mle2802
Staff
Article Id 287684
Description

This article describes the solution for BGP routes being dropped on the AWS Transit Gateway.

Scope

FortiGate and AWS Transit Gateway.

Solution

When peering BGP with an AWS Transit Gateway, the advertised routes must originate from an eBGP peer and must be sent with next-hop-self configured. Otherwise, the Transit Gateway drops the routes.

To achieve this, enable 'next-hop-self' on the FortiGate for the Transit Gateway neighbor.

Run the following commands on the FortiGate (the second 'end' closes 'config router bgp' and is required):

config router bgp
    config neighbor
        edit <neighbor>
            set next-hop-self enable
        next
    end
end


If the routes are reflected to the peer via a route reflector, make the following change instead, so that the reflected routes also carry the FortiGate as next hop:

config router bgp
    config neighbor
        edit <neighbor>
            set route-reflector-client enable
            set next-hop-self-rr enable
        next
    end
end


After this change, the routes are advertised with the FortiGate as next hop and are accepted on the AWS side.
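
As an added example that is not part of the original article, the following Python audits a FortiGate 'config router bgp' dump for neighbors that lack the settings above (next-hop-self, and next-hop-self-rr for route-reflector clients). The parser and SAMPLE_CONFIG are constructed for this example; a real CLI dump may contain tables and settings it does not handle.

```python
def parse_bgp_neighbors(cli_text):
    """Return {neighbor: {setting: value}} from the 'config neighbor' table of a FortiOS CLI dump."""
    neighbors, current, in_table = {}, None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config neighbor":
            in_table = True
        elif in_table and current is None and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            neighbors[current] = {}
        elif in_table and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            neighbors[current][key] = value.strip().strip('"')
        elif in_table and line == "next":
            current = None        # closes the current 'edit' entry
        elif in_table and current is None and line == "end":
            in_table = False      # closes the 'config neighbor' table
    return neighbors

def missing_next_hop_self(cli_text):
    """Return {neighbor: [missing settings]}; an empty dict means nothing to fix."""
    findings = {}
    for ip, s in parse_bgp_neighbors(cli_text).items():
        missing = []
        if s.get("next-hop-self") != "enable":
            missing.append("next-hop-self")
        # A route-reflector client additionally needs the RR variant.
        if s.get("route-reflector-client") == "enable" and s.get("next-hop-self-rr") != "enable":
            missing.append("next-hop-self-rr")
        if missing:
            findings[ip] = missing
    return findings

# Constructed sample config for this example, not taken from a device.
SAMPLE_CONFIG = """config router bgp
    config neighbor
        edit "169.254.10.1"
            set remote-as 64512
            set next-hop-self enable
        next
        edit "169.254.11.1"
        next
        edit "10.0.0.2"
            set remote-as 65000
            set route-reflector-client enable
            set next-hop-self enable
        next
    end
end"""
```

Running missing_next_hop_self(SAMPLE_CONFIG) reports the second neighbor without next-hop-self and the route-reflector client without next-hop-self-rr, while the first neighbor is clean.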


Related documents:
AWS document 
Technical Tip: How to modify BGP next hop for route reflector peering