This article describes the behavior of BGP SD-WAN route-tagging for the routes learned and tagged.
Unlike normal routing behavior, which prefers the longest prefix match, BGP SD-WAN route-tagging prefers the least specific routes, so more specific routes tagged with the same route-tag are less preferred.
Below is an example in which the default route is installed by SD-WAN rule ID 9 because of this behavior. Notice that 10.56.56.0/24, 10.57.57.0/24, and 10.0.0.0/8 were not included, even though these routes carry the same route-tag as the default route.
Note that the 10.0.0.0/8 route is used by SD-WAN rule ID 9, while the routes to 10.56.56.0/24 and 10.57.57.0/24 were not installed.
In this example, I have enabled redistribute static route with a route-map and enabled capability-default-originate on the Hub. Removing these settings will show the following behavior.
After the changes and BGP restart, the routes to 10.56.56.0/24 and 10.57.57.0/24 were installed properly.
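The following FortiOS CLI fragment is an added illustration, not configuration taken from the original article or from Fortinet. It shows the two Hub-side settings the article identifies as causing the least-specific route to win (redistribute static with a route-map, and capability-default-originate on the neighbor) next to a spoke-side SD-WAN service that matches on the route-tag. The route-tag value 10, the route-map name "rm-tag-static", the neighbor address 10.1.1.2 and the interface member ID 1 are assumed placeholders; SD-WAN rule ID 9 is the one referenced in the article. Line comments starting with "#" are explanatory and are not part of the CLI syntax.

```text
# --- Hub: configuration as originally present in the article's example ---
config router route-map
    edit "rm-tag-static"              # assumed name: tags redistributed static routes
        config rule
            edit 1
                set set-route-tag 10  # assumed route-tag value
            next
        end
    next
end
config router bgp
    config redistribute "static"      # setting the article removes (1 of 2)
        set status enable
        set route-map "rm-tag-static"
    end
    config neighbor
        edit "10.1.1.2"               # assumed spoke peer address
            set capability-default-originate enable   # setting the article removes (2 of 2)
        next
    end
end

# --- Hub: configuration after the change described in the article ---
# Both settings above are reverted; the tagged prefixes are then advertised
# without an accompanying tagged default route.
config router bgp
    config redistribute "static"
        set status disable
        unset route-map
    end
    config neighbor
        edit "10.1.1.2"
            set capability-default-originate disable
        next
    end
end

# --- Spoke: SD-WAN service that selects routes by route-tag ---
config system sdwan
    config service
        edit 9                        # rule ID 9 from the article
            set route-tag 10          # must match the tag set on the Hub
            set priority-members 1    # assumed SD-WAN member ID
        next
    end
end
```

After applying the Hub change, the article notes that a BGP restart was needed before 10.56.56.0/24 and 10.57.57.0/24 appeared under the rule; on the spoke, compare the output of `diagnose sys sdwan service` for rule 9 before and after to confirm which tagged prefixes are installed (that command is a standard FortiOS diagnostic and is not from the article).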
For more information regarding BGP and SD-WAN route-tagging, refer to the related article linked below.