FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Alex_Yap_FTNT
Purpose
Enterprise networks using BGP with multi-homed solution (connected to more than one ISP). Sometime, they might required to design the internet link with primary/backup setup where the lower speed/lower quality internet link should only be used when the primary link is failed.

Since both ISP is independent, the local preference might be lower on the desired/primary internet link and resulting the desired traffic flow through the lower speed/quality path.

Sometimes, even though there is higher local preference on Primary ISP router and lower on the secondary ISP router, some reverse traffic may hit the FortiGate via secondary ISP link.
As Local preference is a non-transitive attribute, routers in the Primary ISP exchange is only inside their own AS (AS65101 in the example) and cannot pass it to Secondary ISP’s AS (AS65201). Due to this, Secondary ISP is unaware of the Local Preference value set on the Primary AS.

In this case, BGP route selection can be influenced by using AS_PATH attribute with multiple copies of your own AS number (AS-path prepending). 

Diagram

Expectations, Requirements
  • BGP route selection on internet router for the return path/traffic can be influenced by using AS_PATH, which is transitive attribute.
  • BGP prefers the shortest AS path to reach the destination.
  • It is possible to manipulate the path used by the return traffic with AS_PATH prepending while advertising the Fortigate DMZ prefix 93.184.216.34/32 to the Secondary ISP rather than relying on the Local Preference configured at ISP end.
  • Even if Secondary ISP AS65201 has to reach DMZ prefix 93.184.216.34/32 behind the FortiGate, it will prefer the Primary ISP AS65101 as the next hop. It is because FortiGate advertises this prefix to Secondary ISP with longer AS_PATH comparing to the same prefix advertised by Primary ISP.
  • To manipulate the outgoing traffic from the FortiGate and prioritize Primary ISP connection over Secondary ISP, make sure to set higher Local preference or Weight for Primary ISP BGP peer, than the Secondary ISP peer.

Configuration
Interface Configuration with WAN1 (Primary ISP)  and WAN2 (Secondary ISP), DMZ is the prefix to be published out, which is simulated by a Loopback interface:
config system interface
    edit "port2"
        set vdom "root"
        set ip 202.1.1.1 255.255.255.240
        set allowaccess ping
        set type physical
        set alias "WAN1"
    next
    edit "port3"
        set vdom "root"
        set ip 202.2.2.1 255.255.255.240
        set allowaccess ping
        set type physical
        set alias "WAN2"
    next
    edit "DMZ"
        set vdom "root"
        set ip 93.184.216.34 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

Route-map to publish the AS-Path with pre-pending:
config router route-map
    edit "Secondary_ISP"
        config rule
            edit 1
                set set-aspath "65301 65301 65301"                        
            next
        end
    next
end

Route-map that sets higher local preference for prefixes received from Primary ISP:

config router route-map
    edit "Primary_ISP"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end


The route-maps are applied to both BGP neighbors:
config router bgp
    set as 65301
        config neighbor
            edit "202.1.1.2"
                set remote-as 65101
                set route-map-in “Primary_ISP”
            next
            edit "202.2.2.2"
                set remote-as 65201
                set route-map-out "Secondary_ISP"
            next
        end
        config network
            edit 1
                set prefix 93.184.216.34 255.255.255.255
            next
        end
    set router-id 3.3.3.3
end

Verification
The following output show on Secondary ISP router before the pre-pending technique is applied, the best path to reach 93.184.216.34/32 is via 202.2.2.1:
ISP2-R1 # get router info bgp network
BGP table version is 8, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 93.184.216.34/32 202.2.2.1                0             0        0 65301 i
* i                 10.1.1.1                 0    100      0        0 65101 65301 i
*> 202.2.2.0/28     0.0.0.0                       100  32768        0 i

The following output show on Secondary ISP router after the pre-pending technique was applied, the best path to reach 93.184.216.34/32 is via 101.1.1.1 now:
ISP2-R1 # get router info bgp network
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i93.184.216.34/32 10.1.1.1                 0    100      0        0 65101 65301 i
*                   202.2.2.1                0             0        0 65301 65301 65301 65301 i
*> 202.2.2.0/28     0.0.0.0                       100  32768        0 i



Troubleshooting



Related Articles

Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-...

Technical Note : BGP dual-home example - solution to avoid RPF problem in asymetric routing scenario

Contributors