FortiGate
ppatel
Staff & Editor
Article Id 193341

Description

This article describes the use of BGP backdoor to prefer IGP-learned routes over EBGP-learned routes.

Scope

FortiGate.

Solution

The 'Backdoor Feature' is often used to raise the administrative distance of an eBGP route to 200 so that the IGP-learned route to the same prefix is preferred. A backdoor network is treated as a local network, except that it is not advertised. It is configured with the network backdoor BGP command ('set backdoor enable' under the BGP network entry).

Diagram:

  • As illustrated, EBGP is running between 'FGT-A' and 'FGT-C' as well as 'FGT-B' and 'FGT-C'.
  • As an example, consider an IGP protocol running between 'FGT-A' and 'FGT-B'. It can be OSPF, IS-IS, or RIP protocol.
  • EBGP has a distance of 20, which is less than the IGP distances. The IGP protocol default distances are:

[Image Stephen_G_0-1753287666893.png not reproduced.]

  • 'FGT-A' learns 172.16.20.0/24 via 'FGT-C' over EBGP (distance 20) and via IGP from 'FGT-B' with a distance greater than 20. Hence, 'FGT-A' installs the route via 'FGT-C' EBGP, as it has the lower distance.
  • However, the user wants 'FGT-A' to prefer the 172.16.20.0/24 route learned via IGP (RIP in this example) from 'FGT-B'. BGP backdoor is used to achieve this.
  • Assume RIP is the IGP running between 'FGT-A' and 'FGT-B'.
  • Configure 'set backdoor enable' for network 172.16.20.0/24 under the 'FGT-A' BGP network configuration, as the user wants to prefer this network via IGP.
  • With the BGP backdoor enabled, the EBGP route's distance is raised to 200, so 'FGT-A' installs the 172.16.20.0/24 route learned from 'FGT-B' via RIP (distance 120).

FGT-B Configuration:

config router rip
    config network
        edit 1
            set prefix 172.16.20.0 255.255.255.0
        next
    end
end

FGT-A Configuration:

config router rip
    config network
        edit 1
            set prefix 172.16.10.0 255.255.255.0
        next
    end
end

config router bgp
    set as 10
    config neighbor
        edit "10.10.10.30"
            set ebgp-enforce-multihop enable
            set remote-as 30
            set update-source "loopback"
        next
    end
    config network
        edit 1
            set prefix 172.16.20.0 255.255.255.0
            set backdoor enable
        next
    end
end


By enabling the FortiGate backdoor feature, the administrative distance (AD) of the backdoor BGP route becomes 200, so an IGP route such as the RIP route (AD 120) or an OSPF route (AD 110) is preferred over the BGP route. In the routing-table output below, the IGP in use is OSPF, so the routing table selects the OSPF path to reach the destination network.

B 172.16.20.0/24 [200/0] via ...
O *> 172.16.20.0/24 [110/101] via ...


In the RIP example above, the RIP route is selected for the same reason: its administrative distance (120) is lower than that of the backdoor BGP route (200).
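The following Python script is an added example, not Fortinet code: it parses a FortiOS-style configuration for networks flagged with 'set backdoor enable' and then applies the distance comparison described above (eBGP 20 raised to 200 for a backdoor network, RIP 120) to show which candidate route FGT-A installs. The configuration text, next-hop addresses and candidate list are constructed for the example.

```python
import ipaddress

# FortiOS default ADs from the page (eBGP 20, OSPF 110, RIP 120) plus the usual iBGP default
DEFAULT_AD = {"ebgp": 20, "ospf": 110, "rip": 120, "ibgp": 200}
BACKDOOR_AD = 200  # AD FortiOS applies to an eBGP route whose network has 'set backdoor enable'

def backdoor_prefixes(config: str) -> set:
    """CIDR prefixes under 'config router bgp' -> 'config network' with 'set backdoor enable'."""
    found, stack, entry = set(), [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit":
            entry = {"backdoor": False}
        elif words[0] == "set" and entry is not None and words[1] == "prefix":
            entry["prefix"] = str(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
        elif words[0] == "set" and entry is not None and words[1] == "backdoor":
            entry["backdoor"] = words[2] == "enable"
        elif words[0] == "next" and entry is not None:
            # Only the BGP 'network' table counts; RIP networks and BGP neighbors are ignored
            if entry["backdoor"] and "prefix" in entry and stack[-2:] == ["router bgp", "network"]:
                found.add(entry["prefix"])
            entry = None
    return found

def select_route(prefix: str, candidates: list, backdoors: set) -> tuple:
    """Install the (protocol, next_hop) candidate with the lowest AD, treating an eBGP
    route to a backdoor network as AD 200; returns (protocol, next_hop, ad)."""
    def ad(c):
        return BACKDOOR_AD if c[0] == "ebgp" and prefix in backdoors else DEFAULT_AD[c[0]]
    best = min(candidates, key=ad)
    return best[0], best[1], ad(best)

# Constructed FGT-A BGP config in the shape of the article's example (neighbor block omitted)
FGT_A = """config router bgp
 set as 10
 config network
  edit 1
   set prefix 172.16.20.0 255.255.255.0
   set backdoor enable
  next
 end
end"""
# Constructed candidates for 172.16.20.0/24: eBGP from FGT-C, RIP from FGT-B
CANDIDATES = [("ebgp", "10.10.10.30"), ("rip", "10.0.0.2")]
```

Calling select_route with an empty backdoor set installs the eBGP route at AD 20; passing backdoor_prefixes(FGT_A) raises that route to 200 and the RIP route (AD 120) is installed instead, while a prefix not flagged as backdoor still prefers eBGP.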