AWS Administration Guide

Configuring BGP

To configure BGP:
  1. Configure the GRE interface in the FortiOS CLI on both FortiGates. Configuring a GRE tunnel interface enables you to form a GRE tunnel between the FortiGate and the TGW to exchange BGP routes:

    config system gre-tunnel
        edit "tgwc"
            set interface "port2"
            set remote-gw <TGW GRE address>
            set local-gw <FortiGate port2 IP address>
        next
    end

    You can find the TGW GRE address on the VPC Dashboard in Transit Gateways > Transit Gateway Attachments in the AWS management console. Select the Transit Gateway Connect attachment, then the Connect peers tab. The remote gateway IP address is unique for each connect peer. The following shows commands for the first FortiGate in the example scenario:

    config system gre-tunnel
        edit "tgwc"
            set interface "port2"
            set remote-gw 10.100.0.32
            set local-gw 10.90.208.174
        next
    end

    The following shows commands for the second FortiGate in the example scenario:

    config system gre-tunnel
        edit "tgwc"
            set interface "port2"
            set remote-gw 10.100.0.236
            set local-gw 10.90.46.172
        next
    end

  2. Configure the tunnel interface IP address:

    1. Go to Network > Interfaces in FortiOS.

    2. Select the newly created GRE interface, then select Edit.

    3. In the IP field, enter the peer BGP address. You can find this value on the AWS management console in VPC Dashboard > Transit Gateways > Transit Gateway Attachments, selecting the Security VPC Connect attachment, and going to the Connect peers tab.

    4. In the Remote IP field, enter the TGW BGP 1 address. The mask is /29. You can find this value on the AWS management console in VPC Dashboard > Transit Gateways > Transit Gateway Attachments, selecting the Security VPC Connect attachment, and going to the Connect peers tab.

  3. Configure BGP neighbors on both FortiGates. The TGW BGP 1 and TGW BGP 2 addresses used as the neighbor names can be found on the AWS management console in VPC Dashboard > Transit Gateways > Transit Gateway Attachments, selecting the TGW Connect attachment, and going to the Connect peers tab.

    config router bgp
        set as 7115
        config neighbor
            edit "<TGW BGP 1 address>"
                set capability-default-originate enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 64512
            next
            edit "<TGW BGP 2 address>"
                set capability-default-originate enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 64512
            next
        end
        config network
            edit 1
                set prefix 10.90.32.0 255.255.240.0
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end

  4. Configure static routes on each FortiGate to forward packets to the TGW subnet.

  5. Configure the desired firewall rules on each FortiGate.
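As an added example that is not part of the Fortinet guide, the following Python script derives the peer and TGW BGP addresses from a Connect peer's /29 inside CIDR and renders the step 1 and step 3 CLI for both FortiGates from one set of parameters, so the two devices' configurations cannot drift from each other. The inside CIDR values, the rule that the first host address of the /29 is the peer BGP address and the next two are the TGW BGP addresses, and the `ConnectPeer`/`render_*` names are assumptions, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass

TGW_ASN = 64512        # remote-as used on this page (AWS default TGW ASN)
FORTIGATE_ASN = 7115   # local AS used on this page
ADVERTISED = "10.90.32.0 255.255.240.0"  # network prefix from step 3

@dataclass
class ConnectPeer:           # hypothetical helper type
    port2_ip: str            # FortiGate port2 address -> set local-gw
    tgw_gre_ip: str          # TGW GRE address -> set remote-gw
    inside_cidr: str         # Connect peer inside CIDR (must be a /29)

def bgp_addresses(inside_cidr: str) -> tuple[str, str, str]:
    """Return (peer BGP, TGW BGP 1, TGW BGP 2) for a /29 inside CIDR.
    Assumption: AWS gives the first host address of the /29 to the
    appliance and the second and third to the transit gateway."""
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 29:
        raise ValueError(f"inside CIDR must be an IPv4 /29: {inside_cidr}")
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[1]), str(hosts[2])

def render_gre(p: ConnectPeer) -> str:
    """Step 1: GRE tunnel 'tgwc' from port2 to the TGW GRE address."""
    ipaddress.ip_address(p.port2_ip)    # fail early on a mistyped address
    ipaddress.ip_address(p.tgw_gre_ip)
    return "\n".join(["config system gre-tunnel", '    edit "tgwc"',
                      '        set interface "port2"',
                      f"        set remote-gw {p.tgw_gre_ip}",
                      f"        set local-gw {p.port2_ip}", "    next", "end"])

def render_bgp(p: ConnectPeer) -> str:
    """Step 3: eBGP neighbors for TGW BGP 1 and 2, plus the advertised network."""
    _, tgw1, tgw2 = bgp_addresses(p.inside_cidr)
    lines = ["config router bgp", f"    set as {FORTIGATE_ASN}", "    config neighbor"]
    for nbr in (tgw1, tgw2):
        lines += [f'        edit "{nbr}"',
                  "            set capability-default-originate enable",
                  "            set ebgp-enforce-multihop enable",
                  "            set soft-reconfiguration enable",
                  f"            set remote-as {TGW_ASN}", "        next"]
    lines += ["    end", "    config network", "        edit 1",
              f"            set prefix {ADVERTISED}", "        next", "    end", "end"]
    return "\n".join(lines)

# Outer GRE addresses come from the page's example; the inside CIDRs are constructed values.
FGT1 = ConnectPeer("10.90.208.174", "10.100.0.32", "169.254.100.0/29")
FGT2 = ConnectPeer("10.90.46.172", "10.100.0.236", "169.254.101.0/29")
```

Calling `render_gre(FGT1)` and `render_bgp(FGT1)` prints the CLI to paste into the first FortiGate; the `/29` check rejects an inside CIDR copied with the wrong mask before anything reaches the device.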