FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
mricardez
Staff
Article Id 414055
Description This article explains how to add another BGP peer out of the SD-WAN provisioning templates.
Scope FortiManager v7.4 and 7.6.
Solution

FortiManager v7.4 and FortiManager 7.6 use the SD-WAN Overlay Template wizard to create all the SD-WAN Provisioning Templates for FortiGate HUB & Spoke network deployments.

 

This article focuses on the Single HUB network topology, but the procedure can be used with the other available topologies.

 

In some network deployments, there is a requirement to have external BGP peers that are outside the FortiGate SD-WAN domain.

 

To implement it when an SD-WAN deployment via FortiManager already exists, use the SD-WAN Provisioning Templates as follows:

 


After the SD-WAN Overlay Template wizard has been completed and installed, FortiManager will have two Template Groups: SDWAN_Fabric_HUB1 and SDWAN_Fabric_BRANCH. Each of them is associated with multiple Provisioning Templates (e.g. IPsec Tunnel Template, BGP Template, SD-WAN Template, Static Route Template, etc.).

 

In FortiManager 7.4, go to Device Manager -> Provisioning Templates -> Template Group.
In FortiManager 7.6, go to SD-WAN Manager -> Template Group.

 

The Template Groups are associated with the FortiGate in accordance with their roles: HUB or BRANCH.

 


Because the SDWAN_Fabric_BRANCH is associated with two spokes, any change to the template will affect the other spokes, so another Template Group is needed.

 

  1. Clone the Template Group SDWAN_Fabric_BRANCH, associate Clone_SDWAN_Fabric_BRANCH with the spoke that has the additional BGP peer, and associate the remaining spokes with the Template Group SDWAN_Fabric_BRANCH.


  2. Clone the BGP Template SDWAN_Fabric_BRANCH_BGP in order to ensure that Clone_SDWAN_Fabric_BRANCH_BGP will have the additional BGP Peer.

 


  3. Associate the BGP Template Clone_SDWAN_Fabric_BRANCH_BGP with the Template Group Clone_SDWAN_Fabric_BRANCH_BGP and Install Device Settings to the FortiGate BRANCH.

 


  4. Instead of adding the BGP peer to the BGP Template, it is also possible to use a CLI Script.

  5. Repeat step 1.

  6. Create a CLI Template Script with the new BGP Peer, for example SDWAN_Fabric_BRANCH_CLI_AdditionalBGP.

 


  7. Clone the CLI Template Group SDWAN_Fabric_BRANCH_CLIGRP and add the CLI Template Script previously created in step 6.


  8. Associate the Clone of SDWAN_Fabric_BRANCH_CLIGRP with the Template Group Clone_SDWAN_Fabric_BRANCH and Install Device Settings to the FortiGate BRANCH.

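
A sketch of what the CLI Template Script from step 6 could contain, added here as an example and not taken from the original article or from Fortinet: it defines the external peer together with an inbound prefix filter, a prefix limit and session authentication, so that a peer outside the SD-WAN domain can only advertise the routes it is expected to. The peer address 192.0.2.1, AS 65010, the prefix 10.20.0.0/16, the list name EXT_PEER_IN, the prefix limit and the password placeholder are all constructed values.

```fortios
# Added example (not from the original article); every value is a constructed placeholder.

# Inbound filter: accept only the range the external peer is expected to advertise.
# A prefix list ends with an implicit deny, so anything else is dropped.
config router prefix-list
    edit "EXT_PEER_IN"
        config rule
            edit 1
                set action permit
                set prefix 10.20.0.0 255.255.0.0
                unset ge
                set le 24
            next
        end
    next
end

# Additional BGP peer outside the SD-WAN domain.
config router bgp
    config neighbor
        edit "192.0.2.1"
            set description "External peer outside the SD-WAN domain"
            set remote-as 65010
            # Session authentication; replace with the secret agreed with the peer.
            set password "<shared-secret-placeholder>"
            # Apply the inbound filter defined above.
            set prefix-list-in "EXT_PEER_IN"
            # Cap the number of prefixes accepted from this peer.
            set maximum-prefix 100
            # Allow policy changes to take effect without resetting the session.
            set soft-reconfiguration enable
        next
    end
end
```

The `#` lines are annotations for the reader and can be removed before the script is saved in the CLI Template.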