To create an access list to block Peer 1 – CLI
config router access-list
    edit "block_peer1"
        config rule
            edit 1
                set prefix 172.21.111.0 255.255.255.0
                set action deny
                set exact-match enable
            next
        end
    next
end
To configure BGP on the FortiGate unit – CLI
config router bgp
    set as 65001
    set router-id 10.11.201.110
    config redistribute ospf
        set status enable
    end
    config neighbor
        edit 172.22.222.5
            set remote-as 65001
            set distribute-list-out "block_peer1"
        next
        edit 172.21.111.5
            set remote-as 65001
        next
    end
end
Configuring the FortiGate unit – OSPF
This configuration uses a single OSPF area, so all OSPF traffic is intra-area. With two or more areas, traffic passing between them would be inter-area. The distinction is loosely comparable to BGP's split between routing inside one AS (iBGP) and routing between ASes (eBGP). Routes redistributed from OSPF into BGP, or from BGP into OSPF, are external routes, because one end of the path lies in a different routing protocol.
The OSPF configuration is basic apart from redistributing the routes learned from BGP.
To configure OSPF on the FortiGate unit – web-based manager
1. Go to Router > Dynamic > OSPF.
2. For Router ID enter 10.11.201.110 and then select Apply.
3. Under Advanced Options > Redistribute, select BGP and set the BGP Metric to 1.
4. For Areas, select Create New, enter the following information and then select OK.
Area (IP): 0.0.0.0
Type: Regular
Authentication: None
5. For Networks, select Create New.
6. Enter 10.11.201.0/255.255.255.0 for IP/Netmask, and select OK.
7. For Interfaces, select Create New.
8. Enter OSPF_dmz_network for Name.
9. Select port1(dmz) for Interface, and then select OK.
To configure OSPF on the FortiGate unit – CLI
config router ospf
    set router-id 10.11.201.110
    config area
        edit 0.0.0.0
            set type regular
            set authentication none
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 10.11.201.0 255.255.255.0
        next
    end
    config interface
        edit "OSPF_dmz_network"
            set interface port1(dmz)
            set status enable
        next
    end
    config redistribute bgp
        set status enable
        set metric 1
    end
end
Configuring other networking devices
As with any BGP deployment, the peer routers must be configured with the FortiGate unit's BGP parameters: its IP address and AS number, and any capabilities it uses, such as IPv6, graceful restart, or BFD.
Hi Mike,
If I configure the following on fortigate1:
config router bgp
    set as 65000
    set router-id 10.2.2.254
    config neighbor
        edit "10.2.2.253"
            set next-hop-self enable
            set remote-as 65000
            set send-community6 disable
        next
    end
    config redistribute "static"
        set status enable
    end
end
fortigate2 should get the default route 0.0.0.0 0.0.0.0 from fortigate1, as it is static?
How can I redistribute the default route (fortigate1) to fortigate2?
thanks
regards
There is a really good KB article that explains how to do this. You can find it here.
If you want to redistribute static routes, you would enable the following:
config router bgp
    config redistribute static
        set status enable
    end
end
An example of the config would be like this:
config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end
config router bgp
    set as 2
    config neighbor
        edit 10.142.0.110
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
Let me know if this helped answer your question!
Thanks!
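The same first-match filtering logic is behind both the access-list "block_peer1" in the cookbook section above and the prefix-list "only_dflt" in the answer just given. The Python model below is an added example, not Fortinet code and not something posted in this thread; it reproduces those rule semantics offline so the effect of exact-match and of ge/le can be checked before a filter is attached to a peer. Assumptions, also marked in the comments: an unmatched route is denied (implicit deny, as in Cisco-style filters; verify against the running firmware), an access-list rule with exact-match disabled matches every route inside its prefix, and the candidate route set is constructed for the example. The second, permit-any rule in the access-list scenario is added here as well, because with only the deny rule the implicit deny would suppress every other route to that peer.

```python
"""Model of FortiOS-style route filtering: first-match rules with an implicit deny.

Added example, not Fortinet code. It reproduces the rule semantics of the
access-list "block_peer1" (exact-match) and the prefix-list "only_dflt"
(ge/le bounds) so the filtering outcome can be checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    prefix: str                 # "a.b.c.d/len" or "any"
    action: str = "permit"      # "permit" or "deny"
    kind: str = "access"        # "access" (access-list) or "prefix" (prefix-list)
    exact_match: bool = False   # access-list: set exact-match enable
    ge: Optional[int] = None    # prefix-list: set ge N
    le: Optional[int] = None    # prefix-list: set le N

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.prefix == "any":
            return True
        net = ipaddress.ip_network(self.prefix)
        # The route's leading bits must fall inside the rule's prefix.
        if not route.subnet_of(net):
            return False
        if self.kind == "access":
            # exact-match on: only the identical prefix matches.
            # exact-match off: any route inside the prefix matches (assumed default).
            return route.prefixlen == net.prefixlen if self.exact_match else True
        # Prefix-list length window: with ge/le unset only the rule's own length
        # matches; ge alone widens it up to /32; le alone from the rule length to le.
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else net.prefixlen)
        return lo <= route.prefixlen <= hi


def filter_routes(rules: List[Rule], routes: List[str]) -> List[str]:
    """Return the routes a first-match filter lets through.

    A route that matches no rule is denied (implicit deny; assumption to
    verify against the running firmware).
    """
    kept = []
    for text in routes:
        route = ipaddress.ip_network(text)
        verdict = "deny"
        for rule in rules:
            if rule.matches(route):
                verdict = rule.action
                break
        if verdict == "permit":
            kept.append(text)
    return kept


# Constructed sample of routes the FortiGate would otherwise advertise or accept.
CANDIDATES = ["172.21.111.0/24", "172.21.111.128/25", "10.11.201.0/24", "0.0.0.0/0"]

# Scenario 1: distribute-list-out "block_peer1". Rule 1 is the page's deny;
# rule 2 (permit any) is added here so the implicit deny does not also drop
# every other route.
BLOCK_PEER1 = [
    Rule("172.21.111.0/24", "deny", exact_match=True),
    Rule("any", "permit"),
]


def advertised_to_peer2() -> List[str]:
    # exact-match suppresses the /24 itself; the /25 inside it still goes out.
    return filter_routes(BLOCK_PEER1, CANDIDATES)


def advertised_without_exact_match() -> List[str]:
    # With exact-match off the more-specific /25 is caught as well.
    rules = [Rule("172.21.111.0/24", "deny"), Rule("any", "permit")]
    return filter_routes(rules, CANDIDATES)


# Scenario 2: route-map-in matching prefix-list "only_dflt" (ge and le unset).
ONLY_DFLT = [Rule("0.0.0.0/0", "permit", kind="prefix")]


def accepted_default_only() -> List[str]:
    return filter_routes(ONLY_DFLT, CANDIDATES)


def accepted_with_le32() -> List[str]:
    # Common mistake: adding "set le 32" turns 0.0.0.0/0 into match-everything.
    return filter_routes([Rule("0.0.0.0/0", "permit", kind="prefix", le=32)], CANDIDATES)


if __name__ == "__main__":
    print("peer2, exact-match on :", advertised_to_peer2())
    print("peer2, exact-match off:", advertised_without_exact_match())
    print("only_dflt             :", accepted_default_only())
    print("only_dflt with le 32  :", accepted_with_le32())
```

Run it with python3 and compare the four results: with exact-match the /25 inside the blocked /24 still reaches the peer, and the only_dflt prefix-list admits nothing but 0.0.0.0/0 until someone adds le 32, at which point it admits everything. On a live unit the equivalent check is get router info bgp neighbors <peer-ip> advertised-routes for an outbound filter and get router info bgp neighbors <peer-ip> routes for an inbound one.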
Hi,
Thanks for the link and example, got it working!
Regards
Awesome to hear, Piccolo!
config router bgp
    set as 65041
    set router-id 162.53.156.138
    config neighbor
        edit "10.104.55.1"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
        edit "10.104.55.2"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
    end
end
I am trying to accomplish the above, but I can see that only one neighbour is established and the other is in ACTIVE state...
So you see both neighbors but only one is active?