FortiGate
ppatel
Staff & Editor
Article Id 193341

Description

This article describes how to use the BGP backdoor option so that a FortiGate prefers a route learned via an IGP over the same route learned via EBGP.

Scope

FortiGate.

Solution

Diagram:

  • As illustrated, EBGP runs between 'FGT-A' and 'FGT-C' and between 'FGT-B' and 'FGT-C'.
  • As an example, consider an IGP running between 'FGT-A' and 'FGT-B'. It can be OSPF, IS-IS or RIP.
  • EBGP has an administrative distance of 20, which is lower than the distance of any IGP. The default IGP distances are:

[Image: table of default IGP administrative distances]

  • 'FGT-A' learns 172.16.20.0/24 via EBGP from 'FGT-C' (distance 20) and via the IGP from 'FGT-B' (distance greater than 20). 'FGT-A' therefore installs the EBGP route via 'FGT-C', because it has the lower distance.
  • However, the user wants 'FGT-A' to prefer the 172.16.20.0/24 route learned via the IGP from 'FGT-B'.
  • To make 'FGT-A' prefer the 172.16.20.0/24 route learned via RIP from 'FGT-B', use BGP backdoor.
  • Assume RIP is running between 'FGT-A' and 'FGT-B'.
  • Configure 'set backdoor enable' for network 172.16.20.0/24 under the BGP network configuration on 'FGT-A', since this is the network that should be preferred via the IGP.
  • With BGP backdoor enabled, the BGP-learned route for 172.16.20.0/24 is installed with distance 200, so 'FGT-A' installs the route learned from 'FGT-B' via RIP (distance 120).

FGT-B Configuration:

config router rip
    config network
        edit 1
            set prefix 172.16.20.0 255.255.255.0
        next
    end
end

FGT-A Configuration:

config router rip
    config network
        edit 1
            set prefix 172.16.10.0 255.255.255.0
        next
    end
end

config router bgp
    set as 10
    config neighbor
        edit "10.10.10.30"
            set ebgp-enforce-multihop enable
            set remote-as 30
            set update-source "loopback"
        next
    end
    config network
        edit 1
            set prefix 172.16.20.0 255.255.255.0
            set backdoor enable
        next
    end
end


Enabling the backdoor option causes the FortiGate to install the BGP-learned route with an administrative distance (AD) of 200, so the RIP route, with an AD of 120, is preferred over the BGP route. The same applies when the IGP is OSPF (AD 110): in the sample routing table below, the OSPF path is selected to reach the destination network.

B 172.16.20.0/24 [200/0] via ...
O *> 172.16.20.0/24 [110/101] via ...

In this case, the IGP route is selected because its administrative distance (120 for RIP, 110 for OSPF as shown) is lower than that of the backdoor BGP route (200).
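As an added example that is not part of the original article and is not FortiOS code, the following Python script models the route selection described above (lowest administrative distance wins: EBGP 20 beats RIP 120 until backdoor raises the BGP route to 200) and parses the [AD/metric] fields out of routing-table lines in the format shown above, checking that the installed entry really carries the lowest distance. The distance values are the ones quoted in this article; the RIP next hop and metric, and the 192.0.2.2 next hop in the sample output, are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Administrative distances quoted in the article: EBGP 20, OSPF 110, RIP 120,
# and 200 for a BGP route whose network has 'set backdoor enable'.
# Constructed lookup table for this example, not FortiOS output.
DEFAULT_DISTANCE = {"ebgp": 20, "ospf": 110, "rip": 120}
BACKDOOR_DISTANCE = 200


@dataclass(frozen=True)
class Candidate:
    prefix: str
    protocol: str
    next_hop: str
    distance: int
    metric: int = 0


def learned(prefix: str, protocol: str, next_hop: str,
            metric: int = 0, backdoor: bool = False) -> Candidate:
    """Build a candidate route. An EBGP route for a network configured with
    'set backdoor enable' is installed with distance 200 instead of 20."""
    distance = DEFAULT_DISTANCE[protocol]
    if protocol == "ebgp" and backdoor:
        distance = BACKDOOR_DISTANCE
    return Candidate(prefix, protocol, next_hop, distance, metric)


def select(candidates: List[Candidate]) -> Candidate:
    """Route the RIB installs: lowest administrative distance wins; the
    metric only breaks ties between candidates with the same distance."""
    return min(candidates, key=lambda c: (c.distance, c.metric))


def fgt_a_best_route(backdoor: bool) -> Candidate:
    """FGT-A from the article: 172.16.20.0/24 is offered by FGT-C over EBGP
    (neighbour 10.10.10.30 from the config) and by FGT-B over RIP. The RIP
    next hop label 'FGT-B' and its metric are constructed placeholders."""
    prefix = "172.16.20.0/24"
    return select([
        learned(prefix, "ebgp", "10.10.10.30", backdoor=backdoor),
        learned(prefix, "rip", "FGT-B", metric=1),
    ])


# One routing-table line in the format shown in the article, e.g.
#   B      172.16.20.0/24 [200/0] via ...
#   O  *>  172.16.20.0/24 [110/101] via ...
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z])\s+(?:(?P<flags>\*>)\s+)?"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
)


@dataclass(frozen=True)
class RibEntry:
    code: str
    prefix: str
    distance: int
    metric: int
    installed: bool   # '*>' marks the entry actually in the routing table


def parse_routing_table(text: str) -> List[RibEntry]:
    """Parse the [AD/metric] fields out of routing-table lines; lines that do
    not look like route entries (headers, legends) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            entries.append(RibEntry(m["code"], m["prefix"], int(m["ad"]),
                                    int(m["metric"]), m["flags"] == "*>"))
    return entries


def installed_has_lowest_distance(entries: List[RibEntry]) -> bool:
    """Sanity check for one prefix: exactly one entry is installed, and it
    carries the lowest administrative distance among all candidates."""
    installed = [e for e in entries if e.installed]
    if len(installed) != 1:
        return False
    best = min(entries, key=lambda e: e.distance)
    return installed[0].distance == best.distance


# Constructed sample reproducing the two routing-table lines from the article;
# 10.10.10.30 is the article's EBGP neighbour, 192.0.2.2 is a placeholder.
SAMPLE_OUTPUT = """\
B       172.16.20.0/24 [200/0] via 10.10.10.30
O   *>  172.16.20.0/24 [110/101] via 192.0.2.2
"""

if __name__ == "__main__":
    print("without backdoor:", fgt_a_best_route(False))
    print("with backdoor:   ", fgt_a_best_route(True))
    entries = parse_routing_table(SAMPLE_OUTPUT)
    for e in entries:
        print(e)
    print("installed route has lowest AD:", installed_has_lowest_distance(entries))
```

Running the script shows the EBGP route (distance 20) winning without backdoor and the RIP route (distance 120) winning once the BGP route is demoted to 200, which is the behaviour the configuration above produces on 'FGT-A'.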