FortiGate
sagha
Staff
Article Id 192877
Description
This article explains how a VIP configuration can prevent BGP peering between two peers from coming up.

Explanation

With the following NAT configured, inbound traffic will run into issues, because all traffic destined to 10.20.10.10 will be translated to 192.168.1.1.
# config firewall vip
    edit "nat-in"
        set extip 10.20.10.10
        set mappedip "192.168.1.1"
        set extintf "any"
        set arp-reply disable
    next
end
BGP configuration.
# config router bgp
    set as xx
    set router-id 10.20.10.10
    set graceful-restart enable
    config neighbor
        edit "10.20.10.9"
            set interface "port1"
            set remote-as xx
        next
    end
end
When BGP peering is established, the neighbors need to form a TCP connection on port 179.
Either the local or the remote BGP neighbor can initiate the TCP connection.

Consider the example as below:

1) BGP peering works if the TCP connection is initiated by the FortiGate.

The TCP connection is initiated by the FortiGate, so no issues are faced. Checking the port details in the output below, it shows the following:
Local port: 10457
Foreign port: 179
The FortiGate is using TCP port 10457, and the remote BGP neighbor is using port 179.
# get router info bgp neighbors 10.20.10.9
……
Connections established 3; dropped 2
External BGP neighbor may be up to 255 hops away.
local host: 10.20.10.10, Local port: 10457
Foreign host: 10.20.10.9, Foreign port: 179
Nexthop: 10.20.10.10
Nexthop interface: ports
2) BGP peering does not work if the TCP connection is initiated by the remote BGP neighbor:

The TCP connection is initiated by the remote peer, and BGP peering may not come up.
Checking the port details in the output below, it shows the following:
Local port: 179
Foreign port: 8097
The remote BGP neighbor is using TCP port 8097, and port 179 is used on the FortiGate side.
# get router info bgp neighbors 10.20.10.9
……
Connections established 1; dropped 0
External BGP neighbor may be up to 255 hops away.
local host: 192.168.1.1, Local port: 179
Foreign host: 10.20.10.9, Foreign port: 8097
Nexthop: 192.168.1.1
Nexthop interface: loopback
In the above output, it is possible to see that the FortiGate reports the local host as 192.168.1.1, which is the VIP mapped IP address, instead of 10.20.10.10.
In addition, the next hop and next hop interface details are not correct.
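The check below is an added example, not part of the original article or of FortiOS: it parses the VIP entries and the TCP endpoint lines of the neighbor output shown above and flags a session whose local address is a VIP mapped IP rather than the address the peer is configured to talk to. The sample config and output excerpts are constructed from the article's values; a local port of 179 is taken to mean the peer opened the connection (an inbound SYN, which is what the VIP translates).

```python
import re

# Constructed sample input (not from a live device): the article's VIP, which
# translates every inbound flow to 10.20.10.10 regardless of port.
VIP_CONFIG = """
config firewall vip
    edit "nat-in"
        set extip 10.20.10.10
        set mappedip "192.168.1.1"
        set extintf "any"
    next
end
"""
# Constructed excerpts of `get router info bgp neighbors`: the FortiGate-initiated
# session (healthy) and the peer-initiated session (translated by the VIP).
BGP_OK = "local host: 10.20.10.10, Local port: 10457\nForeign host: 10.20.10.9, Foreign port: 179\n"
BGP_BAD = "local host: 192.168.1.1, Local port: 179\nForeign host: 10.20.10.9, Foreign port: 8097\n"

def parse_vips(config):
    """Map mappedip -> extip for each entry in a `config firewall vip` dump."""
    vips = {}
    for entry in re.split(r'\n\s*next\b', config):
        ext = re.search(r'set extip\s+"?([\d.]+)"?', entry)
        mapped = re.search(r'set mappedip\s+"?([\d.]+)"?', entry)
        if ext and mapped:
            vips[mapped.group(1)] = ext.group(1)
    return vips

def parse_session(output):
    """Return {'local': (ip, port), 'foreign': (ip, port)} from the neighbor output."""
    pat = r'(?P<side>local|foreign) host:\s*(?P<ip>[\d.]+),\s*\w+ port:\s*(?P<port>\d+)'
    return {m['side'].lower(): (m['ip'], int(m['port']))
            for m in re.finditer(pat, output, re.I)}

def check_bgp_session(output, config, expected_local):
    """None when the local address is the one the peer expects, else a diagnosis."""
    sess = parse_session(output)
    local_ip, local_port = sess["local"]
    peer_ip, peer_port = sess["foreign"]
    if local_ip == expected_local:
        return None
    initiator = "peer" if local_port == 179 else "fortigate"   # 179 = passive side
    vips = parse_vips(config)
    if local_ip in vips:
        return (f"{initiator}-initiated session {peer_ip}:{peer_port} was DNATed by VIP "
                f"{vips[local_ip]} -> {local_ip}; peer expects {expected_local}")
    return f"local host {local_ip} does not match expected {expected_local}"
```

Run `check_bgp_session` against the output of each peer; a non-None result on a peer-initiated session points at the VIP rather than at BGP itself.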

Solution
The solution can be one of the following:

1) Do not configure the VIP to translate all traffic. Otherwise all inbound connections, which in this case include BGP, will be translated, and if the translated address is not configured as the BGP peer, the BGP peering will not come up.

2) The FortiGate can be made to initiate the TCP connection with the following command: '# execute router clear bgp ip peer-ip x.x.x.x'. However, this is not a permanent solution, because if the BGP peering goes down and the remote BGP neighbor initiates the TCP connection again, the BGP peering will not come up.
