FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

BGP configuration

FortiSASE security points of presence (PoP) connect to the hub FortiGate and establish iBGP peering. FortiSASE security PoPs learn routes to your network but do not advertise any route except their router-id IP address.

The hub FortiGate requires the following BGP settings:

  • AS number
  • Router ID
  • Using iBGP for dynamic routing via overlays
  • BGP neighbor IP address for each overlay
  • BGP neighbor group configured on the hub to dynamically peer with FortiSASE security PoPs
  • For BGP per overlay, BGP peering uses the IP addresses that IKE mode configuration allocates to the VPN tunnel interfaces. In this configuration example, the IP address range is 192.168.10.1-192.168.10.252. Therefore, the neighbor range in the BGP settings must match the tunnel IP address range assigned by IKE mode configuration.
  • One BGP session per overlay between the hub and each FortiSASE security PoP

The IPsec wizard automatically configures the aforementioned settings, except for the router ID. This topic provides the configuration for reference purposes. Note the following:

  • For iBGP dynamic routing via overlays, the local networks to be advertised are specified in the Networks section.
  • The following are configured in the Neighbor Ranges section:
    • The BGP neighbor IP address range for each overlay
    • The BGP neighbor group that the hub uses to dynamically peer with FortiSASE security PoPs

This section describes additional BGP settings that you must configure since the configuration that the IPsec wizard creates does not include them.

To configure BGP using the GUI:

Note: The following settings are only examples. Do not consider them as recommended settings.

Note: If you cannot view the Network > BGP tree menu, go to System > Feature Visibility and enable Advanced Routing in the Core Features column.

  1. Go to Network > BGP.
  2. Confirm that the Local AS field is set to 65001.
  3. In the Router ID field, enter 10.1.0.254, which is the loopback interface IP address.

  4. Under Neighbors, click the neighbor entry, then click Delete. Click OK in the dialog.

  5. In the Neighbor Groups section, select the neighbor group that the IPsec wizard created. For example, click VPN1, then click Edit:
    1. From the Interface dropdown list, select the VPN tunnel interface of the hub used to listen for spoke VPN connections. This example selects VPN1.
    2. Click OK.

  6. Under Advanced Options, configure the following:
    1. In the Keepalive field, enter 60.
    2. Enable Holdtime and enter 180.
    3. Enable Background scan and enter 60.

  7. Click Apply.
  8. Configure the following CLI options. Replace VPN1 with the name of the neighbor group that you configured. These options are not available in the GUI, so you must run these CLI commands to configure them:
     config router bgp
         config neighbor-group
             edit "VPN1"
                 set link-down-failover enable
                 set additional-path both
                 set adv-additional-path 4
             next
         end
     end
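As an added example that is not part of the Fortinet guide, the following Python script parses a FortiOS "config router bgp" block and audits it against the requirements listed in this topic: a local AS, a router ID (which the IPsec wizard does not set), an iBGP neighbor group carrying the three CLI-only options, a neighbor range that covers the IKE mode configuration pool 192.168.10.1-192.168.10.252, sane timers, and at least one network to advertise. The embedded configuration is constructed from the values this topic uses (AS 65001, router ID 10.1.0.254, neighbor group VPN1, keepalive 60, hold time 180, scan time 60); the neighbor-range prefix 192.168.10.0/24, the advertised prefix 10.1.0.0/24, and the CLI keywords not shown on this page (remote-as, keepalive-timer, holdtime-timer, scan-time, neighbor-range, network) are assumptions, as are the FortiOS timer defaults the audit falls back to.

```python
"""Audit a FortiOS hub BGP configuration against the settings this guide requires."""
import ipaddress
import re

# Constructed sample (not from the guide): the guide's values plus assumed
# neighbor-range and advertised prefixes and assumed CLI keyword names.
SAMPLE_CONFIG = """\
config router bgp
    set as 65001
    set router-id 10.1.0.254
    set keepalive-timer 60
    set holdtime-timer 180
    set scan-time 60
    config neighbor-group
        edit "VPN1"
            set remote-as 65001
            set link-down-failover enable
            set additional-path both
            set adv-additional-path 4
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.255.0
        next
    end
end
"""

# Tunnel IP pool that IKE mode configuration hands out in this example.
IKE_POOL_START = ipaddress.ip_address("192.168.10.1")
IKE_POOL_END = ipaddress.ip_address("192.168.10.252")

# CLI-only neighbor-group options from step 8 and the values the guide sets.
REQUIRED_GROUP_OPTIONS = (
    ("link-down-failover", "enable"),
    ("additional-path", "both"),
    ("adv-additional-path", "4"),
)


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end syntax into nested dicts.

    'config X' and 'edit X' open a nested table keyed by X; 'set K V...' stores
    the value tokens under K; 'next' and 'end' close the current table.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(child)
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def _first(table, key, default=None):
    """Return the first value token of 'set key ...', or default if unset."""
    values = table.get(key)
    return values[0] if values else default


def audit_hub_bgp(text, pool_start=IKE_POOL_START, pool_end=IKE_POOL_END):
    """Return a list of findings; an empty list means the hub config passes."""
    bgp = parse_fortios(text).get("router bgp", {})
    findings = []

    local_as = _first(bgp, "as")
    if local_as is None:
        findings.append("no local AS number configured")
    if _first(bgp, "router-id") is None:
        findings.append("router ID not set (the IPsec wizard does not set it)")

    groups = bgp.get("neighbor-group", {})
    if not groups:
        findings.append("no neighbor group for dynamic peering with FortiSASE PoPs")
    for name, group in groups.items():
        # PoPs peer over iBGP, so the group's remote AS must equal the local AS.
        if _first(group, "remote-as") != local_as:
            findings.append(f"neighbor group {name}: remote-as differs from local AS (must be iBGP)")
        for option, wanted in REQUIRED_GROUP_OPTIONS:
            if _first(group, option) != wanted:
                findings.append(f"neighbor group {name}: {option} should be {wanted}")

    # A neighbor range bound to a known group must cover the whole IKE pool.
    covered = False
    for entry in bgp.get("neighbor-range", {}).values():
        prefix = entry.get("prefix", [])
        if len(prefix) != 2:
            continue
        net = ipaddress.ip_network(f"{prefix[0]}/{prefix[1]}", strict=False)
        if pool_start in net and pool_end in net and _first(entry, "neighbor-group") in groups:
            covered = True
    if not covered:
        findings.append(f"no neighbor range covers the IKE mode-config pool {pool_start}-{pool_end}")

    # Fall back to assumed FortiOS defaults (60/180) when the timers are unset.
    keepalive = int(_first(bgp, "keepalive-timer", "60"))
    holdtime = int(_first(bgp, "holdtime-timer", "180"))
    if holdtime <= keepalive:
        findings.append("hold time must exceed the keepalive interval")

    if not bgp.get("network"):
        findings.append("no local networks to advertise (Networks section is empty)")
    return findings


if __name__ == "__main__":
    for finding in audit_hub_bgp(SAMPLE_CONFIG) or ["hub BGP configuration passes"]:
        print(finding)
```

Run the script against a "show router bgp" capture saved to a file to get the same checks on a real hub; the parser ignores blank lines and quoted names, so pasted CLI output parses as-is.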
    
