To add the security policies – CLI
config firewall policy
    edit 1
        set srcintf "port1"
        set srcaddr "Internal_network"
        set dstintf "ISPs"
        set dstaddr "all"
        set schedule "always"
        set service "Basic_services"
        set action accept
        set nat enable
        set profile-status enable
        set logtraffic enable
        set comments "ISP1 basic services out policy"
    next
    edit 2
        set srcintf "ISPs"
        set srcaddr "all"
        set dstintf "port1"
        set dstaddr "Internal_network"
        set schedule "always"
        set service "Basic_services"
        set action accept
        set nat enable
        set profile-status enable
        set logtraffic enable
        set comments "ISP1 basic services in policy"
    next
end
Set the FortiGate BGP information
When using the default information, there are only two fields to set to configure the FortiGate unit as a BGP router.
For this configuration the FortiGate unit will be in a stub area with one route out, the ISP BGP router. Until you configure the ISP router as a neighbor, even that route out is not available. So, although the FortiGate unit will be running BGP once this part of the configuration is complete, it will not know about any other routers running BGP until the next part of the configuration is complete.
To set the BGP router information – web-based manager
1. Go to Router > Dynamic > BGP.
2. Set the following information, and select OK.
Local AS 1
Router ID 10.11.101.110
To set the BGP router information – CLI
config router bgp
    set as 1
    set router-id 10.11.101.110
end
Add the internal network to the AS
The Company is one AS with the FortiGate unit configured as the BGP border router connecting that AS to the two ISPs' ASes. The internal network in the Company's AS must be defined. If there were other networks in the company, such as regional offices, they would be added here as well.
To set the networks in the AS – web-based manager
1. Go to Router > Dynamic > BGP.
2. In Networks, next to IP/Netmask, set the following information and select Add.
IP/Netmask 10.11.101.0/255.255.255.0
Hi Mike,
If I configure the following on fortigate1:
config router bgp
    set as 65000
    set router-id 10.2.2.254
    config neighbor
        edit "10.2.2.253"
            set next-hop-self enable
            set remote-as 65000
            set send-community6 disable
        next
    end
    config redistribute "static"
        set status enable
    end
end
fortigate2 should get the default route 0.0.0.0 0.0.0.0 from fortigate1 as it is static?
How can I redistribute the default route (fortigate1) to fortigate2?
Thanks,
Regards
There is a really good KB article that explains how to do this. You can find it here.
If you want to redistribute static routes you would enable the following:
config router bgp
    config redistribute static
        set status enable
    end
end
An example of the config would be like this:
config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end
config router bgp
    set as 2
    config neighbor
        edit 10.142.0.110
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
Let me know if this helped answer your question!
Thanks!
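The inbound filter in the example above, as an added illustration that is not part of the thread or of Fortinet's own code: a small Python model of prefix-list and route-map-in evaluation, assuming the conventional semantics (a rule with ge and le unset matches only that exact prefix length), which shows why "only_dflt" lets just the default route through while the same prefix with `set le 32` would admit everything the neighbour advertises.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PrefixRule:
    prefix: str                # 'set prefix 0.0.0.0 0.0.0.0' -> "0.0.0.0/0"
    ge: Optional[int] = None   # 'unset ge' -> None
    le: Optional[int] = None   # 'unset le' -> None
    action: str = "permit"     # FortiOS default action for a rule

def rule_matches(rule: PrefixRule, route: str) -> bool:
    # Assumed conventional prefix-list semantics: the route must lie inside the
    # rule prefix and its length must equal the rule length unless ge/le widen
    # the range (ge alone runs up to /32, le alone starts at the rule length).
    r = ipaddress.ip_network(rule.prefix, strict=False)
    n = ipaddress.ip_network(route, strict=False)
    if not n.subnet_of(r):
        return False
    lo = rule.ge if rule.ge is not None else r.prefixlen
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = r.max_prefixlen
    else:
        hi = r.prefixlen
    return lo <= n.prefixlen <= hi

def prefix_list_permits(rules: List[PrefixRule], route: str) -> bool:
    # First matching rule decides; a route that matches no rule is denied.
    for rule in rules:
        if rule_matches(rule, route):
            return rule.action == "permit"
    return False

def route_map_in(prefix_list: List[PrefixRule], routes: List[str]) -> List[str]:
    # "only_default_route" has one permit rule whose only match clause is the
    # prefix-list; a route it does not permit hits the route-map's implicit deny.
    return [rt for rt in routes if prefix_list_permits(prefix_list, rt)]

ONLY_DFLT = [PrefixRule("0.0.0.0/0")]          # the thread's "only_dflt" rule 1
ANY_ROUTE = [PrefixRule("0.0.0.0/0", le=32)]   # same prefix with 'set le 32'
# Constructed sample advertisement from the neighbour (not data from the page).
ADVERTISED = ["0.0.0.0/0", "10.142.0.0/24", "192.0.2.0/24", "198.51.100.0/25"]

if __name__ == "__main__":
    print(route_map_in(ONLY_DFLT, ADVERTISED))   # ['0.0.0.0/0']
    print(route_map_in(ANY_ROUTE, ADVERTISED))   # all four constructed prefixes
```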
Hi,
thanks for the link and example, got it working!
Regards
Awesome to hear Piccolo!
config router bgp
    set as 65041
    set router-id 162.53.156.138
    config neighbor
        edit "10.104.55.1"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
        edit "10.104.55.2"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
    end
end
I am trying to accomplish the above, but I can see that only one neighbour is established and the other is in ACTIVE state…
So you see both neighbors but only one is active?