BGP
Learn how to configure BGP on the firewall, including setting the Router ID, defining the local AS number, and configuring IPv4 and IPv6 neighbors and networks.
The firewall supports the Internal Gateway Protocol (iBGP) and the External Border Gateway Protocol (eBGP). To use BGP, you must turn on dynamic routing for device access and create firewall rules to allow inbound and outbound BGP traffic.
BGP concepts
Border Gateway Protocol (BGP) is a path vector protocol that contains path information. It enables the routers to share routing information between autonomous systems (AS) so that loop-free routes can be created. ISPs generally use this protocol.
An AS is a connected group of networks or routers that are under the control of a single administrative entity and share common routing policies. Each AS is assigned a unique AS number that identifies it. The AS number enables information exchange between neighboring autonomous systems. You must use private AS numbers if you don't require a unique AS number. BGP private AS numbers range from 64512 to 65535.
BGP selects a single path from the multiple advertisements received from multiple sources for the same route. When the path is selected, BGP puts it in the IP routing table and passes it to its neighbor.
Global configuration
Specify the following global settings:
- Under Router ID assignment, click one of the following options:
  - Automatic: The firewall automatically selects the highest IP address of all the configured interfaces as the router ID. This may reset the BGP sessions.
  - Manual: You must specify a Router ID.
- Enter a Router ID, for example, 12.34.5.66.
  Note: If you change the router ID, the firewall resets all BGP sessions.
- Under Local AS, enter the local autonomous system (AS) number.
  Acceptable values: 1 to 4294967295
  Note: If you change the local AS value, the firewall deletes all configured neighbors and networks.
- Click Apply.
Note: When you apply the Global configuration settings on the web admin console, the firewall removes your changes to the following default settings: bgp log-neighbor-changes and no bgp ebgp-requires-policy.
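A check for the drift the note above describes, as an added example that is not Sophos code: it reads a BGP configuration dump, validates the router ID and local AS against the ranges given on this page, and reports where the two defaults have been overridden. The FRR-style line syntax (router bgp, bgp router-id), the function name and the sample text are assumptions.

```python
import ipaddress
import re

# Defaults named in the note; the web admin console restores them on Apply.
CONSOLE_DEFAULTS = {
    "log-neighbor-changes": "bgp log-neighbor-changes",
    "ebgp-requires-policy": "no bgp ebgp-requires-policy",
}
PRIVATE_AS = range(64512, 65536)    # private AS range stated on this page
VALID_AS = range(1, 4294967296)     # acceptable Local AS values on this page

# Constructed sample dump (assumed FRR-style syntax) with both defaults changed.
SAMPLE = """\
router bgp 65010
 bgp router-id 12.34.5.66
 no bgp log-neighbor-changes
 bgp ebgp-requires-policy
"""


def audit_bgp_config(text):
    """Return findings for a BGP configuration dump (hypothetical helper)."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = {"local_as": None, "as_valid": False, "as_private": False,
                "router_id": None, "router_id_valid": False, "overrides": {}}
    for ln in lines:
        m = re.fullmatch(r"router bgp (\d+)", ln)
        if m:
            asn = int(m.group(1))
            findings.update(local_as=asn, as_valid=asn in VALID_AS,
                            as_private=asn in PRIVATE_AS)
        m = re.fullmatch(r"bgp router-id (\S+)", ln)
        if m:
            findings["router_id"] = m.group(1)
            try:
                ipaddress.IPv4Address(m.group(1))
                findings["router_id_valid"] = True
            except ValueError:
                pass  # not a dotted-quad IPv4 value; leave flagged as invalid
    # A setting is overridden when the opposite form of its default is present.
    for key, default in CONSOLE_DEFAULTS.items():
        opposite = default[3:] if default.startswith("no ") else "no " + default
        if opposite in lines:
            findings["overrides"][key] = opposite
    return findings
```

Run it on a dump saved before you click Apply: any entry under overrides is a customization that Apply will reset to the default.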
Neighbors
Neighbors are the routers between which a TCP connection is established. You can add, edit, or delete IPv4 and IPv6 neighbors.
Networks
You can see the available BGP networks with the corresponding netmasks and prefixes. You can add, update, or delete IPv4 and IPv6 networks.
Allow access
You must allow access as follows:
- Allow dynamic routing: By default, dynamic routing is turned off. To turn it on, go to Administration > Device access and select the neighbors' zones for which you want to allow dynamic routing.
- Allow traffic: You must configure firewall rules to allow outbound and inbound traffic.