Technical Note - How To Use BGP and SD-WAN For Advertising Routes and Path Selection in FortiGate
Products
FortiGate
FortiGate v6.0
Purpose
This article describes how to use BGP to advertise routes and SD-WAN for path selection.
Scope
Diagram
Expectations, Requirements
Branch has one Internet connection with two IPsec tunnels toward HQ ISP1 and HQ ISP2.
- VPN 1 on ISP1: HQ Tunnel IP 1.1.1.1; Branch Tunnel IP 1.1.1.2
- VPN 2 on ISP2: HQ Tunnel IP 2.2.2.1; Branch Tunnel IP 2.2.2.2
HQ routing logic:
Branch advertises its subnet with a BGP community:
10.119.0.0/20 → BGP Community 2:1
HQ will then apply SD-WAN rules based on the source address and route tag:
- route tag 21 and source 10.118.0.0/20 → VPN 1 as primary path, VPN 2 as secondary path
- route tag 21 and source 10.111.0.0/20 → VPN 2 as primary path, VPN 1 as secondary path
- routes without tag (Internet access) → port1 as primary path, port2 as secondary path
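The HQ selection logic above (community to route tag, then source prefix plus tag to an ordered member list, with fallback when the primary fails its health check), modelled as an added Python example that is not part of this Fortinet note; the member labels VPN1, VPN2, port1 and port2 and the sample BGP table are assumptions:

```python
import ipaddress

# Constructed model (not FortiOS code) of the HQ logic in this note: the
# route-map maps a BGP community to a route tag, and SD-WAN rules map
# (source prefix, route tag) to members in priority order. Member labels
# VPN1, VPN2, port1 and port2 are assumed names for the four SD-WAN members.
COMMUNITY_TO_TAG = {"2:1": 21}   # community-list Branch_LAN -> set-route-tag 21

# Rules in evaluation order; the first rule that matches wins.
SDWAN_RULES = [
    (ipaddress.ip_network("10.118.0.0/20"), 21, ["VPN1", "VPN2"]),
    (ipaddress.ip_network("10.111.0.0/20"), 21, ["VPN2", "VPN1"]),
    (None, None, ["port1", "port2"]),   # untagged routes: Internet access
]

# Constructed BGP table as HQ would learn it from the Branch.
BGP_ROUTES = [
    {"prefix": ipaddress.ip_network("10.119.0.0/20"), "communities": ["2:1"]},
]


def route_tag_for(communities):
    """Route-map rule 1: a matching community sets the tag; rule 2 passes the rest untagged."""
    for community in communities:
        if community in COMMUNITY_TO_TAG:
            return COMMUNITY_TO_TAG[community]
    return None


def select_member(src_ip, dst_ip, bgp_routes, sla_ok):
    """Return the SD-WAN member carrying src->dst, or None when no rule matches
    or every member of the matching rule fails its health check."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Longest-prefix match in the BGP table decides which tag (if any) applies.
    candidates = [r for r in bgp_routes if dst in r["prefix"]]
    best = max(candidates, key=lambda r: r["prefix"].prefixlen, default=None)
    tag = route_tag_for(best["communities"]) if best else None
    for src_net, rule_tag, members in SDWAN_RULES:
        if src_net is not None and src not in src_net:
            continue
        if rule_tag is not None and tag != rule_tag:
            continue
        # Primary first; the secondary is used only if the primary's SLA fails.
        for member in members:
            if sla_ok.get(member, False):
                return member
        return None
    return None
```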
1 of 13 2/10/2020, 12:44 PM
Technical Note: How to use BGP and SD-WAN for advertising routes an... https://kb.fortinet.com/kb/viewContent.do?externalId=FD41389&sliceId=1
Configuration
HQ:
1. Configure IP addresses on tunnel interfaces for health checks and iBGP peerings:
config system interface
edit "port1_p1"
set ip 1.1.1.1 255.255.255.255
set remote-ip 1.1.1.2 255.255.255.255
next
edit "port2_p1"
set ip 2.2.2.1 255.255.255.255
set remote-ip 2.2.2.2 255.255.255.255
next
end
config system virtual-wan-link
config health-check
edit "PingGoogle"
set server "8.8.8.8"
set members 1 2
config sla
edit 1
next
end
next
edit "PingBR"
set server "10.119.2.36"
set members 3 4
config sla
edit 1
next
end
next
end
end
4. Configure prefix-lists, route-map and BGP in order to set the BGP communities on the
advertised routes:
config router prefix-list
edit "HQ_LAN_1"
config rule
edit 1
set prefix 10.118.0.0 255.255.240.0
unset ge
unset le
next
end
next
edit "HQ_LAN_2"
config rule
edit 1
set prefix 10.111.0.0 255.255.240.0
unset ge
unset le
next
end
next
end
5. Configure community-lists, route-map and BGP in order to set the route-tag depending on
the received BGP community:
config router community-list
edit "Branch_LAN"
config rule
edit 1
set action permit
set match "2:1"
next
end
next
end
config router route-map
edit "Community_to_tag"
config rule
edit 1
set match-community "Branch_LAN"
set set-route-tag 21
next
edit 2
next
end
next
end
config firewall address
edit "HQ_Subnet_1"
set subnet 10.118.0.0 255.255.240.0
next
edit "HQ_Subnet_2"
set subnet 10.111.0.0 255.255.240.0
next
end
config firewall policy
edit 5
set name "LAN_HQ->BR"
set srcintf "port5" "port6"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "Remote_subnet"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set name "BR->LAN_HQ"
set srcintf "virtual-wan-link"
set dstintf "port5"
set srcaddr "Remote_subnet" "Tunnel_port1" "Tunnel_port2"
set dstaddr "HQ_Subnet_1"
set action accept
set schedule "always"
set service "ALL"
next
edit 7
set name "BR->LAN_HQ_2"
set srcintf "virtual-wan-link"
set dstintf "port6"
set srcaddr "Remote_subnet"
set dstaddr "HQ_Subnet_2"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "LAN_HQ->Internet"
set srcintf "port5" "port6"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set av-profile "default"
set webfilter-profile "monitor-all"
set ips-sensor "default"
set application-list "default"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
edit 6
set name "BR->Internet"
set srcintf "virtual-wan-link"
set dstintf "virtual-wan-link"
set srcaddr "Remote_subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set av-profile "default"
set webfilter-profile "monitor-all"
set ips-sensor "default"
set application-list "default"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
next
end
Branch:
4. Configure prefix-lists, route-map and BGP in order to set the BGP communities on the
advertised routes:
config router prefix-list
edit "Branch_LAN"
config rule
edit 1
set prefix 10.119.0.0 255.255.240.0
unset ge
unset le
next
end
next
end
5. Configure community-lists, route-map and BGP in order to set the route-tag depending on
the received BGP community:
config router community-list
edit "HQ_LAN_1"
config rule
edit 1
set action permit
set match "1:1"
next
end
next
edit "HQ_LAN_2"
config rule
edit 1
set action permit
set match "1:2"
next
end
next
end
next
edit 3
next
end
next
end
7. The default route points to the virtual-wan-link (SD-WAN) interface. Host routes toward the remote
VPN gateways are added on wan1 so that the VPN tunnels can be established:
config router static
edit 2
set dst 172.31.195.5 255.255.255.255
set gateway 10.5.31.254
set device "wan1"
next
edit 3
set dst 172.31.131.5 255.255.255.255
set gateway 10.5.31.254
set device "wan1"
next
edit 4
set distance 1
set virtual-wan-link enable
next
end
8. Two firewall policies are created on the SD-WAN interface to allow the traffic as follows:
Verification
HQ:
Local
2.2.2.2 from 2.2.2.2 (10.119.2.36)
Origin IGP metric 0, localpref 100, valid, internal
Community: 2:1
Last update: Mon Apr 16 09:50:39 2018
Branch:
Local
2.2.2.1 from 2.2.2.1 (10.10.10.10)
Origin IGP metric 0, localpref 100, valid, internal
Community: 1:1
Last update: Mon Apr 16 09:21:31 2018
Local
2.2.2.1 from 2.2.2.1 (10.10.10.10)
Origin IGP metric 0, localpref 100, valid, internal
Community: 1:2
Last update: Mon Apr 16 09:21:31 2018
Related Articles
Technical Note: Configure FortiGate SD-WAN with an IPSEC VPN