Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=routing-BGP

BGP

You can configure IPv4 and IPv6 BGP routes.

Border Gateway Protocol (BGP) is a path vector protocol that contains path information. It enables the routers to share routing information between autonomous systems (AS) so that loop-free routes can be created. ISPs generally use this protocol.

An AS is a connected group of networks or routers under the control of a single administrative entity. They share common routing policies. A unique AS number is assigned to each AS to identify them uniquely. The AS number enables information exchange between neighboring autonomous systems. You must use private AS numbers if you don't require a unique AS number. BGP private AS numbers range from 64512 to 65535.

Sophos Firewall supports internal and external border gateway protocols (iBGP and eBGP).

BGP selects a single path from the multiple advertisements received from multiple sources for the same route. When the path is selected, BGP puts it in the IP routing table and passes it to its neighbor.

Global configuration

Router ID assignment

Specify whether you want the router ID assignment to be Automatic or Manual.

If you select Automatic, the firewall automatically selects the highest IP address of all the configured interfaces as the router ID. This may reset the BGP sessions.

If you select Manual, you must specify a Router ID.

Router ID

Specify a router ID for BGP.

Example

12.34.5.66

Local AS

Enter the local autonomous system (AS) number.

Acceptable range: 1 to 4294967295

Neighbors

Neighbors are the routers between which a TCP connection is established. You can add, update, or delete IPv4 and IPv6 neighbors.

Networks

You can see the available BGP networks with the corresponding netmasks and prefixes. You can add, update, or delete IPv4 and IPv6 networks.

Allow access

You must configure the following:

  1. Allow dynamic routing: By default, dynamic routing is turned off. To turn it on, go to Administration > Device access and select the neighbors' zones for which you want to allow dynamic routing.
  2. Allow traffic: You must configure firewall rules to allow outbound and inbound traffic.

More resources