FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 296149
Description This article describes how to configure BGP on Loopback with SD-WAN to achieve correct BGP failover over the secondary tunnel in case of failure.
Scope FortiGate v7.0+.

How to configure BGP on Loopback is not part of this article. For configuration information, visit the below article:

Technical Tip: ADVPN with BGP on loopback


BGP on Loopack is commonly used in ADVPN topology together with SD-WAN on spokes. To have a correct failover of BGP over an available tunnel, an SD-WAN health-check is used.


From Spoke's perspective important parts of the configuration.

Loopback used for BGP:


Spoke1 # show system interface Loopback
config system interface
    edit "Loopback"
        set vdom "root"
        set ip
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 16


 Partial BGP configuration showing neighbor configuration:


Spoke1 # show router bgp
config router bgp
    set as 65500
    set router-id
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
        config neighbor
            edit ""
                set soft-reconfiguration enable
                set interface "Loopback"
                set remote-as 65500
                set route-map-in "set-tag"
                set update-source "Loopback"
                set additional-path both


This device has 2 tunnels, both are members of SD-WAN. As this example used BGP on Loopback configuration, tunnels do not have their own IP address and because, here let's use SD-WAN health-checks to probe connection to HUB, it is necessary to specify source-ip address for health-check packets:


Spoke1 # show system sdwan
config system sdwan
    set status enable
        config zone
            edit "ADVPN_Z"

config members
    edit 1
        set interface "advpn"
        set zone "ADVPN_Z"
        set source
    edit 2
        set interface "advpn_b"
        set zone "ADVPN_Z"
        set source


Health-check configuration is simple. One rule should be followed, the IP address that is used for health-check should be different from the Loopback IP address used by HUB for BGP. In this example, HUB's Loopback IP address used by BGP is For the health-check purposes, it will be used different IP address:


Spoke1 #
config health-check
    edit "Hub_HC"
        set server ""
        set members 1 2


The reason for this is that the kernel route for the health-check IP will be created over members:


Spoke1 # get router info kernel | grep
tab=254 vf=0 scope=0 type=1 proto=18 prio=0> pref= gwy= dev=20(advpn)
tab=254 vf=0 scope=0 type=1 proto=18 prio=0> pref= gwy= dev=21(advpn_b)


If the health-check IP is the same as the Loopback IP address on HUB (in this case it would interfere with failover in case the current select egress tunnel would go down. The result would be delayed or non-working failover over the secondary tunnel.