Home

Mastering BGP on FortiGate: A Complete Guide to Configuration and Troubleshooting

.

In today's interconnected network environments, the Border Gateway Protocol (BGP) has evolved from a specialized internet routing protocol to a critical component of enterprise networking. FortiGate firewalls leverage BGP's powerful capabilities to enable sophisticated multi-homed internet connections, dynamic site-to-site routing, and seamless integration with cloud platforms like Microsoft Azure.

This comprehensive guide synthesizes official Fortinet documentation with real-world community insights to provide network administrators with both the foundational knowledge and practical implementation details needed to successfully deploy BGP in diverse FortiGate environments. Whether you're establishing iBGP over VPN tunnels or configuring eBGP with ISPs, understanding these principles is crucial for building resilient, scalable networks.

Understanding BGP Fundamentals on FortiGate

Core Concepts: iBGP vs. eBGP

FortiGate firewalls support both internal BGP (iBGP) for routing within the same autonomous system and external BGP (eBGP) for exchanging routes between different autonomous systems. The distinction is critical:

  • iBGP is typically used between FortiGate devices in the same organization, often over VPN connections. Routes learned via iBGP have an administrative distance of 200 and require special considerations like next-hop-self configurations.
  • eBGP connects your FortiGate to external networks like ISP routers or cloud providers. eBGP-learned routes have an administrative distance of 20, making them preferred over iBGP routes.

Essential BGP Components

Before diving into configuration, ensure these prerequisites are met:

  1. Advanced Routing feature enabled in System > Feature Visibility
  2. Stable IP connectivity between BGP peers (direct or via VPN)
  3. Unique Autonomous System Numbers (ASN) - private ASNs (64512-65514) for internal use
  4. Proper firewall policies allowing TCP port 179 and established/related sessions

Practical Implementation Scenarios

Scenario 1: iBGP Over VPN Between Branch Offices

According to Fortinet's administration guide for versions 7.6.5 and 7.6.6, configuring iBGP over VPN involves these key steps:

FortiGate A Configuration:

config router bgp     set as 64511     set router-id 1.1.1.1     config neighbor         edit "10.100.201.88"             set remote-as 64511             set update-source "toFGTB"         next     end     config network         edit 1             set prefix 192.168.86.0 255.255.255.0         next     end end

FortiGate B Configuration:

config router bgp     set as 64511     set router-id 2.2.2.2     config neighbor         edit "10.100.201.86"             set remote-as 64511             set update-source "toFGTA"         next     end     config network         edit 1             set prefix 192.168.88.0 255.255.255.0         next     end end

The update-source parameter is crucial when peering over VPN interfaces, as it ensures the BGP session uses the correct source IP address. Without this, the peering will fail as the neighbor expects connections from a specific interface IP.

Scenario 2: Multi-Homed Internet with ISP Failover

LabTinker's 2023 implementation demonstrates a real-world multi-homed setup where a FortiGate pair connects to two ISPs. Key configuration elements include:

  1. Prefix Lists for Route Control: Only accepting default routes from ISPs to avoid routing table overload:

    config router prefix-list     edit "accept-default"     config rule         edit 1             set prefix 0.0.0.0 0.0.0.0             unset ge             unset le         next     end

  2. AS-Path Prepending for Path Preference: Making one ISP path less preferred by artificially lengthening the AS path:

    config router route-map     edit "prepend-out"     config rule         edit 1             set set-aspath "1680 1680"         next     end

  3. Route Advertisement Control: Carefully managing which internal prefixes are advertised to ISPs using prefix lists with length qualifications.

Scenario 3: Azure Site-to-Site VPN with BGP

The Fortinet community discussion reveals common challenges when integrating FortiGate with Azure VPN Gateway. Key implementation details include:

  1. Virtual Tunnel Interface Configuration: Azure requires specific tunnel interface settings for BGP:

    • Set addressing mode to "Manual"
    • Assign a dedicated /32 IP not in your advertised networks (e.g., 10.255.255.1)
    • Configure the remote IP as Azure's BGP peer IP with a /32 mask

  2. BGP Neighbor Configuration:

    config router bgp     set as 65514     set router-id 10.255.255.1     config neighbor         edit "192.168.16.254"             set soft-reconfiguration enable             set remote-as 65515             set update-source "Azure-Tunnel-Interface"         next     end

  3. Critical Azure-Side Configuration: BGP must be enabled at three Azure levels: VPN Gateway, Local Network Gateway, and the Connection resource itself.

