Fortinet Forum
New Contributor

BGP Question



So we are getting two internet connections (Primary/Secondary) from a Single Service Provider. SP provides a single Public ASN.

He provides two sets of /30 addresses for the two interfaces and a single /29 LAN Subnet.


Need to terminate the two links directly on the Fortinet Firewall and configure BGP with the same public ASN number for both the links. How can I do this?


Thanks a ton. Will be a lot of help if someone throws light.

Valued Contributor

It is actually quite a simple setup, even if you haven't configured BGP before:


  1. Set up Fortigate (FGT) WAN interfaces with relevant /30 IPs and verify the links and IPs work fine - pinging point-to-point, loading line with laptop if it is a new line.
  2. Configure BGP on the FGT

Regarding BGP - as this is a small (/29) pool, it means you are getting Provider Assigned (PA) IPs, not your own AS numbered, so you will have to set a private AS on your side, say 65001. Also, you should ask your provider whether you need to add AS path prepends for the /29 you advertise via the Backup line, or whether they will do this backup/main line manipulation on their side. If they say you should advertise the /29 with prepends over the Backup line, this will add a route-map config on your FGT. If not, it is the most basic setup of all.


E.g. let's say Main Line IP is and is set on port1 in FGT, and Backup line is on the port2 in FGT, AS number of your ISP is AS 1680, and you advertise which is configured as directly connected on the FGT, then:


Interface config:


config system interface
    edit port1
        set ip
    next
    edit port2
        set ip
    next
end

1. Route-map to add prepends

config router route-map
    edit "prepend-out"
        config rule
            edit 1
                set set-aspath "65001 65001"
            next
        end
    next
end

2. BGP neighboring


config router bgp
    set as 65001
    config neighbor
        edit ""
            set remote-as 1680
            set weight 10
        next
        edit ""
            set remote-as 1680
            set route-map-out "prepend-out"
        next
    end
    config redistribute "connected"
        set status enable
    end
end


That is it.


N.B. Example is taken verbatim from my blog post, there are more case scenarios there 











Yuri blog: All things Fortinet, no ads.

All opinions are mine only.
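
Added example, not part of the original post or the author's blog: a small Python model of why `set weight 10` on the main neighbor and the "prepend-out" route-map on the backup neighbor keep traffic on the main line in both directions, and what happens when the main line fails. It assumes the ISP advertises one route (for instance a default) over each session and applies the same local-preference to both; the names `Route`, `isp_view`, `fgt_view` and `traffic_paths` are made up for the illustration.

```python
from dataclasses import dataclass

LOCAL_AS = 65001                      # private AS used in the post
PREPEND = (65001, 65001)              # set-aspath "65001 65001" in "prepend-out"
WEIGHTS = {"main": 10, "backup": 0}   # set weight 10 on the main neighbor only

@dataclass(frozen=True)
class Route:
    via: str               # link the route was learned over: "main" or "backup"
    as_path: tuple         # AS_PATH as received
    weight: int = 0        # local to the receiving router, never advertised
    local_pref: int = 100  # assumption: ISP uses the same value on both sessions

def decision_key(r):
    """Simplified BGP best-path order: highest weight, then highest local-pref,
    then shortest AS_PATH. Later tie-breakers (origin, MED, ...) are omitted."""
    return (-r.weight, -r.local_pref, len(r.as_path))

def best_path(routes):
    return min(routes, key=decision_key) if routes else None

def isp_view(links_up, prepend_on_backup=True):
    """Routes for the /29 as the ISP receives them from the FortiGate."""
    routes = []
    for link in links_up:
        path = (LOCAL_AS,)            # local AS is added on every eBGP advertisement
        if link == "backup" and prepend_on_backup:
            path = PREPEND + path     # route-map-out "prepend-out"
        routes.append(Route(link, path))
    return routes

def fgt_view(links_up, isp_as=1680):
    """Route as the FortiGate learns it from each ISP neighbor (assumed one each)."""
    return [Route(l, (isp_as,), weight=WEIGHTS[l]) for l in links_up]

def traffic_paths(links_up, prepend_on_backup=True):
    """Return (outbound link chosen by the FGT, inbound link chosen by the ISP)."""
    out = best_path(fgt_view(links_up))
    inbound = best_path(isp_view(links_up, prepend_on_backup))
    return (out.via if out else None, inbound.via if inbound else None)

if __name__ == "__main__":
    for up in (["main", "backup"], ["backup"]):
        print(up, "->", traffic_paths(up))
```

Without the prepend, both ISP-side routes tie on the attributes modelled here, so the inbound link is decided by later tie-breakers rather than by your configuration.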