Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    5.6.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Implementing route discovery with BGP

    Implementing route discovery with BGP

    Network route discovery is facilitated by BGP and EBGP, which prevent the redistribution of routes learned that are contained in the same autonomous system number as the host. Also, EBGP influences route selection on the branches because of AS-Path prepending.

    Enable ebgp-multipath to allow the FortiGate to dynamically discover multiple paths for networks advertised at branches.

    Configure neighbor-range and neighbor-group to allow peering relationships to be established without defining each individual peer. The branch IPsec VPN tunnel interface addresses must be in the BGP peer range.

    The BGP configuration includes:
    • Enabling ebgp-multipath
    • Enabling soft-reconfiguration, link-down-failover, and ebgp-enforce-multihop for each BGP peer in the neighbor group
    • Adding the branch remote-as (which is 65501) to each peer configuration
    • Setting the prefix for the neighbor range to the network matching the BGP peers
    • Configuring a network with the prefix of the network advertised into BGP

    To facilitate the fastest route failovers, the following timers are set to their lowest values:

    • scan-time
    • advertisement-interval
    • keep-alive timer
    • holdtime-timer

    config router bgp

    set as 65500

    set router-id 10.10.0.1

    set ebgp-multipath enable

    set scan-time 5

    set graceful-restart enable

    config neighbor-group

    edit "branch-peeers-1"

    set advertisement-interval 1

    set link-down-failover enable

    set soft-reconfiguritation enable

    set remote-as 65501

    set keep-alive-timer 1

    set holdtime-timer 3

    set ebgp-enforce-multihop enable

    next

    edit "branch-peers-2"

    set advertisment-inteval 1

    set link-downfailover enable

    set remote-as 65501

    set keep-alive-timer 1

    set holdtime-timer 3

    set ebgp-enforce-multihop enable

    next

    end

    config neighbor-range

    edit 1

    set prefix 10.254.0.0 255.255.255.0

    set neighbor-group "branch-peers-1"

    next

    edit 2

    set prefix 10.254.1.0 255.255.255.0

    set neighbor-group "branch-peers-2"

    next

    end

    config network

    edit 1

    set prefix 10.200.1.0 255.255.255.0

    next

    edit 2

    set prefix 10.200.0.0 255.255.255.0

    next

    edit 3

    set prefix 10.200.3.0 255.255.255.0

    next

    end

    end

    Previous
    Next

    Implementing route discovery with BGP

    Implementing route discovery with BGP

    Network route discovery is facilitated by BGP and EBGP, which prevent the redistribution of routes learned that are contained in the same autonomous system number as the host. Also, EBGP influences route selection on the branches because of AS-Path prepending.

    Enable ebgp-multipath to allow the FortiGate to dynamically discover multiple paths for networks advertised at branches.

    Configure neighbor-range and neighbor-group to allow peering relationships to be established without defining each individual peer. The branch IPsec VPN tunnel interface addresses must be in the BGP peer range.

    The BGP configuration includes:
    • Enabling ebgp-multipath
    • Enabling soft-reconfiguration, link-down-failover, and ebgp-enforce-multihop for each BGP peer in the neighbor group
    • Adding the branch remote-as (which is 65501) to each peer configuration
    • Setting the prefix for the neighbor range to the network matching the BGP peers
    • Configuring a network with the prefix of the network advertised into BGP

    To facilitate the fastest route failovers, the following timers are set to their lowest values:

    • scan-time
    • advertisement-interval
    • keep-alive timer
    • holdtime-timer

    config router bgp

    set as 65500

    set router-id 10.10.0.1

    set ebgp-multipath enable

    set scan-time 5

    set graceful-restart enable

    config neighbor-group

    edit "branch-peeers-1"

    set advertisement-interval 1

    set link-down-failover enable

    set soft-reconfiguritation enable

    set remote-as 65501

    set keep-alive-timer 1

    set holdtime-timer 3

    set ebgp-enforce-multihop enable

    next

    edit "branch-peers-2"

    set advertisment-inteval 1

    set link-downfailover enable

    set remote-as 65501

    set keep-alive-timer 1

    set holdtime-timer 3

    set ebgp-enforce-multihop enable

    next

    end

    config neighbor-range

    edit 1

    set prefix 10.254.0.0 255.255.255.0

    set neighbor-group "branch-peers-1"

    next

    edit 2

    set prefix 10.254.1.0 255.255.255.0

    set neighbor-group "branch-peers-2"

    next

    end

    config network

    edit 1

    set prefix 10.200.1.0 255.255.255.0

    next

    edit 2

    set prefix 10.200.0.0 255.255.255.0

    next

    edit 3

    set prefix 10.200.3.0 255.255.255.0

    next

    end

    end

    Previous
    Next