Advanced Configuration Techniques

Route Optimization and Traffic Engineering

FortiGate's BGP implementation supports several advanced features for optimal routing:

  1. Next-Hop-Self: Essential for iBGP when advertising eBGP-learned routes, ensuring the next-hop is reachable:

    config router bgp     config neighbor         edit "10.100.201.88"             set next-hop-self enable         next     end end

  2. Route Maps for Policy Control: Filtering routes based on various attributes:

    config router route-map     edit "exclude1"     config rule         edit 1             set action deny             set match-origin igp         next     end

  3. Best Path Selection Tuning: Enabling IBGP multipath and additional path support for load balancing.

SD-WAN Integration

The Fortinet SD-WAN Deployment Guide for version 7.0.0 highlights how BGP integrates with SD-WAN architectures:

  • Multiple BGP neighbors over different VPN interfaces (WAN1, WAN2)
  • Keepalive/Hold Timer Optimization: Reducing default timers for faster failover (5/15 seconds vs. standard 60/180)
  • Route redistribution between BGP and SD-WAN rules for dynamic path selection

Troubleshooting Common BGP Issues

Diagnostic Commands and Interpretation

When BGP peering fails, systematically check these areas:

  1. Basic Connectivity: Ensure TCP port 179 is reachable between peers
  2. Session Status: Use get router info bgp neighbors to check BGP state
  3. Route Exchange: Verify with get router info bgp network and get router info routing-table all

Common BGP States and Solutions

BGP State Likely Cause Recommended Action
Idle BGP process not started Check if peer is multiple hops away without ebgp-multihop enabled
Connect TCP connection not initiated Verify routing to peer IP address
Active TCP connection attempted, no response Check ACLs, firewall policies, and packet capture with diagnose sniffer packet any 'tcp and port 179'
Established Session operational Verify route exchange and next-hop reachability

Community Insights on Azure BGP Issues

The Fortinet Community discussion highlights several Azure-specific challenges:

  • APIPA addresses (169.254.x.x) may be used for BGP peering
  • Static route conflicts can prevent BGP-learned routes from installing
  • Route redistribution of connected networks to Azure may not be necessary or desirable

Performance Considerations and Best Practices

  1. Memory Management: Enable "soft reconfiguration" and "route refresh" only when needed, as they increase memory usage
  2. Timer Tuning: Adjust keepalive/hold timers based on link stability requirements
  3. Prefix Aggregation: Advertise summarized routes where possible to reduce table size
  4. Route Filtering: Use prefix lists and route maps extensively to control route propagation
  5. Monitoring: Implement regular checks of BGP session status and route table changes

Conclusion: Building Robust BGP Implementations

Successfully implementing BGP on FortiGate requires understanding both the protocol fundamentals and FortiOS-specific implementation details. By combining the structured approach from official documentation with real-world insights from community experiences, network administrators can build resilient, scalable routing architectures.

Whether connecting branch offices over VPN, establishing multi-homed internet connectivity, or integrating with cloud platforms, FortiGate's BGP capabilities provide the flexibility needed for modern network designs. Remember that BGP is a "configure and verify" protocol—thorough testing and monitoring are essential for maintaining stable routing environments.

Frequently Asked Questions (FAQ)

How do I enable BGP on my FortiGate firewall?

First, enable the Advanced Routing feature in System > Feature Visibility. Then navigate to Network > BGP to begin configuration. If the BGP menu isn't visible, you must enable it in the feature visibility settings first.

What's the difference between iBGP and eBGP on FortiGate?

iBGP is used between routers within the same autonomous system (same AS number), typically over VPN connections. eBGP is used between different autonomous systems, such as between your FortiGate and an ISP router. iBGP routes have an administrative distance of 200, while eBGP routes have a distance of 20.

Why is my BGP session stuck in "Active" state?

The "Active" state indicates your FortiGate has initiated a TCP connection but received no response. Check firewall policies, network ACLs, and ensure the remote peer is configured correctly. Use diagnose sniffer packet any 'tcp and port 179' to see if BGP packets are being transmitted and received.

How do I configure BGP for Azure VPN Gateway?

You need to: 1) Configure the VPN tunnel interface with manual addressing using a /32 IP not in your advertised networks, 2) Set the remote IP as Azure's BGP peer IP, 3) Configure BGP neighbors with the correct AS numbers, 4) Enable BGP on three Azure resources: VPN Gateway, Local Network Gateway, and the Connection resource.

Can I use BGP for load balancing across multiple ISPs?

Yes, FortiGate supports ECMP (Equal-Cost Multi-Path) for BGP routes. Enable "IBGP multi path" in the Best Path Selection section, and ensure you receive the same routes from multiple ISPs. For active-active load balancing, you may need to use local preference or AS-path manipulation to ensure route equality.

How do I troubleshoot BGP route advertisement issues?

Check: 1) Prefix lists and route maps for filtering, 2) Whether networks are configured in the BGP network section, 3) Redistribution settings if using route redistribution, 4) Use get router info bgp neighbors x.x.x.x advertised-routes to see what's being sent, and received-routes to see what's being received.

What are "soft reconfiguration" and "route refresh"?

Both are capabilities that allow for non-disruptive BGP policy changes. "Soft reconfiguration" stores received routes locally, enabling policy changes without resetting the BGP session. "Route refresh" allows dynamic request of route updates. Enable both unless working with memory constraints or very large routing tables.