Border Gateway Protocol (BGP)

To create a firewall services group – web-based manager

1. Go to Policy & Objects > Objects > Services, select the dropdown arrow next to Create New and select

Service Group.

2. For Group Name, enter “Basic_Services”.

3. From the Members dropdown, choose the following six services — BGP, FTP, FTP_GET, FTP_PUT, DNS, HTTP, and HTTPS.

4. Select OK.

 

To create a firewall services group – CLI

config firewall service group edit “Basic_Services”

set member “BGP” “DNS” “FTP” “FTP_GET” “FTP_PUT” “HTTP” “HTTPS” next

end

 

To create a zone for the ISP interfaces – web-based manager

1. Go to System > Network > Interfaces.

2. Select the caret to the right of Create New and then select Zone.

3. Enter the following information.

Zone Name                                 ISPs

Block Intra-zone traffic             enable

interface members                    port2 port3

4. Select OK.

 

To create a zone for the ISP interfaces – CLI

config system zone edit “ISPs”

set interface “port2” “port3” set intrazone block

next end

 

To add the firewall addresses – web-based manager

1. Go to Policy & Objects > Objects > Addresses.

2. Select Create New, and set the following information.

Category                                     Address

Name                                           Internal_network

Type                                            Subnet / IP Range

Subnet / IP Range                     10.11.101.0 255.255.255.0

Interface                                     port1

3. Select OK.

 

To add the firewall addresses – CLI

config firewall address edit “Internal_network”

set associated-interface “port1”

set subnet 10.11.101.0 255.255.255.0 next

end

 

To add the HTTP and DNS security policies – web-based manager

1. Go to Policy & Objects > Policy > IPv4, and select Create New.

2. Set the following information.

Incoming Interface                   port1(internal)

Source Address                        Internal_network

Outgoing Interface                   ISPs

Destination Address                 All

Schedule                                    Always

Service                                       Basic_services

Action                                         ACCEPT

Log Allowed Traffic                  Enable

Firewall / Network Options     Enable NAT

Comments                                  ISP1 basic services out policy

3. Select OK.

4. Select Create New, and set the following information.

Incoming Interface                   ISPs

Source Address                        All

Outgoing Interface                   port1(internal)

Destination Address                 Internal_network

Schedule                                    Always

Service                                       Basic_services

Action                                         ACCEPT

Log Allowed Traffic                  Enable

Firewall / Network Options     Enable NAT

Comments                                  ISP1 basic services in policy


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

6 thoughts on “Border Gateway Protocol (BGP)

  1. Hi Mike,
    if i configure the following on fortigate1:
    config router bgp
    set as 65000
    set router-id 10.2.2.254
    config neighbor
    edit “10.2.2.253”
    set next-hop-self enable
    set remote-as 65000
    set send-community6 disable
    next

    config redistribute “static”
    set status enable
    end

    fortigate2 should get the default route 0.0.0.0 0.0.0.0 from fortigate1 as it is static ?

    how can i redistribute the default route(fortigate1) to fortigate2 ?

    thanks
    regards

    • There is a really good KB article that explains how to do this. You can find it here

      If you want to redistribute static routes you would enable the following

      config router bgp
      config redistribute static
      set status enable
      end
      end

      An example of the config would be like this

      config router prefix-list
      edit “only_dflt”
      config rule
      edit 1
      set prefix 0.0.0.0 0.0.0.0
      unset ge
      unset le
      next
      end
      next
      end

      config router route-map
      edit “only_default_route”
      config rule
      edit 1
      set match-ip-address “only_dflt”
      next
      end
      next
      end

      config router bgp
      set as 2
      config neighbor
      edit 10.142.0.110
      set remote-as 1
      set route-map-in “only_default_route”
      next
      end

      set router-id 10.142.0.205
      end

      Let me know if this helped answer your question!

      Thanks!

  2. config router bgp
    set as 65041
    set router-id 162.53.156.138
    config neighbor
    edit “10.104.55.1”
    set ebgp-enforce-multihop enable
    set soft-reconfiguration enable
    set remote-as 64699
    set send-community6 disable
    next
    edit “10.104.55.2”
    set ebgp-enforce-multihop enable
    set soft-reconfiguration enable
    set remote-as 64699
    set send-community6 disable
    next

    i am trying to accomplish above but i can see only one neighbour is establish and other is in ACTIVE state…

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.