Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=CLI-route-configuration-BGP-steps

Configure BGP

Learn how to configure Border Gateway Protocol (BGP) on the firewall using the CLI, including how to define networks and manage routing updates.

The firewall supports BGP when it's deployed in gateway mode, allowing it to advertise its routing table, learn routes from neighboring autonomous systems (AS), and automatically determine the best path to destination networks.

Configure BGP networks and neighbors

  1. To enter the BGP configuration mode, enter the following options:

    1. For Route configuration: 3
    2. For Configure unicast routing: 1
    3. For Configure BGP: 3

    You'll see the following prompt: bgp>

  2. Open BGP configuration: bgp>enable

  3. Open the router configuration for related details: bgp#configure terminal

  4. Enter the BGP router configuration mode:

    bgp(config)#router bgp <AS number>

    Note

    If you haven't already assigned an AS number, the command assigns the number you enter.

  5. (Optional) Manually configure the router ID.

    bgp(config-router)# bgp router-id <ip address format>

    Enter the ID in the IPv4 address format, for example, 1.1.1.1. It doesn't need to be a valid IP address.

    By default, the firewall automatically selects the highest IP address of all the configured interfaces as the router ID.

    Note

    If you change the router ID, the firewall resets all BGP sessions.

  6. To configure a network, do as follows:

    1. Specify the network's IP version using one of the following commands:

      • bgp(config-router)#address-family ipv4 unicast
      • bgp(config-router)#address-family ipv6 unicast

      Note

      To change the IP version, exit the address family mode (exit), then enter the IP version command you want.

    2. Enter an IPv4 or IPv6 network:

      • IPv4: bgp(config-router-af)#network <ipv4 address>/<subnet mask>
      • IPv6: bgp(config-router-af)#network <ipv6 address>/<prefix>
      Example

      network 10.10.10.0/24

      network 2008:DB9::/32

    3. (Optional) Don't advertise IPv4 networks to IPv6 neighbors:

      1. bgp(config-router)#address-family ipv4 unicast
      2. bgp(config-router-af)#no neighbor <ipv6 address> activate

      Note

      By default, the firewall advertises IPv4 networks to all neighbors. Enter the command to make sure these aren't advertised to IPv6 neighbors when you configure an IPv6 neighbor on the CLI.

      For web admin console configurations, the firewall automatically adds this command to IPv4 networks.

    4. Advertise IPv6 networks to IPv6 neighbors:

      1. bgp(config-router-af)#exit (If you're in IPv4 mode.)
      2. bgp(config-router)#address-family ipv6 unicast
      3. bgp(config-router-af)#neighbor <ipv6 address> activate

      Note

      By default, the firewall doesn't advertise IPv6 networks to any neighbors. Enter the command to advertise these to IPv6 neighbors when you configure an IPv6 neighbor on the CLI.

      For web admin console configurations, the firewall automatically adds this command to IPv6 networks.

    5. Exit the address family mode: exit

  7. To configure a neighbor, enter the neighbor's IPv4 or IPv6 address and AS number:

    bgp(config-router)#neighbor <ip address> remote-as <neighbor's AS number>

  8. Check the configuration: bgp(config-router)#show running-config

    If you've used automatic router ID assignment on the web admin console, the ID isn't shown with this command.

  9. Save the configuration: bgp(config-router)#write

    Note

    You must run the write command to save route configurations made through the CLI so they reflect on the web admin console and persist on a firewall or daemon restart.

  10. Exit router configuration mode: bgp(config-router)#end

  11. Exit BGP configuration mode: bgp#exit

Default settings

When you configure BGP from the web admin console, the firewall automatically applies these default settings.

  • To implement these settings when you configure BGP on the CLI, you must enter the commands.
  • When you apply the Global configuration settings on the web admin console, the firewall removes your changes to the following default settings: bgp log-neighbor-changes and no bgp ebgp-requires-policy.
  • The firewall only shows custom values when you run the show running-config command. For example, it doesn't show the maximum-paths ibgp value if it's set to the default value of 16.

Commands

Commands Description

bgp(config-router)#

no bgp ebgp-requires-policy

 The command removes the need for BGP route policies to learn and advertise BGP routes.

bgp(config-router)#

bgp log-neighbor-changes

 The firewall logs a message when a neighbour becomes available or unavailable.
no neighbor <ipv6 address> activate Stops advertising IPv4 networks to IPv6 neighbors.
neighbor <ipv6 address> activate Advertises IPv6 networks to IPv6 neighbors.