FortiGate
stroia
Staff
Article Id 371806
Description

This article describes how to choose the SD-WAN member to steer the BGP traffic from an SD-WAN Spoke to the Hub.

Scope

FortiGate.
Solution

When using a Fortinet SD-WAN Hub and Spoke deployment with BGP on loopback running over the SD-WAN members (as explained here: BGP on loopback), it is not possible to steer the BGP traffic itself (TCP port 179) with an SD-WAN rule, because that traffic is considered local traffic originated by the FortiGate and is therefore not subject to SD-WAN rules.


To choose which SD-WAN member to send the BGP traffic to:

  • Disable the add-route option under the IPsec phase 1 configuration. For more info regarding the option, see this document: Dynamic IPsec route control.
  • Manually configure a static route for each SD-WAN member for which the Hub loopback must be reachable when establishing BGP neighborship. Configure the lowest priority or the lowest Administrative Distance for the route with the SD-WAN member preferred for BGP traffic, increment the priority or the Administrative Distance for the route pointing to the second member preferred, and so on. See this document: Adding a static route for more info regarding static route configuration.
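
The two steps above expressed as a FortiOS CLI configuration, as an added example that is not part of the original article. It assumes a Spoke with two IPsec SD-WAN members named HUB1-VPN1 and HUB1-VPN2, a Hub loopback of 10.200.0.1/32, and that HUB1-VPN1 should carry the BGP session; all of these names and addresses are placeholders, and lines starting with # are annotations rather than configuration.

```fortios
# Step 1: stop the tunnels from injecting their own routes to the Hub,
# so that only the manual static routes below decide the path.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set add-route disable
    next
    edit "HUB1-VPN2"
        set add-route disable
    next
end

# Step 2: one static route to the Hub loopback per SD-WAN member.
# Same distance (default 10) keeps both routes active in the routing
# table; the lower priority value wins, so BGP (and any other traffic
# to the loopback) uses HUB1-VPN1 and fails over to HUB1-VPN2 when the
# first tunnel goes down. Using a different distance instead would
# install only the preferred route until it disappears.
config router static
    edit 11
        set dst 10.200.0.1 255.255.255.255
        set device "HUB1-VPN1"
        set priority 1
        set comment "Preferred path to Hub loopback for BGP"
    next
    edit 12
        set dst 10.200.0.1 255.255.255.255
        set device "HUB1-VPN2"
        set priority 10
        set comment "Backup path to Hub loopback for BGP"
    next
end
```

To confirm the result, check that both routes to the loopback are present and the preferred one is selected with `get router info routing-table all`, and that the neighbor comes up over the expected member with `get router info bgp summary`.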


Note that:

  • When changing the default administrative distance of static routes (the default value is 10), pay attention to how the new distance interacts in the routing table with routes that may be learned from other routing protocols.
  • The configuration change described affects BGP traffic only in the direction from the Spoke to the Hub, not the Hub's response.
  • Routes advertised from the Hub to the Spoke are also affected, because of the next-hop preference: in this scenario the BGP next hop is the Hub loopback, whose path is determined by the suggested configuration changes.