FortiGate
mthakur01
Staff
Article Id 192609

Purpose
This article describes a BGP advertisement example in a BGP multi-homed setup.


Diagram


The ISP-1 and ISP-2 FortiGates advertise only a default route (0.0.0.0/0) to FortiGate1 (FGT1). Using the BGP local-preference attribute, the default route learned from ISP-1 (Primary) is preferred over the one learned from ISP-2 (Backup). When the ISP-1 link is down, the default route is learned from ISP-2.

Expectations, Requirements
The customer wants to advertise a local network, 10.163.0.0/24, located behind FortiGate1 to the active ISP only. While the ISP-1 link (Primary) is active, FortiGate1 must not advertise 10.163.0.0/24 to ISP-2.

FortiGate1 should advertise 10.163.0.0/24 to ISP-2 only when it is not learning a default route (0.0.0.0/0) from the primary ISP-1 (AS 65002), i.e. when ISP-1 has issues and is unreachable.

Configuration
The easiest way to achieve this is BGP conditional advertisement with the match-as-path option. Another option is match community-list, but that is not covered in this article.

Here is the complete BGP configuration of FortiGate1:

Step 1: Create the necessary prefix lists:

config router prefix-list
    edit "DEFAULT_ROUTE"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "NET_10.163"
        config rule
            edit 1
                set prefix 10.163.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

Step 2: Configure the AS-path list. This AS-path list is used to match only the default route learned from AS 65002.

config router aspath-list
    edit "MATCH-65002"
        config rule
            edit 1
                set action permit
                set regexp "^65002_"   
            next
        end
    next
end

Note: the regexp "^65002_" matches AS paths that begin with AS 65002, i.e. routes learned directly from AS 65002.

Step 3: Configure the route-map entries:

config router route-map
    edit "DEFAULT_NET_0.0.0.0"   
        config rule
            edit 1
                set match-as-path "MATCH-65002"
                set match-ip-address "DEFAULT_ROUTE"  
            next
        end
    next
    edit "MY_NET_10.163"
        config rule
            edit 1
                set match-ip-address "NET_10.163"
            next
        end
    next
end

Step 4: Configure BGP on FortiGate1, including the conditional advertisement under neighbor 10.56.240.101 (ISP-2):

config router bgp
    set as 65001
    set router-id 100.100.100.100
    config neighbor
        edit "10.56.244.104"
            set remote-as 65002
            set route-map-in "DEFAULT_ONLY"
        next
        edit "10.56.240.101"
            set remote-as 65003
            config conditional-advertise
                edit "MY_NET_10.163"
                    set condition-routemap "DEFAULT_NET_0.0.0.0"
                    set condition-type non-exist
                next
            end
        next
    end
    config network
        edit 1
            set prefix 10.163.0.0 255.255.255.0
        next
    end
end

Additional Info: the route-map "DEFAULT_ONLY" allows only the default route in from ISP-1 and sets its local preference to 300, so that the default route learned from ISP-1 (Primary) is preferred over the one from ISP-2 when both ISP links are up.

Configuration of the route-map "DEFAULT_ONLY" used in the BGP configuration:

config router route-map
    edit "DEFAULT_ONLY"
        config rule
            edit 1
                set match-ip-address "DEFAULT_ROUTE"
                set set-local-preference 300
            next
        end
    next
end



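The decision that Steps 1 to 4 configure can be modelled in a few lines of Python. This is an added example, not FortiGate code. It assumes that "_" in a FortiOS AS-path regexp behaves as in Cisco and Quagga/FRR (matching the start or end of the path or a separator between AS numbers), that every match clause in a route-map rule must hold for the rule to match, and that condition-type non-exist is evaluated against every path in the BGP table rather than only the best one. The BGP tables at the bottom are constructed from the article's two scenarios.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not FortiGate code.  Models Steps 1-4 of this article.
# Assumption: "_" in a FortiOS AS-path regexp behaves as in Cisco/Quagga,
# matching the start or end of the path or a separator between AS numbers.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def aspath_regex_to_python(pattern: str) -> re.Pattern:
    """Translate a BGP AS-path regexp such as "^65002_" into a Python regexp."""
    return re.compile(pattern.replace("_", UNDERSCORE))


def aspath_matches(pattern: str, as_path: str) -> bool:
    """aspath-list rule (action permit): True when the path matches the regexp."""
    return aspath_regex_to_python(pattern).search(as_path) is not None


def prefix_rule_matches(rule_prefix: str, rule_mask: str, route_prefix: str) -> bool:
    """prefix-list rule with ge/le unset: the route must equal the rule exactly."""
    rule_net = ipaddress.ip_network(f"{rule_prefix}/{rule_mask}", strict=False)
    return ipaddress.ip_network(route_prefix, strict=False) == rule_net


@dataclass
class BgpRoute:
    prefix: str      # e.g. "0.0.0.0/0"
    as_path: str     # e.g. "65002"; "" for a locally originated network
    from_peer: str   # neighbor the path was received from, or "local"


def condition_routemap_matches(route: BgpRoute) -> bool:
    """Route-map DEFAULT_NET_0.0.0.0, rule 1: match-as-path MATCH-65002
    AND match-ip-address DEFAULT_ROUTE (all match clauses must hold)."""
    return (aspath_matches("^65002_", route.as_path)
            and prefix_rule_matches("0.0.0.0", "0.0.0.0", route.prefix))


def evaluate_conditional_advertise(bgp_table: List[BgpRoute]) -> Tuple[int, List[str]]:
    """Conditional advertisement for neighbor 10.56.240.101 (ISP-2).

    Returns (condition_state, prefixes_advertised).  condition_state is 1 when a
    path matching the condition route-map exists in the BGP table and 0 when
    none does; the article's CLI output shows the same 1/0 values.  With
    condition-type non-exist the advertise route-map MY_NET_10.163 is applied
    only while the state is 0.  Assumption: the condition is evaluated against
    every path in the table, not only the best one.
    """
    state = 1 if any(condition_routemap_matches(r) for r in bgp_table) else 0
    if state == 1:
        return state, []
    advertised = [r.prefix for r in bgp_table
                  if prefix_rule_matches("10.163.0.0", "255.255.255.0", r.prefix)]
    return state, advertised


# Constructed BGP tables reflecting the article's two scenarios.
TABLE_BOTH_ISPS_UP = [
    BgpRoute("0.0.0.0/0", "65002", "10.56.244.104"),   # ISP-1, localpref 300
    BgpRoute("0.0.0.0/0", "65003", "10.56.240.101"),   # ISP-2, localpref 100
    BgpRoute("10.163.0.0/24", "", "local"),            # config network entry
]
TABLE_ISP1_DOWN = [r for r in TABLE_BOTH_ISPS_UP if r.from_peer != "10.56.244.104"]

if __name__ == "__main__":
    for name, table in (("both up", TABLE_BOTH_ISPS_UP), ("ISP-1 down", TABLE_ISP1_DOWN)):
        state, advertised = evaluate_conditional_advertise(table)
        print(f"{name}: condition state {state}, advertised to ISP-2: {advertised or 'nothing'}")
```

Running the script prints condition state 1 with nothing advertised while both ISPs are up, and state 0 with 10.163.0.0/24 advertised once the ISP-1 path is gone. The AS-path part is the piece worth checking on its own: "^65002_" accepts "65002" and "65002 65010" but rejects "650021" and "65003 65002", which is why the AS-path list, and not just the prefix list, is what ties the condition to ISP-1.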
Verification
Execute the following command to verify that both BGP peers are up:

FGT1# get router info bgp summary
BGP router identifier 100.100.100.100, local AS number 65001
BGP table version is 2
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.56.240.101   4      65003     165     177        2    0    0 01:47:39        1
10.56.244.104   4      65002    2504    3096        2    0    0 00:01:32        1

Total number of neighbors 2

Condition route map:
  DEFAULT_NET_0.0.0.0root, state 1, use 2

FortiGate1 (FGT1) is learning the default route from both ISPs but prefers the one from ISP-1 (10.56.244.104, Primary) because it has the higher local preference (300).

FGT1# get router info bgp network 0.0.0.0

BGP routing table entry for 0.0.0.0/0

Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   10.56.240.101
  65002
    10.56.247.254 from 10.56.244.104 (10.56.244.104)
      Origin incomplete metric 0, localpref 300, valid, external, best
      Last update: Wed Jul  3 12:09:24 2019

  65003
    10.56.243.254 from 10.56.240.101 (10.56.240.101)
      Origin incomplete metric 0, localpref 100, valid, external
      Last update: Wed Jul  3 10:23:14 2019

FGT1# get router info routing-table bgp

B*      0.0.0.0/0 [20/0] via 10.56.247.254, port1, 00:05:06

As per the BGP conditional advertisement configuration, FGT1 is advertising 10.163.0.0/24 to peer 10.56.244.104 (ISP-1) and not to 10.56.240.101 (ISP-2).

FGT1# get router info bgp neighbors 10.56.244.104 advertised-routes

BGP table version is 4, local router ID is 100.100.100.100

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop                    Metric   LocPrf   Weight   Path
*> 10.163.0.0/24    10.56.244.100                         100     32768      i

Total number of prefixes 1

FGT1# get router info bgp neighbors 10.56.240.101  advertised-routes

BGP table version is 4, local router ID is 100.100.100.100

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop                    Metric   LocPrf   Weight   Path

Total number of prefixes 0

Now the WAN link connected to ISP-1 is down, and BGP peer 10.56.244.104 is down with it.

FGT1# get router info bgp summary
BGP router identifier 100.100.100.100, local AS number 65001
BGP table version is 5
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.56.240.101   4      65003     177     190        5    0    0 01:57:55        1
10.56.244.104   4      65002    2515    3108        0    0    0    never Active

Total number of neighbors 2

Condition route map:
  DEFAULT_NET_0.0.0.0root, state 0, use 3

As the primary ISP link is down, FGT1 is now learning the default route from ISP-2 (10.56.240.101).

FGT1# get router info routing-table  bgp
B*      0.0.0.0/0 [20/0] via 10.56.243.254, port2, 00:01:25

FGT1# get router info bgp network 0.0.0.0

BGP routing table entry for 0.0.0.0/0
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  65003
    10.56.243.254 from 10.56.240.101 (10.56.240.101)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Wed Jul  3 10:23:14 2019

It is also advertising 10.163.0.0/24 to ISP-2, as per the conditional advertisement configuration.

FGT1# get router info bgp neighbors 10.56.240.101 advertised-routes
BGP table version is 5, local router ID is 100.100.100.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop                    Metric   LocPrf   Weight   Path

*> 10.163.0.0/24    10.56.240.100                        100       32768    i

Total number of prefixes 1

The condition is to advertise 10.163.0.0/24 to ISP-2 (10.56.240.101) only if FGT1 is not learning a default route 0.0.0.0/0 from AS 65002.

Note: if the AS-path list is not created, the BGP conditional advertise configuration will not work: FGT1 will not advertise its local network to ISP-2.

Once the link to the primary ISP-1 is up again, FGT1 learns the default route from AS 65002 (peer 10.56.244.104) again and, because of the conditional advertise configuration, stops advertising 10.163.0.0/24 to ISP-2 (10.56.240.101).

ISP-1 is up again:

FGT1# get router info bgp summary
BGP router identifier 100.100.100.100, local AS number 65001
BGP table version is 6
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.56.240.101   4      65003     185     198        6    0    0 02:05:05        1
10.56.244.104   4      65002    2518    3111        6    0    0 00:00:44        1

Total number of neighbors 2
Condition route map:
  DEFAULT_NET_0.0.0.0root, state 1, use 3

FGT1 is again learning the default route from the ISP-1 peer (10.56.244.104).

FGT1# get router info routing-table  bgp
B*      0.0.0.0/0 [20/0] via 10.56.247.254, port1, 00:01:47

FGT1# get router info bgp network 0.0.0.0
BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   10.56.240.101
  65002
    10.56.247.254 from 10.56.244.104 (10.56.244.104)
      Origin incomplete metric 0, localpref 300, valid, external, best
      Last update: Wed Jul  3 12:27:37 2019

  65003
    10.56.243.254 from 10.56.240.101 (10.56.240.101)
      Origin incomplete metric 0, localpref 100, valid, external
      Last update: Wed Jul  3 10:23:14 2019

Again, subnet 10.163.0.0/24 is not advertised to ISP-2 (10.56.240.101):

FGT1# get router info bgp neighbors  10.56.240.101 advertised-routes
BGP table version is 6, local router ID is 100.100.100.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop                    Metric   LocPrf   Weight   Path

Total number of prefixes 0


FGT1# get router info bgp neighbors  10.56.244.104  advertised-routes
BGP table version is 6, local router ID is 100.100.100.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop                    Metric   LocPrf   Weight   Path
*> 10.163.0.0/24    10.56.244.100                         100      32768    i

Total number of prefixes 1
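The three "get router info bgp summary" captures above are the quickest place to confirm the failover state from a monitoring job. The following added example (not FortiGate code) parses that output, reports each peer's session state, and checks that the "Condition route map" line agrees with the state of the primary peer. It assumes that the last column holds a prefix count when the session is Established and a state name otherwise, and it uses "primary peer Established with at least one prefix received" as a stand-in for "default route from AS 65002 present"; the 1/0 meaning of "state" is taken from the captures in this article. The sample text is copied from the article's first and second summaries.

```python
import re
from typing import Dict, Optional

# Added example, not FortiGate code: parse "get router info bgp summary" output
# and derive whether ISP-2 should currently be receiving 10.163.0.0/24.

NEIGHBOR_RE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>\S+)\s*$")
CONDITION_RE = re.compile(
    r"^\s*(?P<name>\S+),\s+state\s+(?P<state>\d+),\s+use\s+(?P<use>\d+)")


def parse_summary(text: str) -> dict:
    """Return {"peers": {ip: {...}}, "condition": {...} or None} for one capture."""
    peers: Dict[str, dict] = {}
    condition: Optional[dict] = None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            # Assumption: the State/PfxRcd column is numeric (prefixes received)
            # only while the session is Established; otherwise it is a state name.
            established = m.group("state").isdigit()
            peers[m.group("peer")] = {
                "as": int(m.group("asn")),
                "established": established,
                "prefixes_received": int(m.group("state")) if established else 0,
                "state": "Established" if established else m.group("state"),
                "up_down": m.group("updown"),
            }
            continue
        m = CONDITION_RE.match(line)
        if m:
            condition = {"route_map": m.group("name"),
                         "state": int(m.group("state")),
                         "use": int(m.group("use"))}
    return {"peers": peers, "condition": condition}


def backup_should_receive_local_net(summary: dict, primary_peer: str) -> bool:
    """condition-type non-exist: the backup gets the local network only while the
    primary is not supplying the conditioned route.  Simplification: a primary
    session that is Established with >= 1 prefix is taken to supply it."""
    p = summary["peers"].get(primary_peer)
    return not (p and p["established"] and p["prefixes_received"] > 0)


def condition_state_consistent(summary: dict, primary_peer: str) -> bool:
    """In this article's captures 'state 1' appears while the ISP-1 default is
    present and 'state 0' while it is absent.  Flag a mismatch, which is what a
    missing AS-path list or a wrong regexp would look like from this command."""
    cond = summary["condition"]
    if cond is None:
        return False
    return (cond["state"] == 1) == (not backup_should_receive_local_net(summary, primary_peer))


# Sample captures copied from this article (both ISPs up, then ISP-1 down).
SUMMARY_BOTH_UP = """\
BGP router identifier 100.100.100.100, local AS number 65001
BGP table version is 2
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.56.240.101   4      65003     165     177        2    0    0 01:47:39        1
10.56.244.104   4      65002    2504    3096        2    0    0 00:01:32        1

Total number of neighbors 2

Condition route map:
  DEFAULT_NET_0.0.0.0root, state 1, use 2
"""

SUMMARY_ISP1_DOWN = """\
BGP router identifier 100.100.100.100, local AS number 65001
BGP table version is 5
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.56.240.101   4      65003     177     190        5    0    0 01:57:55        1
10.56.244.104   4      65002    2515    3108        0    0    0    never Active

Total number of neighbors 2

Condition route map:
  DEFAULT_NET_0.0.0.0root, state 0, use 3
"""

PRIMARY = "10.56.244.104"  # ISP-1 peer from the article

if __name__ == "__main__":
    for label, text in (("both up", SUMMARY_BOTH_UP), ("ISP-1 down", SUMMARY_ISP1_DOWN)):
        s = parse_summary(text)
        print(label, {ip: p["state"] for ip, p in s["peers"].items()},
              "backup should receive 10.163.0.0/24:", backup_should_receive_local_net(s, PRIMARY),
              "condition consistent:", condition_state_consistent(s, PRIMARY))
```

A mismatch reported by condition_state_consistent is the cue to run the advertised-routes commands shown above against ISP-2, since a backup ISP receiving the prefix while the primary is healthy is exactly the case the configuration is meant to prevent.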

 
