Border Gateway Protocol (BGP)

To configure additional BGP options – CLI

config router bgp
    set bestpath-med-missing-as-worst enable
    set fast-external-failover enable
    set graceful-restart enable
    set graceful-restart-time 120
    set graceful-stalepath-time 180
    set graceful-update-delay 180
    set holdtime-timer 120
    set keepalive-timer 45
    set log-neighbor-changes enable
    config neighbor
        edit 172.21.111.4
            set connect-timer 60
            set description "ISP1"
            set holdtime-timer 120
            set keepalive-timer 45
            set weight 250
        next
        edit 172.22.222.4
            set connect-timer 60
            set description "ISP2"
            set holdtime-timer 120
            set keepalive-timer 45
            set weight 100
        next
    end
end

 

Configuring other networking devices

There are two other networking devices that need to be configured: both ISPs’ BGP routers.

The ISPs’ routers must add the FortiGate unit as a BGP neighbor so that route updates can be exchanged in both directions. Note that, as far as we are aware, ISP1 is not directly connected to ISP2.

Give both of your ISPs your FortiGate unit’s BGP information. Once they have configured their routers, you can test your BGP connection to the Internet.

They will require your FortiGate unit’s:

  • IP address of the interface connected to that ISP
  • Router ID
  • AS number (your company’s)

Testing this configuration

With the dual-homed BGP configuration in place, you should be able to send and receive traffic, exchange routes with both ISPs, and have no routing loops. Testing the network confirms that things are working as expected.

In general, when troubleshooting routing you need to look at the routing table on the different routers to see which routes are actually being installed, and sniff packets to see how traffic is being forwarded in real time. These two sources of information will normally tell you what you need to know.

Testing of this example’s network configuration should be completed in four parts:

  • Testing network connectivity
  • Verifying the FortiGate unit’s routing tables
  • Verifying traffic routing
  • Verifying the dual-homed side of the configuration

Testing network connectivity

A common first step in testing a new network topology is to check whether you can reach the Internet and other locations as you expect. If you cannot, cabling, software or other issues may be preventing it.

The easiest way to test connections is with ping, once you have ensured that all of the FortiGate unit’s interfaces and the ISP routers have ping support enabled. Also ensure that the security policies allow ping through the firewall, otherwise a blocked ICMP echo will look like a routing failure.

Connections to test in this example are the internal network to ISP1’s router and the Internet, and the same for ISP2. Then, from the external side of the FortiGate unit, try to ping the internal network. Those three tests should prove that your basic network connections are working.

Once you have completed testing network connectivity, turn ping support back off on the external interfaces, and remove any temporary policies that allowed it, for additional security.

 

Verifying the FortiGate unit’s routing tables

The FortiGate routing table contains the routes currently installed for forwarding. If you are expecting certain routes to be there and they are not, that is a good indicator that your configuration is not what you expected.

The CLI command get router info routing-table details shows, for every installed route, its routing protocol, destination address, gateway address, outgoing interface, administrative distance and metric, and whether the destination is directly connected.

If you want to limit the display to BGP routes only, use the CLI command get router info routing-table bgp. If there are no BGP routes in the routing table, nothing is displayed. You can replace bgp in that command with static, or another routing protocol, to display only those routes.

If you want to see the contents of the routing information base (RIB), use the CLI command get router info routing-table database. This displays all candidate routes, including those that were received or configured but did not make it into the routing table because a better route to the same destination exists.
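As an added example, not code from the original page, the following Python script applies the checks described above to captured CLI output. It parses the output of get router info bgp summary and get router info routing-table bgp, confirms that both ISP neighbors are Established, and confirms that the default route is installed via ISP1, which this example prefers with weight 250. The two outputs are constructed samples in the Zebra-style column layout that FortiOS prints; the exact column positions are an assumption to check against your own unit.

```python
"""Check a FortiGate's BGP state from saved CLI output.

Added example, not from the original page. Parses two constructed
samples in the Zebra-style format FortiOS prints (column layout is an
assumption; compare with your own unit) and verifies the dual-homed
expectations of this example: both ISP neighbors Established and the
default route installed via the preferred neighbor.
"""
import re

# Constructed sample of `get router info bgp summary`: ISP1 is up,
# ISP2 is still trying to open a TCP session (BGP FSM state Active).
BGP_SUMMARY = """\
BGP router identifier 172.21.111.5, local AS number 65001
BGP table version is 4
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.21.111.4    4      65100      31      29        4    0    0 00:12:07        2
172.22.222.4    4      65200       0       0        0    0    0 never    Active

Total number of neighbors 2
"""

# Constructed sample of `get router info routing-table bgp` for the same state.
ROUTING_TABLE_BGP = """\
Routing table for VRF=0
B*      0.0.0.0/0 [20/0] via 172.21.111.4, wan1, 00:12:05
B       198.51.100.0/24 [20/0] via 172.21.111.4, wan1, 00:12:05
"""


def parse_bgp_summary(text):
    """Return {neighbor_ip: state}.

    In the summary table the last column is the number of prefixes
    received when the session is Established; otherwise it holds the
    FSM state word (Idle, Connect, Active, OpenSent, OpenConfirm).
    """
    neighbors = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("Total number"):
            break
        fields = line.split()
        ip, last = fields[0], fields[-1]
        neighbors[ip] = "Established" if last.isdigit() else last
    return neighbors


# "B" (or "B*" for a candidate default) prefix [AD/metric] via nexthop, iface, age
ROUTE_RE = re.compile(
    r"^B\S*\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<nexthop>[\d.]+),\s*(?P<iface>[^,\s]+)"
)


def parse_bgp_routes(text):
    """Return {prefix: (next_hop, interface)} for installed BGP routes."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m["prefix"]] = (m["nexthop"], m["iface"])
    return routes


def check_dual_homed(summary_text, routes_text, preferred, backup):
    """Return a list of findings; an empty list means everything is as expected."""
    findings = []
    nbrs = parse_bgp_summary(summary_text)
    for ip in (preferred, backup):
        state = nbrs.get(ip, "missing")
        if state != "Established":
            findings.append(f"neighbor {ip} is {state}, not Established")
    routes = parse_bgp_routes(routes_text)
    default = routes.get("0.0.0.0/0")
    if default is None:
        findings.append("no default route learned via BGP")
    elif nbrs.get(preferred) == "Established" and default[0] != preferred:
        # With weight 250 on ISP1 the default should sit on ISP1 while it is up.
        findings.append(f"default route via {default[0]}, expected {preferred}")
    return findings


if __name__ == "__main__":
    for f in check_dual_homed(BGP_SUMMARY, ROUTING_TABLE_BGP,
                              "172.21.111.4", "172.22.222.4"):
        print("FINDING:", f)
```

Run against the constructed samples it reports one finding, the ISP2 session stuck in Active, and accepts the default route because ISP1 is the next hop. A neighbor that never leaves Active or Connect usually means the TCP session to the peer is not completing (wrong peer address, a policy or ACL blocking TCP/179, or a multihop peer without the multihop setting), so that is the first thing to check before looking at route policy.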



6 thoughts on “Border Gateway Protocol (BGP)”

  1. piccolo

    Hi Mike,
    if i configure the following on fortigate1:
    config router bgp
        set as 65000
        set router-id 10.2.2.254
        config neighbor
            edit "10.2.2.253"
                set next-hop-self enable
                set remote-as 65000
                set send-community6 disable
            next
        end
        config redistribute "static"
            set status enable
        end
    end

    Should fortigate2 get the default route 0.0.0.0 0.0.0.0 from fortigate1, as it is static?

    How can I redistribute the default route (fortigate1) to fortigate2?

    thanks
    regards

    1. Mike Post author

      There is a really good KB article that explains how to do this. You can find it here

      If you want to redistribute static routes you would enable the following

      config router bgp
          config redistribute static
              set status enable
          end
      end

      An example of the config would be like this

      config router prefix-list
          edit "only_dflt"
              config rule
                  edit 1
                      set prefix 0.0.0.0 0.0.0.0
                      unset ge
                      unset le
                  next
              end
          next
      end

      config router route-map
          edit "only_default_route"
              config rule
                  edit 1
                      set match-ip-address "only_dflt"
                  next
              end
          next
      end

      config router bgp
          set as 2
          config neighbor
              edit 10.142.0.110
                  set remote-as 1
                  set route-map-in "only_default_route"
              next
          end
          set router-id 10.142.0.205
      end

      Let me know if this helped answer your question!

      Thanks!

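An added example, not part of the reply above: Python that implements the prefix-list matching the only_dflt rule relies on. With ge and le unset, a rule matches only a route whose prefix length equals the rule’s own, so 0.0.0.0 0.0.0.0 admits the default route and nothing else, whereas adding le 32 turns the same rule into match-anything. The received routes are constructed sample data, and the ge/le semantics are the Zebra-style ones the FortiOS CLI documents (ge is the minimum and le the maximum prefix length to match).

```python
"""Prefix-list matching with ge/le, as used by a route-map-in filter.

Added example, not from the original page or the comment above.
Semantics follow Zebra-style prefix lists (which FortiOS documents the
same way): a route must fall inside the rule prefix, and its prefix
length must be exactly the rule's length when ge/le are unset, or lie in
[ge, le] when they are set (ge defaults to the rule length, le to 32).
Received routes below are constructed sample data.
"""
import ipaddress


def rule_matches(rule, route):
    """rule: {'prefix': CIDR, optional 'ge': int, optional 'le': int}; route: CIDR."""
    net = ipaddress.ip_network(rule["prefix"])
    r = ipaddress.ip_network(route)
    if not r.subnet_of(net):
        return False
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return r.prefixlen == net.prefixlen  # exact-length match only
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else r.max_prefixlen
    return lo <= r.prefixlen <= hi


def prefix_list_permits(rules, route):
    """First matching rule decides; no match means the implicit deny applies."""
    for rule in rules:
        if rule_matches(rule, route):
            return rule.get("action", "permit") == "permit"
    return False


# Mirrors `only_dflt`: prefix 0.0.0.0 0.0.0.0 with ge and le unset.
ONLY_DFLT = [{"prefix": "0.0.0.0/0"}]
# The same prefix with `le 32` matches every IPv4 route instead.
ANY_V4 = [{"prefix": "0.0.0.0/0", "le": 32}]

# Constructed sample of routes a peer might send.
RECEIVED = ["0.0.0.0/0", "10.0.0.0/8", "198.51.100.0/24", "203.0.113.7/32"]


def accepted_routes(rules, received=RECEIVED):
    """Routes that would survive a route-map-in whose rule matches this prefix list."""
    return [r for r in received if prefix_list_permits(rules, r)]


if __name__ == "__main__":
    print("only_dflt accepts:", accepted_routes(ONLY_DFLT))
    print("le 32 accepts:    ", accepted_routes(ANY_V4))
```

Accepting only a default route from an upstream is a sensible default for a stub site: it keeps a mistaken or malicious full-table announcement from the peer out of your routing table entirely, rather than relying on the peer to filter correctly.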
  2. kamal

    config router bgp
        set as 65041
        set router-id 162.53.156.138
        config neighbor
            edit "10.104.55.1"
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 64699
                set send-community6 disable
            next
            edit "10.104.55.2"
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 64699
                set send-community6 disable
            next
        end
    end

    I am trying to accomplish the above, but I can see that only one neighbour is established and the other is in ACTIVE state…
