Configuring BGP
To configure BGP:
- Configure the GRE interface in the FortiOS CLI on both FortiGates. Configuring a GRE tunnel interface enables you to form a GRE tunnel between the FortiGate and the TGW to exchange BGP routes:
config system gre-tunnel
edit "tgwc"
set interface "port2"
set remote-gw <TGW GRE address>
set local-gw <FortiGate port2 IP address>
next
end
You can find the TGW GRE address on the VPC Dashboard in Transit Gateways > Transit Gateway Attachments in the AWS management console. Select the Transit Gateway Connect attachment, then the Connect peers tab. The remote gateway IP address is unique for each connect peer. The following shows commands for the first FortiGate in the example scenario:
config system gre-tunnel
edit "tgwc"
set interface "port2"
set remote-gw 10.100.0.32
set local-gw 10.90.208.174
next
end
The following shows commands for the second FortiGate in the example scenario:
config system gre-tunnel
edit "tgwc"
set interface "port2"
set remote-gw 10.100.0.236
set local-gw 10.90.46.172
next
end
- Configure the tunnel interface IP address:
  - Go to Network > Interfaces in FortiOS.
  - Select the newly created GRE interface, then select Edit.
  - In the IP field, enter the peer BGP address. You can find this value on the AWS management console in VPC Dashboard > Transit Gateways > Transit Gateway Attachments, selecting the Security VPC Connect attachment, and going to the Connect peers tab.
  - In the Remote IP field, enter the TGW BGP 1 address. The mask is /29. You can find this value on the AWS management console in VPC Dashboard > Transit Gateways > Transit Gateways, selecting the Security VPC Connect attachment, and going to the Connect peers tab.
- Configure BGP neighbors on both FortiGates. The TGW BGP 1 and TGW BGP 2 addresses used as the neighbor IDs below can be found on the AWS management console in VPC Dashboard > Transit Gateways > Transit Gateway Attachments, selecting the TGW Connect attachment, and going to the Connect peers tab.
config router bgp
set as 7115
config neighbor
edit "<TGW BGP 1 address>"
set capability-default-originate enable
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set remote-as 64512
next
edit "<TGW BGP 2 address>"
set capability-default-originate enable
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set remote-as 64512
next
end
config network
edit 1
set prefix 10.90.32.0 255.255.240.0
next
end
config redistribute "connected"
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
end
- Configure static routes on each FortiGate to forward packets to the TGW subnet.
- Configure the desired firewall rules on each FortiGate.
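The steps above are easy to get subtly wrong when repeated for two FortiGates (wrong /29, a TGW BGP address from the other peer, neighbor IDs that do not match the Remote IP). The following is an added example, not Fortinet's or AWS's code: a small Python generator that checks the per-peer values for consistency and then emits the GRE tunnel and BGP neighbor CLI from the procedure above for each FortiGate. It uses the page's AS numbers, port2/TGW GRE addresses and advertised prefix; the 169.254.x.x peer and TGW BGP addresses and their /29 inside CIDRs are constructed stand-ins for what you read from the Connect peers tab. The `config system interface` block is the assumed CLI equivalent of the GUI IP / Remote IP step; `ConnectPeer`, `validate`, `render_gre` and `render_bgp` are names chosen for this example. Static routes and firewall policies are not generated because the page gives no specifics for them.

```python
"""Added example (not Fortinet's or AWS's code): validate TGW Connect peer
values and render the FortiOS GRE + BGP CLI for each FortiGate."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LOCAL_AS = 7115                                # FortiGate AS from the page
TGW_AS = 64512                                 # Transit Gateway AS from the page
ADVERTISED = ("10.90.32.0", "255.255.240.0")   # network prefix from the page


@dataclass(frozen=True)
class ConnectPeer:
    """One FortiGate's view of its Transit Gateway Connect peer."""
    name: str          # label only
    port2_ip: str      # FortiGate port2 address (GRE local-gw)
    tgw_gre: str       # TGW GRE address (GRE remote-gw), from the Connect peers tab
    inside_cidr: str   # the /29 inside CIDR of this Connect peer
    peer_bgp: str      # peer BGP address, set in the IP field of the GRE interface
    tgw_bgp1: str      # TGW BGP 1 address, set in the Remote IP field
    tgw_bgp2: str      # TGW BGP 2 address, second neighbor


def validate(peer: ConnectPeer, local_as: int = LOCAL_AS, remote_as: int = TGW_AS) -> None:
    """Reject values that would silently leave the BGP sessions down."""
    cidr = IPv4Network(peer.inside_cidr)
    if cidr.prefixlen != 29:
        raise ValueError(f"{peer.name}: inside CIDR {cidr} is not a /29")
    addrs = {"peer BGP": peer.peer_bgp, "TGW BGP 1": peer.tgw_bgp1, "TGW BGP 2": peer.tgw_bgp2}
    for label, addr in addrs.items():
        if IPv4Address(addr) not in cidr:
            raise ValueError(f"{peer.name}: {label} address {addr} is outside {cidr}")
    if len(set(addrs.values())) != 3:
        raise ValueError(f"{peer.name}: BGP addresses must be distinct")
    if local_as == remote_as:
        raise ValueError("eBGP to the TGW requires the FortiGate AS to differ from the TGW AS")


def render_gre(peer: ConnectPeer) -> str:
    """GRE tunnel plus the tunnel interface addressing (CLI form of the GUI step, assumed)."""
    validate(peer)
    mask = IPv4Network(peer.inside_cidr).netmask  # /29 -> 255.255.255.248
    return "\n".join([
        'config system gre-tunnel',
        '    edit "tgwc"',
        '        set interface "port2"',
        f'        set remote-gw {peer.tgw_gre}',
        f'        set local-gw {peer.port2_ip}',
        '    next',
        'end',
        'config system interface',
        '    edit "tgwc"',
        f'        set ip {peer.peer_bgp} 255.255.255.255',
        f'        set remote-ip {peer.tgw_bgp1} {mask}',
        '    next',
        'end',
    ])


def _neighbor(addr: str, remote_as: int) -> list:
    return [
        f'        edit "{addr}"',
        '            set capability-default-originate enable',
        '            set ebgp-enforce-multihop enable',
        '            set soft-reconfiguration enable',
        f'            set remote-as {remote_as}',
        '        next',
    ]


def render_bgp(peer: ConnectPeer, local_as: int = LOCAL_AS, remote_as: int = TGW_AS) -> str:
    """BGP process with both TGW addresses as eBGP neighbors, as on the page."""
    validate(peer, local_as, remote_as)
    lines = ['config router bgp', f'    set as {local_as}', '    config neighbor']
    lines += _neighbor(peer.tgw_bgp1, remote_as) + _neighbor(peer.tgw_bgp2, remote_as)
    lines += ['    end', '    config network', '        edit 1',
              f'            set prefix {ADVERTISED[0]} {ADVERTISED[1]}', '        next', '    end']
    for src in ("connected", "rip", "ospf", "static", "isis"):
        lines += [f'    config redistribute "{src}"', '    end']
    lines.append('end')
    return "\n".join(lines)


# Example-scenario FortiGates; 169.254.* values are constructed stand-ins.
FGT1 = ConnectPeer("fgt1", "10.90.208.174", "10.100.0.32", "169.254.100.0/29",
                   "169.254.100.1", "169.254.100.2", "169.254.100.3")
FGT2 = ConnectPeer("fgt2", "10.90.46.172", "10.100.0.236", "169.254.101.0/29",
                   "169.254.101.1", "169.254.101.2", "169.254.101.3")

if __name__ == "__main__":
    for fgt in (FGT1, FGT2):
        print(f"### {fgt.name}")
        print(render_gre(fgt))
        print(render_bgp(fgt))
```

Run it to print both configurations; `validate` raises before anything is emitted if a BGP address falls outside the peer's /29 or the two AS numbers collide, which is the mistake most often made when the second FortiGate's values are copied from the first.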