First off, I am no BGP expert but I do have it set up and working fine advertising routes to our MPLS provider. The problem is that all the FortiGates on our network show the distance of the learned BGP routes as 20, the default value from the documents I've found. I would like to be able to advertise the same network at two different sites but one having a higher distance (backup route). The only way I have been able to modify the BGP distance is by applying an access rule at one of the sites. The biggest problem is that this seems to only affect incoming

1st off, your thinking is right. You can't modify the distance on an outgoing route. Distance is internal and not a BGP well-known attribute. 2nd, what you need to look at is to set as_path_prepend, or if internal to the same ISP provider, you set metrics for the path that you want to prefer. 3rd, if you're peering with 2 different providers, then you can't 100% control how someone routes into you. I would suggest you review the FGT routing documentation.
PCNSE
NSE
StrongSwan
-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
ddskier wrote:
    You can make one BGP route look longer by using "Route-Maps" and weights (e.g. prepend the route). See example below (the xxx is your ASN number):

        config router route-map
            edit "xxx-routemap"
                config rule
                    edit 1
                        set set-aspath "xxx xxx xxx xxx xxx"
                    next
                end
            next
        end
        config router bgp
            config neighbor
                edit "1.2.3.4"
                    set remote-as <Vendor 1 Supplied ASN>
                    set weight 200
                next
                edit "2.3.4.5"
                    set remote-as <Vendor 2 Supplied ASN>
                    set route-map-out "xxx-routemap"
                    set weight 100
                next
            end
        end
Does anyone know if this is still the best way to influence one route over another for outbound traffic? Thanks in advance.
*auto-sig* rb400 << FGT (v6.2.x)
local_pref, weights for traffic outbound (from your perspective)
as_path prepending for traffic inbound (from your perspective)
metrics for traffic inbound if you have 2 links to the same ISP (it stays within the ISP; metrics are localized and non-transit between ISPs)
Ken
emnoc wrote:
    local_pref, weights for traffic outbound (from your perspective)
    as_path prepending for traffic inbound (from your perspective)
    metrics for traffic inbound if you have 2 links to the same ISP (it stays within the ISP; metrics are localized and non-transit between ISPs)
    Ken
NOTE: It is extremely possible I do not understand local_pref and prepending. Worst case, I am in the wrong discussion string.
Scenario: we are using BGP (outside connections) and VDOMs, our root vdom is as follows:
Interface#port23 (neighbor 33333) is a 200Mbps fiber connection
Interface#port24 (neighbor 44444) is a 100Mbps fiber connection
interface#port24 seems to be overloaded with inbound (our perspective) traffic, hence it drops packets.
interface#port23 has headroom for more traffic but is fat and happy.
See typical workweek bandwidth consumption in image listed below (link will expire in < 15 days or when question is answered):
https://drive.google.com/...VMWvJU5SkhjVWg0X1ZDUVE
I tried suggestions using weight and route-map-out without any success. The weight setting seems not to have made any improvements. Route-map-out was applied to interface#port23 and it eliminated all INBOUND traffic, hence I pulled the route-map-out setting from port#23. The image link listed below is a picture of the gap when route-map-out was set:
https://drive.google.com/open?id=0Bzn6iVMWvJU5ZFB2SjlwbTRSTk0
(editor's note for the gap-image: yes, the "added added" is wrong, one "added" is sufficient)
ALL IP numbers except the zeroes and all ASNs have been altered.
Based on my edited settings below, it seems interface#port24 is the "default" route and interface#port23 is only routing 33.0.0.0/14 traffic (my loose interpretation from my static-route type of knowledge).
    config neighbor
        edit "23.23.23.121"
            set remote-as 33333
            set send-community6 disable
            set weight 100
        next
        edit "24.24.24.225"
            set remote-as 44444
            set send-community6 disable
            set weight 200
        next
    end

    interface#PORT23# get router info bgp neighbors 23.23.23.121 advertise
    BGP table version is 13, local router ID is 111.222.196.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network           Next Hop       Metric LocPrf Weight Path
    *> 33.0.0.0/14       23.23.23.122        0               33333 i
    *> 111.222.135.0     23.23.23.122           100   32768  i
    *> 111.222.195.0     23.23.23.122           100   32768  i
    *> 111.222.196.0     23.23.23.122           100   32768  i

    Total number of prefixes 4

    interface#PORT24# get router info bgp neighbors 24.24.24.225 advertise
    BGP table version is 14, local router ID is 111.222.196.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network           Next Hop       Metric LocPrf Weight Path
    *> 0.0.0.0/0         24.24.24.226        0               44444 i
    *> 111.222.135.0     24.24.24.226           100   32768  i
    *> 111.222.195.0     24.24.24.226           100   32768  i
    *> 111.222.196.0     24.24.24.226           100   32768  i

    Total number of prefixes 4
BEST way to push more traffic to interface#port23 to best utilize the 200Mbps pipe? The ISP (44444) attached to Interface#port24 is dropping packets when the bandwidth consumption reaches the 100Mbps.
*auto-sig* rb400 << FGT (v6.2.x)
ORIGINAL: emnoc
    I would caution the use of weights. Weights are not a known BGP attribute for path selection outside of your ASN. AS_path prepend, traffic policy management via provider community-sets, and metrics are the only options you have.

I believe in this case the weight attribute is used by the firewall for which outbound route is preferred. Helps keep all outbound and inbound traffic using the same connection.
-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
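To make the distinction emnoc and DDSkier draw concrete, here is an added Python simulator (not from the thread and not FortiOS code) of the BGP decision order reduced to the attributes discussed above: weight and local_pref are compared only on the local box, AS_PATH length is what a remote network compares, and MED is compared only between paths from the same neighbor AS. It replays rb400's two-neighbor tables (AS 33333 on port23, AS 44444 on port24); the local AS 65000, the peer labels and the weight/MED values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Path:
    prefix: str
    neighbor: str           # peer the path was learned from
    as_path: list = field(default_factory=list)
    weight: int = 0         # local-only knob, never advertised to peers
    local_pref: int = 100   # local-only knob, never leaves your AS
    med: int = 0            # compared only between paths from the same neighbor AS

def best_path(paths):
    """Decision order reduced to what the thread discusses:
    highest weight > highest local_pref > shortest AS_PATH > lowest MED."""
    def key(p): return (-p.weight, -p.local_pref, len(p.as_path))
    ranked = sorted(paths, key=key)
    top = [p for p in ranked if key(p) == key(ranked[0])]
    if len(top) > 1 and len({p.as_path[0] for p in top if p.as_path}) == 1:
        top.sort(key=lambda p: p.med)   # same neighbor AS: lower MED wins
    return top[0]                       # remaining ties (router ID etc.) not modelled

def outbound_as_received():
    """rb400's tables: each prefix arrives from one neighbor only, so the
    weight 100 vs 200 setting is never compared and changes nothing."""
    default = [Path("0.0.0.0/0", "24.24.24.225", [44444], weight=200)]
    block = [Path("33.0.0.0/14", "23.23.23.121", [33333], weight=100)]
    return best_path(default).neighbor, best_path(block).neighbor

def outbound_with_default_from_both(port23_weight):
    """Only if both ISPs send a default route does weight (or local_pref)
    steer outbound traffic; port23 wins once its weight exceeds 200."""
    paths = [Path("0.0.0.0/0", "24.24.24.225", [44444], weight=200),
             Path("0.0.0.0/0", "23.23.23.121", [33333], weight=port23_weight)]
    return best_path(paths).neighbor

def inbound_seen_by_remote_as(prepend_toward, prepends=3):
    """View from a remote AS of the FortiGate's own prefix (local AS 65000 is
    a constructed placeholder). Weight is not carried, only AS_PATH length,
    so prepending on the route-map-out toward one ISP shifts inbound traffic
    to the other ISP. Returns the neighbor AS the remote network will use."""
    def via(isp):
        extra = prepends if isp == prepend_toward else 0
        return Path("111.222.196.0/24", f"via-{isp}", [isp] + [65000] * (1 + extra))
    return best_path([via(33333), via(44444)]).as_path[0]
```

Prepending toward AS 44444 pulls inbound traffic onto the 200 Mbps port23 link; prepending toward AS 33333 (the route-map-out rb400 applied to port23) does the opposite, which matches the inbound gap seen in the thread.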