Description
This article describes how to configure FortiGate to establish an eBGP or iBGP session using a loopback interface as the peering address.
Scope
FortiGate v7.0 or higher.
Solution
Diagram: eBGP between two FortiGates that are not directly connected, with the session established from a loopback address:
The eBGP configuration for Fortigate_1:
config router bgp
The eBGP configuration for Fortigate_2:
Loopback configuration:
edit "loopback_1"
Because Fortigate_1 and Fortigate_2 are not directly connected, 'ebgp-enforce-multihop' must be enabled on each of the peers. By default, FortiGate establishes an eBGP session only with a directly connected neighbor: the BGP packets are sent with a TTL of 1, so they are discarded by the first router on the path. In this case the eBGP peers are not in the same subnet, because the session is built between loopback addresses. With 'ebgp-enforce-multihop' enabled, the TTL is raised to 255, which allows the session to be established with a neighbor that is more than one hop away (this restriction is specific to eBGP; iBGP sessions are not limited to directly connected neighbors). Once 'ebgp-enforce-multihop' is enabled, 'ebgp-multihop-ttl' can be lowered from its default value of 255 to the real number of hops to the peer. This restricts how far away the peer can be and makes it harder for a remote host to spoof the session (BGP hijacking). It is a distance limit, not authentication, so it should be combined with a neighbor 'password' (TCP MD5) where both sides support it.
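The complete configuration for the scenario above, as an added example that is not taken from the original article: AS 65101 and router ID 2.2.2.2 for Fortigate_2 come from the 'get router info bgp summary' output shown later; the AS number 65100 for Fortigate_1, the loopback 1.1.1.1, the transit subnets 10.0.1.0/24 and 10.0.2.0/24, the intermediate router addresses and the advertised prefixes are assumptions chosen for illustration. One router sits between the two FortiGates, so 'ebgp-multihop-ttl' is set to 2, the smallest value that reaches the peer.

```fortios
# ---------- Fortigate_1 (assumed AS 65100, loopback 1.1.1.1) ----------
config system interface
    edit "loopback_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
# Static route to the peer's loopback via the intermediate router (assumed 10.0.1.254)
config router static
    edit 1
        set dst 2.2.2.2 255.255.255.255
        set gateway 10.0.1.254
        set device "port1"
    next
end
config router bgp
    set as 65100
    set router-id 1.1.1.1
    config neighbor
        edit "2.2.2.2"
            set remote-as 65101
            # Source the TCP session from the loopback, not the egress interface address
            set update-source "loopback_1"
            # Required: the peer is not on a directly connected subnet
            set ebgp-enforce-multihop enable
            # Lower the TTL from the default 255 to the real hop count (one router in between)
            set ebgp-multihop-ttl 2
            # Distance limiting is not authentication; add TCP MD5 (assumed shared secret)
            set password "ExampleBgpSecret"
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.255.0
        next
    end
end
# FortiGate only accepts traffic terminating on a loopback if a policy allows it
config firewall policy
    edit 0
        set name "bgp-to-loopback"
        set srcintf "port1"
        set dstintf "loopback_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "BGP"
    next
end

# ---------- Fortigate_2 (AS 65101, loopback 2.2.2.2, per the article's output) ----------
config system interface
    edit "loopback_1"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
config router static
    edit 1
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.0.2.254
        set device "port1"
    next
end
config router bgp
    set as 65101
    set router-id 2.2.2.2
    config neighbor
        edit "1.1.1.1"
            set remote-as 65100
            set update-source "loopback_1"
            set ebgp-enforce-multihop enable
            set ebgp-multihop-ttl 2
            set password "ExampleBgpSecret"
        next
    end
    config network
        edit 1
            set prefix 10.2.0.0 255.255.255.0
        next
    end
end
config firewall policy
    edit 0
        set name "bgp-to-loopback"
        set srcintf "port1"
        set dstintf "loopback_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "BGP"
    next
end
```

If the session stays in Active or Connect state, check in this order: 'execute ping-options source 1.1.1.1' followed by 'execute ping 2.2.2.2' proves the loopback-to-loopback path; 'diagnose sniffer packet any "port 179"' shows whether the TCP SYN leaves and whether the reply is seen; and 'get router info bgp neighbor' reports the TTL and multihop settings actually in effect. The same configuration serves an iBGP session by using the same AS on both sides, in which case 'ebgp-enforce-multihop' is not needed but 'update-source' still is.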
BGP status on Fortigate_1:
get router info bgp summary
Total number of neighbors 1
BGP routes advertised by Fortigate_2 (as seen in the routing table of Fortigate_1):
get router info routing-table bgp
Routing table for VRF=0
BGP status on Fortigate_2:
get router info bgp summary
VRF 0 BGP router identifier 2.2.2.2, local AS number 65101
Neighbor        V   AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
Total number of neighbors 1
Ensure that Fortigate_1 and Fortigate_2 each have a valid route (static or learned from an IGP) to the loopback address of the remote eBGP peer; without it the TCP session on port 179 is never established, and the neighbor remains in Active or Connect state regardless of the multihop setting.
Copyright 2024 Fortinet, Inc. All Rights Reserved.