BGP configuration
FortiSASE security points of presence (PoP) connect to the hub FortiGate and establish iBGP peering. FortiSASE security PoPs learn routes to your network but do not advertise any route except their router-id IP address.
The hub FortiGate requires the following BGP settings:
- AS number
- Router ID
- Using iBGP for dynamic routing via overlays
- BGP neighbor IP address for each overlay
- BGP neighbor group configured on the hub to dynamically peer with FortiSASE security PoPs
- For BGP per overlay, peering uses the IP addresses that IKE mode configuration assigns to the VPN tunnel interfaces. In this configuration example, the IP address range is 192.168.10.1-192.168.10.252, so the neighbor range in the BGP settings must match the IKE mode configuration tunnel IP address assignment.
- One BGP session per overlay between the hub and each FortiSASE security PoP
The following settings are only examples. Do not consider them as recommended settings.
The following shows sample BGP CLI configuration:
config router bgp
    set as 64622
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    set additional-path-select 4
    config neighbor-group
        edit "VPN1"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 64622
            set additional-path send
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
end
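The consistency rule above (the BGP neighbor range must cover the IKE mode configuration pool) is easy to get wrong when the two stanzas live in different parts of the configuration. The following added example, which is not Fortinet's code, parses a FortiOS CLI snippet and checks that each neighbor-range prefix contains the whole mode-config pool; it assumes a phase1-interface stanza with ipv4-start-ip/ipv4-end-ip (the page only states the range in prose) and that the tunnel is named the same as its BGP neighbor-group.

```python
import ipaddress

# Constructed sample: the BGP stanza mirrors the page's example; the phase1-interface
# stanza is assumed (the page only states the IKE mode-config range in prose).
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "VPN1"
        set ipv4-start-ip 192.168.10.1
        set ipv4-end-ip 192.168.10.252
    next
end
config router bgp
    set as 64622
    config neighbor-range
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
end
"""

def parse_fortios(text):
    """Turn FortiOS CLI (config/edit/set/next/end) into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(kw + " " + rest.strip().strip('"'), {})
        elif kw in ("next", "end"):
            cur = stack.pop()
        elif kw == "set":
            key, _, value = rest.strip().partition(" ")
            cur[key] = value.strip().strip('"')
    return root

def check_neighbor_ranges(cfg):
    """Per neighbor-range, (group, prefix, ok): ok if the prefix covers the mode-cfg pool."""
    tunnels = cfg["config vpn ipsec phase1-interface"]  # tunnel name == neighbor-group (assumed)
    ranges = cfg["config router bgp"]["config neighbor-range"]
    report = []
    for entry in ranges.values():
        addr, mask = entry["prefix"].split()
        net = ipaddress.ip_network(addr + "/" + mask, strict=False)
        pool = tunnels["edit " + entry["neighbor-group"]]
        lo = ipaddress.ip_address(pool["ipv4-start-ip"])
        hi = ipaddress.ip_address(pool["ipv4-end-ip"])
        report.append((entry["neighbor-group"], str(net), lo in net and hi in net))
    return report
```

A False entry means FortiSASE PoPs that draw an address from the upper part of the pool would never match the neighbor range and their BGP session would not form.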