tnxxxx59
New Contributor II

How to steer BGP traffic on SD-WAN Spoke to Hub

Dear all,

 

I have a diagram as below:

       --------- tunnel 01 --------------
Hub (lo0)                                      (Lo0) Spoke
       ---------- tunnel 02 -------------

 

I am using BGP on loopback to set up routing via 2 Tunnels. (FortiOS 7.4.4)

And I am trying to set up an SD-WAN rule to steer BGP traffic (keepalives, updates...) via tunnel02.

In the SD-WAN rule I set: source is Lo0 of the spoke and destination is Lo0 of the hub; for the outgoing interface I used Manual, with Tunnel02 in first order and Tunnel01 in last order. The members are the two tunnel interfaces of the SD-WAN zone.

 

But after that, I cannot see any hit count on the SD-WAN rule, and when I run diagnose sniffer on port 179, traffic still goes via tunnel01.

 

I am wondering what my mistake is? (Or are BGP updates not processed by SD-WAN rules?)

 

(I have another SD-WAN rule to allow all (all sources and all destinations) using an SLA health check; it is working because I see a lot of hit counts.)

6 Replies
Jean-Philippe_P
Moderator

Hello tnxxxx59, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
stroia
Staff

Hello,

Regarding your question, have you created the necessary firewall policy to permit the traffic between the loopback interface and the SD-WAN rule, as explained here: https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/853005/loopback-interface ?

 

If yes, have you checked if routing to reach the loopback of the remote peer is ok?

 

If yes, I suggest checking the BGP traffic logs and the SD-WAN rule status as explained here: https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/818746/sd-wan-related-diagno... to understand what's going wrong.

Regards

Seba

Sebastiano Troia
Certified: FCSS Network Security


tnxxxx59
New Contributor II

Hi @stroia 

Thanks for your information,

 

I mean BGP is working fine, but I want to steer BGP traffic using SD-WAN rules. For example: I have 2 tunnels, 01 and 02, and I want to steer BGP traffic via Tunnel02. I did as I mentioned above, then checked and saw that BGP traffic still goes via Tunnel01. So my question is: do SD-WAN rules not take care of BGP traffic (BGP keepalives, updates...)?

stroia

No, BGP traffic is considered local traffic, so it is not managed by SD-WAN rules. I suggest removing the add-route option from the IPsec configuration https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-automatic-route-towards-the-rem... and adding ad hoc static routes for the loopback address, configuring a lower distance for the route pointing to the tunnel that you want to prefer.

BR

Seba

Sebastiano Troia
Certified: FCSS Network Security
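The approach stroia describes, written out as FortiOS CLI on the spoke. This is an added example, not configuration posted in the thread: the phase1 interface names tunnel01 and tunnel02 follow the diagram, while the hub loopback address 10.255.0.1/32 and the distance values are constructed placeholders to be replaced with the real ones.

```fortios
# Spoke side. Assumed names: phase1-interfaces "tunnel01" and "tunnel02"
# (from the diagram). The hub loopback 10.255.0.1/32 is a constructed
# placeholder; substitute the real Lo0 address of the hub.

# 1. Stop both IPsec tunnels from injecting their own route towards the
#    remote peer, so that only the static routes below decide which tunnel
#    carries the loopback-to-loopback BGP session.
config vpn ipsec phase1-interface
    edit "tunnel01"
        set add-route disable
    next
    edit "tunnel02"
        set add-route disable
    next
end

# 2. Two static routes to the hub loopback. The lower distance wins, so
#    tunnel02 is preferred; the tunnel01 route stays in standby and becomes
#    active only if tunnel02 goes down.
config router static
    edit 0
        set dst 10.255.0.1 255.255.255.255
        set device "tunnel02"
        set distance 10
    next
    edit 0
        set dst 10.255.0.1 255.255.255.255
        set device "tunnel01"
        set distance 20
    next
end

# 3. Verification: the active route to the hub loopback should now point at
#    tunnel02, and BGP (TCP/179) packets should be seen on tunnel02.
# get router info routing-table details 10.255.0.1
# diagnose sniffer packet any 'port 179' 4 0 l
```

Because BGP is local traffic, the SD-WAN rule with Tunnel02 in first order never matches it; the routing table does. Disabling add-route matters because an automatically added route with the default distance on both tunnels would otherwise compete with these static routes and the preferred path would again depend on which tunnel came up first. Keep the firewall policy permitting loopback traffic from the earlier reply in place, and after a change re-run the sniffer to confirm the session has actually moved; the BGP session will reset once when the path changes.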


tnxxxx59
New Contributor II

Hi @stroia 

 

Thank you so much! It makes sense.
