FortiGate
akushwaha
Staff
Article Id 397923
Description This article describes the situation where, because of Reverse Path Forwarding (RPF) checks, the FortiGate needs a default BGP route on each of two external interfaces. The setup must satisfy these requirements: incoming traffic is permitted on both interfaces (port1 and port2), while outgoing traffic must use port1 exclusively, so ECMP is not wanted.
Scope FortiGate.
Solution

In the setup below, eBGP is configured between the FortiGate and the two ISPs:

 

EBGP.png

 

The FortiGate receives a default route from both ISPs through BGP with the same administrative distance (AD) of 20 and the same priority (1):

BGP1.png

 

The recommended approach is to configure a different priority for each default route. The route with the lowest priority value becomes the best route and is used as the primary path.

This can be achieved with the following configuration:


Configure a prefix list matching the default route:


config router prefix-list
    edit "Default-Route"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end

 

Configure two route-maps, one per ISP, and set the priority in each:

 

config router route-map
    edit "ISP-1"
        config rule
            edit 1
                set match-ip-address "Default-Route"
                set set-priority 100     --> Route priority for ISP-1.
            next
        end
    next
end

config router route-map
    edit "ISP-2"
        config rule
            edit 1
                set match-ip-address "Default-Route"
                set set-priority 200     --> Route priority for ISP-2.
            next
        end
    next
end

 

Apply the route-map to each BGP neighbor:

 

config router bgp
    config neighbor
        edit "10.5.139.114"
            set route-map-in "ISP-1"
        next
        edit "10.5.209.34"
            set route-map-in "ISP-2"
        next
    end
end

In most environments, when setting the priority in a BGP route-map, the 'recursive-inherit-priority' setting should also be disabled in the BGP configuration. Otherwise the priority assigned in the route-map can be overwritten by the priority of the route used to resolve the next hop to an egress interface.

 

config router bgp
    set recursive-inherit-priority disable
end
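The following is an added illustration, not part of the article or FortiOS: a small Python model of why the two default routes coexist with a single egress path. It assumes the selection order the article relies on (lowest AD, then lowest priority, with remaining ties forming an ECMP set) and the default loose RPF check, which only requires some route back to the source via the ingress interface; the route tables and the source/destination addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    distance: int    # administrative distance (eBGP = 20)
    priority: int    # FortiOS route priority, lower is preferred
    interface: str   # egress interface
    nexthop: str


def matching_routes(table, dst):
    """Routes whose prefix covers dst (longest prefix wins)."""
    addr = ip_address(dst)
    hits = [r for r in table if addr in ip_network(r.prefix)]
    if not hits:
        return []
    longest = max(ip_network(r.prefix).prefixlen for r in hits)
    return [r for r in hits if ip_network(r.prefix).prefixlen == longest]


def egress_candidates(table, dst):
    """Modelled selection: lowest distance, then lowest priority.
    More than one survivor means ECMP across those routes."""
    hits = matching_routes(table, dst)
    if not hits:
        return []
    best_ad = min(r.distance for r in hits)
    hits = [r for r in hits if r.distance == best_ad]
    best_prio = min(r.priority for r in hits)
    return [r for r in hits if r.priority == best_prio]


def rpf_loose_ok(table, src, ingress):
    """Loose RPF: any route to src via the ingress interface is enough;
    it does not have to be the best route."""
    return any(r.interface == ingress for r in matching_routes(table, src))


# Constructed tables: both ISPs advertise 0.0.0.0/0 with AD 20,
# before and after the route-maps assign priorities 100 and 200.
BEFORE = [Route("0.0.0.0/0", 20, 1, "port1", "10.5.139.114"),
          Route("0.0.0.0/0", 20, 1, "port2", "10.5.209.34")]
AFTER = [Route("0.0.0.0/0", 20, 100, "port1", "10.5.139.114"),
         Route("0.0.0.0/0", 20, 200, "port2", "10.5.209.34")]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        out = [r.interface for r in egress_candidates(table, "203.0.113.9")]
        print(name, "egress:", out, "(ECMP)" if len(out) > 1 else "(single)")
        print(name, "RPF on port2:", rpf_loose_ok(table, "198.51.100.7", "port2"))
```

With equal priorities the model returns both interfaces (ECMP); after the route-maps only port1 remains for egress, while the loose RPF check still passes on port2 because its default route is still in the table.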

 

Note: After applying the route-maps, perform a soft reset of the BGP neighbors so the routing table is refreshed. See the article Technical Tip: BGP soft reset to refresh BGP routing table.

 

Run one of the following commands to soft reset the incoming routes:

 

execute router clear bgp ip A.B.C.D soft in
execute router clear bgp ip A.B.C.D in

 

Here, A.B.C.D is the neighbor's IP address.

 

The default routes are now installed with different priority values:

BGP2.png

 

Note: If the routes are not visible, the following BGP debug commands can be used for troubleshooting:

 

diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable

 

To stop the debug output:

 

diagnose debug reset