syordanov
Staff
Article Id 306849
Description

This article describes how to configure FortiGate to establish an eBGP or iBGP using a Loopback interface.

Scope

FortiGate v7.0 or higher.

Solution

Diagram: eBGP between two FortiGates, one of which peers from a Loopback address:

[Image: diagram.JPG]

The eBGP configuration for Fortigate_1:

 

config router bgp
    set as 65100
    set router-id 1.1.1.1
    config neighbor
        edit "10.10.99.2"
            set ebgp-enforce-multihop enable
            set remote-as 65101
        next
    end
end

 

The eBGP configuration for Fortigate_2:


config router bgp
    set as 65101
    set router-id 2.2.2.2
    config neighbor
        edit "192.168.1.99"
            set ebgp-enforce-multihop enable
            set remote-as 65100
            set update-source "loopback_1"
        next
    end
    config network
        edit 1
            set prefix 10.10.4.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
end

 

  • Fortigate_2 advertises one of its connected networks, 10.10.4.0/24.
  • Fortigate_1 does not advertise any network prefix.

 

Loopback configuration on Fortigate_2 (the interface referenced by 'update-source'):

 

config system interface
    edit "loopback_1"
        set vdom "root"
        set ip 10.10.99.2 255.255.255.255
        set allowaccess ping https ssh http
        set type loopback
        set role lan
        set snmp-index 15
    next
end

 

Because Fortigate_1 and Fortigate_2 are not directly connected, it is necessary to enable 'ebgp-enforce-multihop' on both peers. With this option, the TTL of the BGP packets is increased to 255, which allows a session to be established with neighbors that are more than one hop away.

By default, FortiGate will establish an eBGP or iBGP session only with directly connected neighbors. In this case, the eBGP peers are not in the same subnet.

Once 'ebgp-enforce-multihop' is enabled, 'ebgp-multihop-ttl' can be lowered from its default value of 255 to restrict the distance between the eBGP peers and prevent BGP hijacking.

 

BGP status on Fortigate_1:

 

get router info bgp  summary
VRF 0 BGP router identifier 1.1.1.1, local AS number 65100
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
Neighbor   V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.99.2 4      65101      33      27        0    0    0 00:01:42        1

Total number of neighbors 1

 

BGP route advertised by Fortigate_2, as seen in the routing table of Fortigate_1:

 

get router info routing-table bgp

Routing table for VRF=0
B       10.10.4.0/24 [20/0] via 10.10.99.2 (recursive via 192.168.1.121, lan), 00:01:19, [1/0]

 

BGP status on Fortigate_2:

 

get router info bgp  summary

VRF 0 BGP router identifier 2.2.2.2, local AS number 65101
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor     V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.99 4      65100      53      61        1    0    0 00:26:45        0

Total number of neighbors 1

 

Ensure that Fortigate_1 and Fortigate_2 have valid routes to the remote eBGP peer.
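As an added example (not part of the Fortinet article), the following Python script parses the 'get router info bgp summary' output shown above and checks each configured neighbor against the expected remote AS and session state, flagging missing, mismatched, unestablished or unexpected peers; the sample output is the Fortigate_1 summary from this article, and the "down" variant is constructed.

```python
import re
# Constructed sample: the 'get router info bgp summary' output of Fortigate_1 from the article.
SUMMARY_FGT1 = """\
VRF 0 BGP router identifier 1.1.1.1, local AS number 65100
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
Neighbor   V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.99.2 4      65101      33      27        0    0    0 00:01:42        1

Total number of neighbors 1
"""
# Constructed variant: same peer down; FortiOS then prints the FSM state instead of a prefix count.
SUMMARY_DOWN = re.sub(r"00:01:42\s+1$", "never      Active", SUMMARY_FGT1, flags=re.M)
# One neighbor row: address, BGP version, remote AS, five counters, Up/Down, State/PfxRcd.
ROW = re.compile(r"^(\S+)\s+\d\s+(\d+)(?:\s+\d+){5}\s+\S+\s+(\S+)\s*$")

def parse_bgp_summary(text):
    """Return (local_as, {peer_address: (remote_as, state, prefixes_received)})."""
    local_as, peers = None, {}
    for line in text.splitlines():
        m = re.search(r"local AS number (\d+)", line)
        if m:
            local_as = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            addr, remote_as, last = m.groups()
            # A number in the last column means Established; otherwise it is the FSM state.
            if last.isdigit():
                peers[addr] = (int(remote_as), "Established", int(last))
            else:
                peers[addr] = (int(remote_as), last, 0)
    return local_as, peers

def audit_peers(text, expected):
    """expected maps peer address -> remote-as from 'config neighbor'; empty result = healthy."""
    _, peers = parse_bgp_summary(text)
    findings = []
    for addr, want_as in expected.items():
        if addr not in peers:
            findings.append(f"{addr}: configured peer missing from summary")
        elif peers[addr][0] != want_as:
            findings.append(f"{addr}: remote AS {peers[addr][0]}, expected {want_as}")
        elif peers[addr][1] != "Established":
            findings.append(f"{addr}: session not Established ({peers[addr][1]})")
    for addr, (got_as, _, _) in peers.items():
        if addr not in expected:
            findings.append(f"{addr}: peer not in expected config (AS {got_as})")
    return findings
```

Feeding the script the output collected from both FortiGates gives a quick post-change check that the multihop sessions over the loopback came up with the intended peers only.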