|
Manually defining BGP prefixes can lead to configuration errors and inconsistencies, especially in dynamic environments like SD-WAN or multi-tenant setups. By linking firewall address objects and groups to BGP, administrators can:
- Reuse firewall objects for routing, reducing configuration redundancy.
- Automatically propagate address object changes to BGP prefixes.
- Streamline management in large-scale or dynamic networks.
Prerequisites:
- FortiGate running FortiOS 7.6 or later.
- BGP configured with basic neighbor settings.
Configuration steps:
- Create a Firewall Address Object:
Define an address object and enable routing support.
config firewall address
edit "BGP-Net1"
set allow-routing enable
set subnet 192.168.10.0 255.255.255.0
next
end
Note: The allow-routing option must be enabled (disabled by default).
- (Optional) Create an Address Group:
Combine multiple address objects for scalable prefix advertisement.
config firewall addrgrp
edit "BGP-Group"
set allow-routing enable
set member "BGP-Net1" "BGP-Net2"
next
end
Ensure all member addresses have allow-routing enabled.
- Configure BGP to Use Address Objects/Groups.
Reference the address object or group in the BGP network configuration.
config router bgp
set as 65001
config network
edit 1
set prefix-name "BGP-Net1"
next
edit 2
set prefix-name "BGP-Group"
next
end
end
Use prefix-name to link to the address object or group.
Notes:
- Only ipmask and interface-subnet address types are supported.
- Address object changes propagate to BGP dynamically, but a BGP soft reset may be required for immediate effect.
|
