It is actually quite a simple setup, even if you haven't configured BGP before:
Set up the Fortigate (FGT) WAN interfaces with the relevant /30 IPs and verify the links and IPs work fine - ping point-to-point, and load the line with a laptop if it is a new line.
Configure BGP on the FGT.
Regarding BGP - as this is a small (/29) pool, it means you are getting Provider Assigned (PA) IPs, not your own AS number, so you will have to set a private AS on your side, say 65001. Also, you should ask your provider whether you need to add AS path prepends for the /29 you advertise via the backup line, or whether they will do this backup/main line manipulation on their side. If they say you should advertise the /29 with prepends over the backup line, this will add route-map config on your FGT. If not, it is the most basic setup of all.
E.g. let's say the main line IP is 18.104.22.168/30 and is set on port1 in the FGT, the backup line is 22.214.171.124/30 on port2 in the FGT, the AS number of your ISP is AS 1680, and you advertise 10.10.10.0/29 which is configured as directly connected on the FGT, then:
config system interface
    edit "port1"
        set ip 126.96.36.199/30
    next
    edit "port2"
        set ip 188.8.131.52/30
    next
end
1. Route-map to add prepends
config router route-map
    edit "prepend-out"
        config rule
            edit 1
                set set-aspath "65001 65001"
            next
        end
    next
end
2. BGP neighboring
config router bgp
    set as 65001
    config neighbor
        edit "184.108.40.206"
            set remote-as 1680
            set weight 10
        next
        edit "220.127.116.11"
            set remote-as 1680
            set route-map-out "prepend-out"
        next
    end
    config redistribute "connected"
        set status enable
    end
end
How do I pass 10.10.10.0/29 as connected? Also, if I enable "redistribute connected", I have other links coming up (a couple of MPLS), will these be redistributed as well? If yes, how do I avoid them?
Thanks for the help. Much appreciated. The links just got delivered and will test these soon.
We are also getting a couple of MPLS links in a similar fashion, Active/Standby. They give out a single private ASN for both the links, will this affect my Internet side configs?
MPLS has 10.0.0.1/30 and 10.0.1.1/30 and is connected to HQ. The branch LAN subnet is 192.168.0.0/16 and the HQ subnet is 172.26.0.0/21.
To me, using "prefix-list" in route-maps is more popular than using "access-list" as in the admin guide.
Also use "local-preference" (set-local-preference) to change the default value (100) to make routes from a specific neighbor higher or lower than the other, to control the outgoing direction of traffic. To manipulate the opposite direction, you need to ask the network providers what you should do if they haven't told you already. Either none is needed, or communities are needed, or AS prepend might be needed. Completely up to them.
The funny thing about ACLs for filtering routes in FGT - they accept prefix notation just as happily as bitmask, so even if using ACL you can specify 10.10.10.0/24 instead of 10.10.10.0 0.0.0.255 and turn it into a prefix-list ))
"redistribute connected" - yes, by default it will include all connected routes on this FGT. You can filter what to redistribute or not with route-map, but
The 1st question though - how are you going to use this routed 10.10.10.0/29? Do you intend on using it on the FGT itself for NAT/VIPs (static/port forward) or route this pool as is further into the LAN?
Adding MPLS links - will be fine with the FGT, only that there can be just a single AS number process on the FGT, i.e. if you set up BGP peering with the ISP using AS 65001 on your side, you cannot configure an additional AS (say 65002) to be used on your side for MPLS. In other words - the MPLS provider cannot give just any private AS to be your local AS, provided you already configured BGP with a private AS for the ISP connection. You have to tell them that you already have private AS such and such, so will use it. There is a workaround for this, set local-as, that will not change the locally configured AS but will allow you to add another AS after it - an unnecessary complication IMO. Here is the explanation https://community.fortinet.com/t5/FortiGate/Technical-Note-BGP-multiple-local-AS-configuration-and/t...
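An added example (not from any of the posts above) putting the two suggestions together: a prefix-list route-map so that "redistribute connected" only exports the PA /29 and not the MPLS /30s or LAN subnets, and a set-local-preference route-map on the main-line neighbor to prefer it for outbound traffic. The names "pa-pool", "connected-to-bgp" and "main-in" are assumed placeholders; the neighbor IP is the main-line peer from the config above.

```text
# Assumed names: pa-pool, connected-to-bgp, main-in. Only the PA /29 is
# permitted; a route-map has an implicit deny, so every other connected
# route (MPLS /30s, LAN subnets) is kept out of BGP.
config router prefix-list
    edit "pa-pool"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.248
            next
        end
    next
end
config router route-map
    edit "connected-to-bgp"
        config rule
            edit 1
                set match-ip-address "pa-pool"
            next
        end
    next
    # Default local-preference is 100; 200 on the main line makes it win
    # the outbound path selection over the backup neighbor.
    edit "main-in"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
config router bgp
    config neighbor
        edit "184.108.40.206"
            set route-map-in "main-in"
        next
    end
    config redistribute "connected"
        set status enable
        set route-map "connected-to-bgp"
    end
end
```

Check the result with "get router info bgp network" (what you advertise) and "get router info bgp neighbors" (the received prefixes and their local-preference) after applying it.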