Created on 07-13-2023 07:34 AM
Edited on 10-21-2024 12:00 AM
By Anthony_E
Description
This article describes how the 'set interface' and 'set update-source' BGP commands operate on a FortiGate device.
Scope
FortiGate.
Solution
Using set interface <interface_name>:
config router bgp
    set as 65412
    set router-id 1.1.1.1
    config neighbor
        edit "172.16.2.2"
            set interface "port2" <-----------
            set remote-as 65412
        next
    end
end
diagnose sniffer packet any " port 179 " 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 179 ]
^C
0 packets received by filter
0 packets dropped by kernel
When 'set interface' is configured under a BGP neighbor, the BGP process is placed in a listening state for all incoming connections on BGP port 179. FortiGate acts as a 'passive' BGP peer: it does not initiate the BGP peering itself and only waits for incoming BGP connections. If the BGP peering goes down for any reason, the neighborship stays inactive or idle until the remote BGP peer initiates the session.
Using set update-source <interface_name>:
config router bgp
    set as 65412
    set router-id 1.1.1.1
    config neighbor
        edit "172.16.2.2"
            set remote-as 65412
            set update-source "port2" <-----------
        next
    end
end
diagnose sniffer packet any " port 179 " 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 179 ]
0.788186 port2 out 172.16.2.1.8879 -> 172.16.2.2.179: syn 2353844132
2.868132 port2 out 172.16.2.1.8879 -> 172.16.2.2.179: syn 2353844132
When 'set update-source' is configured under a BGP neighbor, FortiGate can initiate the BGP peering itself through that interface, and it can also accept an incoming BGP connection. FortiGate behaves as an 'active' BGP peer.
Note:
In an ADVPN tunnel setup that uses BGP route failover, if 'set update-source' is configured and the update-source tunnel interface is down, the BGP neighbor connection will not be established, because FortiGate initiates the BGP peering itself using that interface.
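To review a saved configuration for the two behaviours described above, the following added example (not Fortinet's code and not part of the original article) classifies each BGP neighbor as passive ('set interface' only) or active ('set update-source'). The function names, the sample configuration and the peer 172.16.2.3 are constructed for illustration, and the parser assumes no nested 'config' blocks inside a neighbor entry.

```python
import re

# Constructed sample modelled on the article's configs; 172.16.2.3 is an invented peer.
SAMPLE_CONFIG = '''
config router bgp
    set as 65412
    config neighbor
        edit "172.16.2.2"
            set interface "port2"
            set remote-as 65412
        next
        edit "172.16.2.3"
            set remote-as 65412
            set update-source "port2"
        next
    end
end
'''

def classify_neighbors(config_text):
    """Return {neighbor: (role, interface)} from a 'config router bgp' block."""
    result, in_neighbors, current, settings = {}, False, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config neighbor":
            in_neighbors = True
        elif in_neighbors and current is None and line == "end":
            in_neighbors = False
        elif in_neighbors and (m := re.match(r'edit\s+"?([^"\s]+)"?$', line)):
            current, settings = m.group(1), {}
        elif current and (m := re.match(r'set\s+(interface|update-source)\s+"?([^"\s]+)"?', line)):
            settings[m.group(1)] = m.group(2)
        elif current and line == "next":
            result[current] = _role(settings)
            current = None
    return result

def _role(settings):
    if "update-source" in settings and "interface" in settings:
        return ("both-set", settings["update-source"])  # combination not described in the article
    if "update-source" in settings:
        return ("active", settings["update-source"])    # FortiGate sends SYNs to port 179
    if "interface" in settings:
        return ("passive", settings["interface"])       # FortiGate only waits for the peer
    return ("unspecified", None)

if __name__ == "__main__":
    for peer, (role, intf) in classify_neighbors(SAMPLE_CONFIG).items():
        print(f"{peer}: {role} via {intf}")
```

Neighbors reported as passive are the ones that stay idle after a session drop until the remote peer reconnects.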