BGP configuration
FortiSASE security points of presence (PoP) connect to the hub FortiGate and establish iBGP peering. FortiSASE security PoPs learn routes to your network but do not advertise any route except their router-id IP address.
The hub FortiGate requires the following BGP settings:
- AS number
- Router ID
- Using iBGP for dynamic routing via overlays
- BGP neighbor IP address for each overlay
- BGP neighbor group configured on the hub to dynamically peer with FortiSASE security PoPs
  For BGP per overlay, BGP peering is done via the IP addresses allocated to the VPN tunnel interfaces via IKE mode configuration. In this configuration example, the IP address range is 192.168.10.1-192.168.10.252. Therefore, in the BGP settings, the neighbor range needs to be the same as the IKE mode configuration tunnel IP address assignment.
- One BGP session per overlay between the hub and each FortiSASE security PoP
The following settings are only examples. Do not consider them as recommended settings.
To configure BGP using the GUI:
If you cannot view the Network > BGP tree menu, go to System > Feature Visibility and enable Advanced Routing in the Core Features column.
- Go to Network > BGP. Confirm that the Local AS field is set to 65001.
- In the Router ID field, enter 10.1.0.254, which is the loopback interface IP address.
- Configure neighbor options:
  - In Neighbor Groups, create a new neighbor group:
    - Click Create New. The Add BGP Neighbor Group pane displays.
    - In the Remote AS field, enter 65001.
    - Set Interface to the VPN tunnel interface on the hub used to listen to spoke VPN connections. For example, you may select VPN1.
    - Enable Activate IPv4.
    - Disable Attribute unchanged.
    - Select the following options:
      - Route reflector client
      - Next hop self
      - Capability: graceful restart
      - Capability: route refresh
    - Click OK.
    - Click Apply to perform a hard refresh of the browser.
  - In Neighbor Ranges, create a new neighbor range:
    - Click Create New. The Create Neighbor Range pane displays.
    - In the Prefix field, enter 10.251.1.0/255.255.255.0, which is the VPN peers subnet assigned using mode config.
    - From the Neighbor group dropdown list, select VPN1.
    - In the Max neighbor number field, enter 0.
    - Click OK.
- In Networks, in the IP/Netmask field, enter 192.168.111.0 255.255.255.0.
- Enable Graceful Restart and configure the following options:
  - In the Restart timer field, enter 120.
  - In the Stale path timer field, enter 360.
  - In the Update delay field, enter 120.
- Under Advanced Options, configure the following:
  - In the Keepalive field, enter 60.
  - Enable Holdtime and enter 180.
  - Enable Background scan and enter 60.
- Under Best Path Selection, enable the following options:
  - Client to client reflection
  - EBGP multi path
  - IBGP multi path
  - Additional path
  - Enforce first AS
  - Fast external failover
  - Log neighbor changes
  - Network import check
  - Ignore optional capability
- Click Apply.
- Configure the following CLI options. These options are not available in the GUI and you must run these CLI commands to configure them:
    config router bgp
        config neighbor-group
            edit "VPN1"
                set link-down-failover enable
                set additional-path both
                set adv-additional-path 4
            next
        end
    end
To configure BGP using the CLI:
config router bgp
    set as 65001
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    set additional-path-select 4
    config neighbor-group
        edit "VPN1"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 65001
            set additional-path both
            set adv-additional-path 4
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.251.1.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
end
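As an added example that is not part of this page or of FortiOS: a Python check that reads the hub's BGP CLI text (the run-together one-line form works as-is) and verifies what the iBGP peering with the PoPs depends on, that the neighbor group's remote AS equals the local AS, that the group is a route reflector client, and that the neighbor-range prefix covers the IKE mode-config tunnel pool. The sample CLI is trimmed from this page's CLI to the statements the checks read, and the pool bounds are a constructed input passed by the caller.

```python
import ipaddress
import re
# Sample input: this page's hub CLI, trimmed to the statements the checks read.
HUB_BGP_CLI = ('config router bgp set as 65001 set ibgp-multipath enable config neighbor-group '
               'edit "VPN1" set remote-as 65001 set route-reflector-client enable '
               'set next-hop-self enable next end config neighbor-range edit 1 '
               'set prefix 10.251.1.0 255.255.255.0 set neighbor-group "VPN1" next end end')

def statements(cli):
    # Split FortiOS CLI text (one line or many) into config/edit/set/next/end statements.
    parts = re.split(r"\s+(?=(?:config|edit|set|next|end)(?:\s|$))", cli.strip())
    return [p.strip() for p in parts if p.strip()]

def parse_bgp(cli):
    # Walk the statements: local AS, neighbor groups by name, neighbor ranges in order.
    local_as, groups, ranges, section, entry = None, {}, [], None, None
    for stmt in statements(cli):
        word, *args = stmt.split()
        if word == "config":
            section = args[-1]                      # "router bgp" -> "bgp"
        elif word == "edit":
            entry = {"name": args[0].strip('"')}
        elif word == "set" and entry is not None:
            entry[args[0]] = " ".join(args[1:]).strip('"')
        elif word == "set" and args[0] == "as":
            local_as = int(args[1])
        elif word == "next" and entry is not None:
            if section == "neighbor-group":
                groups[entry["name"]] = entry
            elif section == "neighbor-range":
                ranges.append(entry)
            entry = None
    return local_as, groups, ranges

def check_hub(cli, pool_first, pool_last):
    # Findings that would stop the PoPs from peering as this page describes; [] means OK.
    # pool_first/pool_last are the IKE mode-config tunnel pool bounds (constructed input).
    local_as, groups, ranges = parse_bgp(cli)
    pool = (ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last))
    findings = []
    for name, g in groups.items():
        if g.get("remote-as") != str(local_as):     # iBGP: remote AS must equal the local AS
            findings.append(f"{name}: remote-as {g.get('remote-as')} != local AS {local_as}")
        if g.get("route-reflector-client") != "enable":
            findings.append(f"{name}: route-reflector-client not enabled")
    for r in ranges:
        net = ipaddress.ip_network("/".join(r["prefix"].split()), strict=False)
        if not all(ip in net for ip in pool):       # range must cover the mode-config pool
            findings.append(f"range {r['name']}: {net} does not cover {pool_first}-{pool_last}")
    return findings
```

Running `check_hub` with a pool outside 10.251.1.0/24 reports the mismatch; a remote AS that differs from the local AS is reported as well, since that would make the session eBGP rather than the iBGP peering the PoPs expect.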