SPA with a FortiGate SD-WAN Deployment Guide

BGP configuration

FortiSASE security points of presence (PoP) connect to the hub FortiGate and establish iBGP peering. FortiSASE security PoPs learn routes to your network but do not advertise any route except their router-id IP address.

The hub FortiGate requires the following BGP settings:

  • AS number
  • Router ID
  • Using iBGP for dynamic routing via overlays
  • BGP neighbor IP address for each overlay
  • BGP neighbor group configured on the hub to dynamically peer with FortiSASE security PoPs
  • For BGP per overlay, peering uses the IP addresses that IKE mode configuration allocates to the VPN tunnel interfaces. In this configuration example, the IP address range is 192.168.10.1-192.168.10.252. Therefore, the BGP neighbor range must match the IKE mode configuration tunnel IP address assignment.
  • One BGP session per overlay between the hub and each FortiSASE security PoP

Note

The following settings are only examples. Do not consider them as recommended settings.

The following shows sample BGP CLI configuration:

config router bgp
    set as 64622
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    set additional-path-select 4
    config neighbor-group
        edit "VPN1"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 64622
            set additional-path send
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
end
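As an added consistency check (not part of this guide or of FortiOS), the following Python script walks a hub BGP block in FortiOS CLI form and verifies the two requirements this section states: the neighbor-range prefix covers the whole IKE mode configuration tunnel pool, and the neighbor-group it references peers iBGP (remote-as equal to the local AS). The sample block and the pool boundaries are constructed from the values on this page.

```python
import ipaddress
# Constructed sample (values from this page): hub BGP block and IKE mode config tunnel pool.
HUB_BGP = """\
config router bgp
    set as 64622
    config neighbor-group
        edit "VPN1"
            set remote-as 64622
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
end
"""
POOL_START, POOL_END = "192.168.10.1", "192.168.10.252"

def parse_bgp(text):
    cfg, stack, group = {"as": None, "groups": {}, "ranges": []}, [], None
    for s in map(str.strip, text.splitlines()):
        sec = stack[-1] if stack else None  # innermost open "config" section
        if s.startswith("config "):
            stack.append(s.split(None, 1)[1])
        elif s == "end":
            stack.pop()
        elif sec == "router bgp" and s.startswith("set as "):
            cfg["as"] = int(s.split()[2])
        elif sec == "neighbor-group" and s.startswith("edit "):
            group = s.split(None, 1)[1].strip('"')
        elif sec == "neighbor-group" and s.startswith("set remote-as "):
            cfg["groups"][group] = int(s.split()[2])
        elif sec == "neighbor-range" and s.startswith("set prefix "):
            cfg["ranges"].append({"prefix": ipaddress.ip_network("/".join(s.split()[2:]))})
        elif sec == "neighbor-range" and s.startswith("set neighbor-group "):
            cfg["ranges"][-1]["group"] = s.split(None, 2)[2].strip('"')
    return cfg
def check_hub_bgp(text, pool_start, pool_end):
    """Return findings; an empty list means both rules from this section hold."""
    cfg, findings = parse_bgp(text), []
    pool = (ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))
    for rng in cfg["ranges"]:
        if not all(a in rng["prefix"] for a in pool):  # range must cover the whole pool
            findings.append(f"neighbor-range {rng['prefix']} does not cover {pool_start}-{pool_end}")
        if cfg["groups"].get(rng.get("group")) != cfg["as"]:  # iBGP: remote-as == local AS
            findings.append(f"neighbor-group {rng.get('group')!r} is not iBGP with AS {cfg['as']}")
    return findings
```

Run `check_hub_bgp(HUB_BGP, POOL_START, POOL_END)` against the real hub configuration exported from the CLI; any finding means a PoP in the unmatched part of the pool would never form its session.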