shahrukh_khan
Article Id 423312
Description This article describes mapping SD-WAN member priorities to BGP MED in hub-and-spoke topologies.
Scope FortiOS Version: 7.6.1 and later.
Solution

In FortiGate SD-WAN deployments, integrating Border Gateway Protocol (BGP) allows dynamic route advertisement and intelligent traffic steering. The MED attribute (lower value preferred) influences inbound traffic from external eBGP peers. By embedding SD-WAN health and priority information into MED, external routers can automatically prefer the optimal hub for reaching spoke prefixes, enabling self-healing inbound path selection without manual intervention or additional health checks on external devices.

Benefits:

  • Inbound Load Balancing and Failover: External traffic dynamically shifts to the hub with the best SD-WAN path.
  • Self-Healing: SLA failures on spoke-to-hub links increase MED, demoting that path.
  • Scalability: Simplifies large-scale ADVPN/SD-WAN overlays with multiple hubs.

Topology Example:

  • One Spoke (e.g., Branch FortiGate, LAN: 10.0.3.0/24, Loopback: 10.1.1.1).
  • Two Hubs (Hub-1: 10.1.1.2, Hub-2: 10.1.1.3).
  • Four Overlays from Spoke:
    • To Hub-1: H1_T11 (primary, priority-in-sla 50), H1_T22 (backup, priority-in-sla 70).
    • To Hub-2: H2_T11 (priority-in-sla 60), H2_T22 (priority-in-sla 80).
  • Health Check: Probes to a server (e.g., 10.1.1.100) with a latency threshold of ≤100 ms.
  • External eBGP Peer: Connected to both hubs, receiving spoke routes with varying MED.

Configuration Steps:
On Hubs: Enable Recursive Priority Inheritance.

This ensures hubs properly inherit and propagate SD-WAN priorities in BGP routes.

config router bgp
    set recursive-inherit-priority enable
end

On Spoke: Configure SD-WAN with Priorities and Health Check.

config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 4
            set interface "H1_T11"
            set zone "overlay"
            set source 10.1.1.1
            set priority-in-sla 50
            set priority-out-sla 100
        next
        edit 5
            set interface "H1_T22"
            set zone "overlay"
            set source 10.1.1.1
            set priority-in-sla 70
            set priority-out-sla 120
        next
        edit 7
            set interface "H2_T11"
            set zone "overlay"
            set source 10.1.1.1
            set priority-in-sla 60
            set priority-out-sla 110
        next
        edit 8
            set interface "H2_T22"
            set zone "overlay"
            set source 10.1.1.1
            set priority-in-sla 80
            set priority-out-sla 130
        next
    end
    config health-check
        edit "HUB"
            set server "10.1.1.100"
            set embed-measured-health enable
            set sla-id-redistribute 1
            set sla-fail-log-period 10
            set sla-pass-log-period 10
            set members 4 5 7 8
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 100
                next
            end
        next
    end
    config neighbor
        edit "10.1.1.2" # Hub-1
            set member 4 5
            set route-metric priority
            set health-check "HUB"
        next
        edit "10.1.1.3" # Hub-2
            set member 7 8
            set route-metric priority
            set health-check "HUB"
        next
    end
end

On Spoke: Advertise LAN Prefix via BGP.

config router bgp
    set as 65000 # Example AS, shared with the hubs (iBGP)
    set router-id 10.1.1.1
    config neighbor
        edit "10.1.1.2" # Hub-1
            set remote-as 65000
            set update-source "overlay"
        next
        edit "10.1.1.3" # Hub-2
            set remote-as 65000
            set update-source "overlay"
        next
    end
    config network
        edit 1
            set prefix 10.0.3.0 255.255.255.0
        next
    end
end

Verification Commands:

  • SD-WAN Health: diagnose sys sdwan health-check
  • BGP Advertised Routes (on Hub): get router info bgp neighbors <external-peer> advertised-routes
  • BGP Summary: get router info bgp summary
  • SD-WAN Members: get system sdwan members
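To reason about what the verification commands should show, here is an added model (not FortiOS code and not part of the original article) of how the spoke's priority-in-sla and priority-out-sla values become per-hub MEDs for 10.0.3.0/24. It assumes a hub advertises the lowest effective priority among the spoke members belonging to that neighbor as the MED, and it uses constructed latency samples rather than real probe output.

```python
from dataclasses import dataclass

# SLA 1 of health-check "HUB": latency must be at most 100 ms.
LATENCY_THRESHOLD_MS = 100


@dataclass(frozen=True)
class Member:
    seq: int
    interface: str
    hub: str            # SD-WAN neighbor this member is assigned to
    priority_in_sla: int
    priority_out_sla: int


# Members 4, 5, 7, 8 from the spoke configuration, grouped by the neighbor
# entries "set member 4 5" (Hub-1) and "set member 7 8" (Hub-2).
MEMBERS = [
    Member(4, "H1_T11", "Hub-1", 50, 100),
    Member(5, "H1_T22", "Hub-1", 70, 120),
    Member(7, "H2_T11", "Hub-2", 60, 110),
    Member(8, "H2_T22", "Hub-2", 80, 130),
]


def effective_priority(member: Member, latency_ms: float) -> int:
    """In-SLA priority if the probe meets the latency SLA, out-of-SLA otherwise."""
    if latency_ms <= LATENCY_THRESHOLD_MS:
        return member.priority_in_sla
    return member.priority_out_sla


def hub_meds(latencies: dict) -> dict:
    """MED each hub advertises to the external eBGP peer for the spoke prefix.
    Assumption: the lowest effective priority among the hub's members is used."""
    meds = {}
    for m in MEMBERS:
        p = effective_priority(m, latencies[m.interface])
        meds[m.hub] = min(p, meds.get(m.hub, p))
    return meds


def preferred_hub(latencies: dict) -> str:
    """Hub the external peer selects for inbound traffic: lowest MED wins."""
    meds = hub_meds(latencies)
    return min(meds, key=meds.get)


# Constructed probe results (ms) towards the health-check server 10.1.1.100.
ALL_IN_SLA = {"H1_T11": 20, "H1_T22": 25, "H2_T11": 30, "H2_T22": 35}
H1_PRIMARY_DEGRADED = {"H1_T11": 180, "H1_T22": 25, "H2_T11": 30, "H2_T22": 35}
H1_BOTH_DEGRADED = {"H1_T11": 180, "H1_T22": 190, "H2_T11": 30, "H2_T22": 35}

if __name__ == "__main__":
    for name, probes in [("all in SLA", ALL_IN_SLA),
                         ("H1_T11 out of SLA", H1_PRIMARY_DEGRADED),
                         ("both Hub-1 links out of SLA", H1_BOTH_DEGRADED)]:
        print(f"{name}: MEDs={hub_meds(probes)} -> prefer {preferred_hub(probes)}")
```

With all links healthy the external peer prefers Hub-1 (MED 50); once H1_T11 misses its SLA, Hub-1's MED rises to 70 and inbound traffic shifts to Hub-2 (MED 60) with no change on the external router.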