Hi,
I'm migrating from static routing to BGP and adding a second MPLS, and I've only used RIP.
So when the primary WWW & WAN fail we'd fail over to the secondary WWW & WAN. We don't have control over the primary and secondary routers, just our FortiGates, and have been provided BGP details.
The BGP details are below, and I'm looking for guidance on getting this BGP info (also prepending) configured in our 300D (active-passive), 6.2.5.
WWW VLANs are in SD-WAN.
Primary WAN/WWW
WAN Pri Vlan v820
Remote IP x.x.x.66/31
remote AS 420000053
Our IP x.x.x.67/31
Our AS 420000207
No prepending
WWW Pri Vlan 810
Remote IP x.x.x.8/31
remote AS 420000051
Our IP x.x.x.9/31
Our AS 420000208
No prepending
Secondary WAN/WWW
WAN Sec Vlan 821
Remote IP x.x.x.60/31
remote AS 420000053
Our IP x.x.x.61/31
Our AS 420000207
Prepend x2
WWW Sec Vlan 811
Remote IP x.x.x.2/31
remote AS 420000053
Our IP x.x.x.3/31
Our AS 420000208
Prepend x2
Thanks,
We don't regularly use AS prepend, so basically I would do what you need to do in case it's required: an Internet search! I found two KBs.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD39448
https://kb.fortinet.com/kb/documentLink.do?externalID=FD31868
Both use 2-byte private ASNs, but in your case they are 4-byte ones (42xxxxxxx). It's just a number difference, so don't worry. You just need to get used to how to use route-maps and set up neighbors. The key requirement is that you seem to be expected to append the same ASN on the secondary side at least two times (I would add three or more, which shouldn't hurt) when you advertise your local routes over the secondary.
For the route-receiving side, the second KB uses local preference to set a higher preference on the primary side. We usually set local preference lower on the secondary side instead. Either way would work.
So you need to take care of both the advertisement side and the receiving side. Once you get used to those, you will realize there are multiple ways to accomplish your goal.
Update: We managed to get this going with the config below.
I have another question: We need to restrict receiving & sending all routes over the WWW Pri & WWW Sec internet interfaces and only accept the default route advertised.
We also have some public address ranges provided by our ISP (previously routed to us using static routes on their core), but we now need to advertise these public ranges to them. These are not configured on connected interfaces on our FortiGate.
Any help or a pointer in the right direction would be appreciated.
Config used for the BGP setup:
    config router route-map
        edit "Secondary_ISP_WWW"
            config rule
                edit 1
                    set set-aspath "4200002028 4200002028 4200002028"
                next
            end
        next
    end
    config router route-map
        edit "Secondary_ISP_WAN"
            config rule
                edit 1
                    set set-aspath "4200002027 4200002027 4200002027"
                next
            end
        next
    end
Route-map that sets higher local preference for prefixes received from the Primary ISP:
    config router route-map
        edit "Primary_ISP_WWW"
            config rule
                edit 1
                    set set-local-preference 200
                    set set-aspath "4200002028"
                next
            end
        next
    end
    config router route-map
        edit "Primary_ISP_WAN"
            config rule
                edit 1
                    set set-local-preference 200
                    set set-aspath "4200002027"
                next
            end
        next
    end
The route-maps are applied to both BGP neighbors:
    config router bgp
        set as 4200002027
        config neighbor
            edit "x.x.x.66"
                set remote-as 4200000533
                set local-as 4200002027
                set route-map-in "Primary_ISP_WAN"
            next
            edit "x.x.x.60"
                set remote-as 4200000533
                set local-as 4200002027
                set route-map-out "Secondary_ISP_WAN"
            next
        end
    end
    config router bgp
        set as 4200002028
        config neighbor
            edit "x.x.x.8"
                set remote-as 4200000531
                set route-map-in "Primary_ISP_WWW"
            next
            edit "x.x.x.2"
                set remote-as 4200000531
                set route-map-out "Secondary_ISP_WWW"
            next
        end
    end
You need to split route-maps to 1) receiving and 2) advertisement, then 1) is applied to "route-map-in" and 2) is applied to "route-map-out" for each neighbor.
Obviously the local pref setting is in 1), then AS prepending is in 2) like in the KB: https://kb.fortinet.com/k....do?externalID=FD39448
To accept only the default route in 1), you can do it like below:
    config router prefix-list
        edit "DEFAULT_ROUTE"
            config rule
                edit 1
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
            end
        next
    end
    config router route-map
        edit "DEFAULT_ONLY_P"
            config rule
                edit 1
                    set match-ip-address "DEFAULT_ROUTE"
                    set set-local-preference 200
                next
            end
        next
        edit "DEFAULT_ONLY_S"
            config rule
                edit 1
                    set match-ip-address "DEFAULT_ROUTE"
                next
            end
        next
    end
Then use these with the "set route-map-in" statement for each neighbor.
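As an added worked example (not from this thread, Fortinet, or either KB), here is how the pieces described above fit together for a single BGP instance on a FortiGate: one prefix-list that matches only the default route, an inbound route-map per neighbor that accepts only that prefix and sets local-preference (higher on the primary), and an outbound route-map that prepends the local ASN only on the secondary. The local AS 4200002027, the ISP AS 4200000533, the neighbor addresses 192.0.2.66 and 192.0.2.60, and the 203.0.113.0/24 public range are all placeholders. The second prefix-list, "OUR_PUBLIC_PREFIXES", which limits what is advertised, is an extra guard that the posts above do not mention.

```fortios
# Added example; not the poster's configuration. All ASNs and addresses are placeholders.

config router prefix-list
    edit "DEFAULT_ROUTE"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    # Placeholder for the public range that must be advertised to the ISP
    edit "OUR_PUBLIC_PREFIXES"
        config rule
            edit 1
                set prefix 203.0.113.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    # Inbound (route-map-in): a route that matches no rule is dropped,
    # so only the default route is accepted from either neighbor.
    edit "IN_PRIMARY"
        config rule
            edit 1
                set match-ip-address "DEFAULT_ROUTE"
                set set-local-preference 200
            next
        end
    next
    edit "IN_SECONDARY"
        config rule
            edit 1
                set match-ip-address "DEFAULT_ROUTE"
                set set-local-preference 100
            next
        end
    next
    # Outbound (route-map-out): advertise only our own prefixes;
    # prepending goes here, never on the inbound map.
    edit "OUT_PRIMARY"
        config rule
            edit 1
                set match-ip-address "OUR_PUBLIC_PREFIXES"
            next
        end
    next
    edit "OUT_SECONDARY"
        config rule
            edit 1
                set match-ip-address "OUR_PUBLIC_PREFIXES"
                set set-aspath "4200002027 4200002027"
            next
        end
    next
end

config router bgp
    set as 4200002027
    # Allows a network statement to be advertised even though the prefix
    # has no matching entry in the FortiGate routing table
    set network-import-check disable
    config neighbor
        edit "192.0.2.66"
            set remote-as 4200000533
            set route-map-in "IN_PRIMARY"
            set route-map-out "OUT_PRIMARY"
        next
        edit "192.0.2.60"
            set remote-as 4200000533
            set route-map-in "IN_SECONDARY"
            set route-map-out "OUT_SECONDARY"
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end
```

Two checks worth running after applying something like this: "get router info bgp neighbors 192.0.2.66 received-routes" should show only 0.0.0.0/0, and "get router info bgp neighbors 192.0.2.66 advertised-routes" should show only the prefixes in "OUR_PUBLIC_PREFIXES". With network-import-check disabled, a mistyped network statement would be advertised as well, which is why the outbound prefix-list acts as a second guard.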
Hi,
I've updated the config below to include the default route. Is this correct?
I need to make sure the following also works:
We have also been asked to advertise the following subnets on our internet-facing interfaces Primary_ISP_WWW & Secondary_ISP_WWW.
I need to advertise the routes below to our ISP. These IPs are for our internal websites behind the FortiGate, with local IP ranges 10.x.x.0/24.
These routes have no connected interface on the FortiGate. We just had DNAT rules to the internal IP addresses of our web servers.
Help on the final tweaks would be great! Toshi thanks for all your help so far.
Config updated to accept only the default route on "Primary_ISP_WWW" & "Secondary_ISP_WWW":
To accept only the default route in 1):
    config router prefix-list
        edit "DEFAULT_ROUTE"
            config rule
                edit 1
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
            end
        next
    end
    config router route-map
        edit "Secondary_ISP_WWW"
            config rule
                edit 1
                    set set-aspath "4200002028 4200002028 4200002028"
                    set match-ip-address "DEFAULT_ROUTE"
                next
            end
        next
    end
    config router route-map
        edit "Secondary_ISP_WAN"
            config rule
                edit 1
                    set set-aspath "4200002027 4200002027 4200002027"
                next
            end
        next
    end
Route-map that sets higher local preference for prefixes received from the Primary ISP:
    config router route-map
        edit "Primary_ISP_WWW"
            config rule
                edit 1
                    set set-local-preference 200
                    set match-ip-address "DEFAULT_ROUTE"
                    set set-aspath "4200002028"
                next
            end
        next
    end
    config router route-map
        edit "Primary_ISP_WAN"
            config rule
                edit 1
                    set set-local-preference 200
                    set set-aspath "4200002027"
                next
            end
        next
    end
The route-maps are applied to both BGP neighbors:
    config router bgp
        set as 4200002027
        config neighbor
            edit "x.x.x.66"
                set remote-as 4200000533
                set local-as 4200002027
                set route-map-in "Primary_ISP_WAN"
            next
            edit "x.x.x.60"
                set remote-as 4200000533
                set local-as 4200002027
                set route-map-out "Secondary_ISP_WAN"
            next
        end
    end
    config router bgp
        set as 4200002028
        config neighbor
            edit "x.x.x.8"
                set remote-as 4200000531
                set route-map-in "Primary_ISP_WWW"
            next
            edit "x.x.x.2"
                set remote-as 4200000531
                set route-map-out "Secondary_ISP_WWW"
            next
        end
    end
If I add this config to the above, would it advertise the required routes below to my ISP?
    # get | grep network-import-check
    network-import-check: enable
    config router bgp
        config network
            edit 1
                set prefix 201.x.x.24 255.255.255.248
            next
            edit 2
                set prefix 201.x.x.192 255.255.255.248
            next
            edit 3
                set prefix 201.x.x.16 255.255.255.248
            next
            edit 4
                set prefix 101x.x.224 255.255.255.240
            next
        end
    end
It was mentioned that this is required to be disabled to advertise the routes, as they don't have a connected interface:
    config router bgp
        set network-import-check disable
    end
I didn't realize you have two FGTs terminating different VLANs/circuits. Then Internet peering and WAN peering have separate sets of AS numbers. I don't think you can have multiple BGP instances (different ASNs) on one FGT unless you split it into multiple VDOMs. Since you have two FGTs, you should split the two local ASNs across the two FGTs, meaning one for Internet and another for WAN. Then those two FGTs need to be iBGP peers with each other to share the routes that the opposite side doesn't learn from its circuit.
Also, as-path prepending is only for advertising routes. It wouldn't do anything in a route-map-in.
At this point, it's a little more complicated than I can simply advise on outside of my work without any fallout. I would suggest you get help from FTNT TAC.
Hi,
No, we only have 1 FortiGate (HA active-passive). This is connected to two different managed internet connections.
Primary and secondary (failing over to secondary if primary were to fail).
I asked Fortinet support and got no help whatsoever; they just closed the ticket as nothing was faulty.
Your description and drawing do not match, and how are you planning to set 2 local ASNs on a single FortiGate using a config router bgp?
    set as 4200002027
and
    set as 4200002028
Next observation: what is your ISP actually sending you? Partial/full or default only? If it's default-only then you do not need route-maps.
Next, are you trying to set aspath prepend on an in route-map?
Last observation: this is a 300D; it's going to croak or fall over if you think you're going to ingest full routes from 4 BGP peers.
Also, btw, FTNT support is not a design, consultation or solution team. Support is to fix and remediate support needs.
Ken Felix
PCNSE
NSE
StrongSwan