BGP Basics

BGP (Border Gateway Protocol) is what the internet uses to share routes between organizations. On a FortiGate, you'd run BGP to:

  • Peer with an ISP that offers BGP (for multi-homed internet with your own AS).
  • Peer with a cloud provider (AWS Direct Connect, Azure ExpressRoute) for hybrid network routing.
  • Peer with another organization's edge router (e.g. between datacenters).

BGP is overkill for small networks — if you only have one ISP and one internal network, use static routes. BGP only makes sense when you control routing decisions at the edge.

Concepts (Quick)

  • AS (Autonomous System) — your organization's routing domain, identified by an AS number (e.g. 65001 for private, 14618 for AWS).
  • eBGP — peering between different ASes (typical with ISPs/clouds).
  • iBGP — peering within the same AS (your own routers).
  • Neighbor — the peer you exchange routes with. Identified by IP and remote AS number.
  • Advertised networks — which of your networks you tell the neighbor about.

Before You Start

  • You know your AS number (or use a private one in the 64512-65534 range for internal-only).
  • You know the neighbor's IP and AS number.
  • BGP TCP/179 is reachable to the neighbor (firewall policy + interface admin access).
  • The networks you'll advertise are decided.

Steps

  1. Network → BGP (may need to enable via System → Feature Visibility → BGP).
  2. BGP Settings:
    • Local AS — your AS number (e.g. 65001).
    • Router ID — e.g. 1.1.1.1. Unique per BGP speaker.
  3. Neighbors → + Create New:
    • IP — neighbor's IP, e.g. 203.0.113.1.
    • Remote AS — neighbor's AS number.
    • Description — e.g. ISP-A primary peer.
    • Multihop — Disabled typically. Enable for indirect neighbors (loopback peering).
    • Soft Reconfiguration — Enabled (lets you tweak inbound policy without resetting the session).
    • Update Source — interface or IP to source the BGP session from.
  4. Networks → + Create New:
    • IP/Netmask — the subnets you're willing to advertise to the neighbor.
  5. Route Reflector / Confederation — only for larger iBGP designs.
  6. Apply.

CLI Equivalent

config router bgp
    set as 65001
    set router-id 1.1.1.1
    config neighbor
        edit "203.0.113.1"
            set remote-as 14618
            set description "AWS Direct Connect"
            set soft-reconfiguration enable
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.0.0
        next
    end
end

Verify

# BGP session state — should reach "Established":
get router info bgp summary

# Routes received from neighbor:
get router info bgp neighbor 203.0.113.1 received-routes

# Routes you're advertising:
get router info bgp neighbor 203.0.113.1 advertised-routes

# BGP routes in the routing table:
get router info routing-table bgp

Session states: Idle → Connect → Active → OpenSent → OpenConfirm → Established. Stuck at Active = TCP/179 not reaching neighbor (firewall, ACL, or interface issue).

Common Issues

  • Session won't establish. Most often: AS number mismatch, source IP mismatch (the neighbor expects the session from a different IP), or TCP/179 blocked. Check that both sides agree on AS numbers and peer IPs.
  • Session Established but no routes. Networks not advertised, or advertised but filtered by a route-map. Check advertised-routes from your side against what the neighbor expects to receive.
  • Too many routes received (full BGP table). The internet full table is ~1M routes, and FortiGate models have a finite route-table capacity. Use a prefix-list on the neighbor to accept only what you need (default route + specifics).
  • Path selection wrong. BGP path selection considers many attributes (local preference, AS path length, MED, etc.). Adjust via route-maps — beyond a beginner-level config.
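The inbound prefix-list mentioned above, as an added example that is not part of the original page: it permits only a default route and one specific prefix from the neighbor configured earlier, then denies everything else, and adds a maximum-prefix safety limit. The list name "ISP-A-IN", the prefix 198.51.100.0/24 and the limit of 100 are assumed values chosen for illustration.

```fortios
# Added example: inbound filter for neighbor 203.0.113.1 (names/values are assumptions)
config router prefix-list
    edit "ISP-A-IN"
        config rule
            # rule 1: accept only an exact default route (0.0.0.0/0)
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                set action permit
            next
            # rule 2: accept one specific prefix you actually need (constructed value)
            edit 2
                set prefix 198.51.100.0 255.255.255.0
                set action permit
            next
            # rule 3: explicit deny for everything else
            edit 3
                set prefix any
                set action deny
            next
        end
    next
end

config router bgp
    config neighbor
        edit "203.0.113.1"
            # apply the filter inbound; soft-reconfiguration (set earlier) lets it take effect without a session reset
            set prefix-list-in "ISP-A-IN"
            # tear down the session if the peer ever sends more than 100 prefixes
            set maximum-prefix 100
        next
    end
end
```

After applying, `get router info bgp neighbor 203.0.113.1 received-routes` should show only the default route and 198.51.100.0/24.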