FortiGate
aabukhshim
Staff
Article Id: 276595
Description: This article describes how to configure neighbor passwords with the BGP neighbor group.
Scope: FortiGate v7.2.4, v7.4.0 and above.
Solution
  • As shown in the example below, when FortiGate R3 is configured with a BGP neighbor group, R3 waits for router R4 to initiate the BGP peering and listens for inbound BGP peering from the 172.16.201.0/24 address range:

 

[Image: NG.JPG]

 

  • Starting from firmware v7.2.4 and v7.4.0, this type of BGP peering can be secured with an MD5 signature password, as shown below:

On R3:

config router bgp
    config neighbor-group
        edit "FGT"
            set remote-as 65010
            set password ENC <PASSWORD>
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.201.0 255.255.255.0
            set neighbor-group "FGT"
        next
    end
end

 

On R4:

config router bgp
    config neighbor
        edit "172.16.201.1"
            set remote-as 65010
            set password ENC <PASSWORD>
        next
    end
end

 

The password is set by default and activated as an encrypted password. The default password cannot be unset.

 

  1. Set password 12345678. The password can then be checked with show:

config neighbor
edit 172.16.201.1
show

config neighbor
    edit "172.16.201.1"
        set remote-as 65010
        set password ENC WVeBxKJWaYXRQkUKOXLz39OsU6v8HopE0GoA1xKLLGaOvFrpbarAkc+qfdF7kbyha+RJWj4QS4c2S1T7cmh309Bko/CRhsquwhG3cK84ANlrRseF+BAanufkZ6kO00fi8dNkpVyFDAXrmhRZb7kfM/yeZcfFFlWwoNWhTDmvpj9vXeOtPvyXr7O4eKVD6qUoAmuqvw==
    next
end

 

  2. Unset the password:

unset password
show

config neighbor
    edit "172.16.201.1"
        set remote-as 65010
    next
end

 

  3. Under show full-configuration, an encrypted password can be seen again:

sh full-configuration

config neighbor
    edit "172.16.201.1"
        set advertisement-interval 30
        set additional-path-vpnv4 disable
        set password ENC zQk3RcSRSETEl1E7SW8MtAlzyWjyhsrIgCZzOEmzy3pl44cScy2iFAJvdp704+n6M+wiDaB35mQb2oHh7eLFqVQ9XPqKiUsmssmDV9DGq4XMYkpMOuPeZeyhtZjZMpII6oOJTD2qEdyRoulDCGZcwvskw2m1Wy8i6ms/mMO8CHd3GA3KnJsH7s69QFFq+QR3OLKLIA==
    next
end
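
An audit check for the behaviour shown in the steps above, added here as an example (it is not Fortinet's code and not part of the original article): it parses saved `show` output of `config router bgp` and lists static neighbors and neighbor-ranges whose neighbor-group has no explicit `set password`. The sample configuration, the address 192.0.2.1 and the function names are constructed for illustration.

```python
SAMPLE_SHOW = """\
config router bgp
    config neighbor
        edit "192.0.2.1"
            set remote-as 65010
            set password ENC <PASSWORD>
        next
    end
    config neighbor-group
        edit "FGT"
            set remote-as 65010
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.201.0 255.255.255.0
            set neighbor-group "FGT"
        next
    end
end
"""  # constructed sample of `show` output, not from the article; <PASSWORD> is a placeholder

def parse_bgp(text):
    """Return {table: {entry: {option: value}}} for tables under `config router bgp`."""
    tables, stack, entry = {}, [], None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif len(stack) != 2 or stack[0] != "router bgp":
            continue  # skip anything that is not a direct row of a BGP table
        elif words[0] == "edit" and len(words) > 1:
            entry = tables.setdefault(stack[1], {}).setdefault(words[1].strip('"'), {})
        elif words[0] == "next":
            entry = None
        elif words[0] == "set" and entry is not None and len(words) > 1:
            entry[words[1]] = " ".join(words[2:]).strip('"')
    return tables

def unauthenticated_peers(show_output):
    """List peers and listen ranges with no explicit password. Feed it `show` output:
    `show full-configuration` prints an ENC password even after `unset password`."""
    t = parse_bgp(show_output)
    out = [f"neighbor {ip}" for ip, c in t.get("neighbor", {}).items() if "password" not in c]
    for c in t.get("neighbor-range", {}).values():
        if "password" not in t.get("neighbor-group", {}).get(c.get("neighbor-group"), {}):
            out.append(f"neighbor-range {c.get('prefix')} -> group {c.get('neighbor-group')}")
    return out
```

For the sample, `unauthenticated_peers(SAMPLE_SHOW)` reports only the listen range, because group "FGT" carries no `set password` line while the static neighbor does.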

 

Related document:

BGP Neighbor Password.