

    7. Click Apply.

To configure FGT_A to establish eBGP peering with ISP