Configuring BGP with Dual ISP on Fortinet Firewall in Azure Active-Passive Mode

Preetham Singh 5 Reputation points
2025-09-17T07:14:18.8766667+00:00

Hi Team,

With two ISPs terminating at a single Fortinet firewall, VPN connections to the FortiGate have been established using both ISP IPs, and BGP is enabled. However, routes from Azure are not appearing on the FortiGate. The Virtual Network Gateway (VNG) has been set to Active-Passive mode.

What steps can be taken to resolve this issue, and how will failover take place?

Azure Firewall

2 answers

  1. Preetham Singh 5 Reputation points
    2025-09-17T07:15:17.0833333+00:00

    And there is no UDR in Azure.


  2. Priya ranjan Jena 1,990 Reputation points Microsoft External Staff Moderator
    2025-09-17T08:30:22.5533333+00:00

    Hi Preetham Singh,

    Thank you for reaching out on Microsoft Q&A forum.

    You can follow the steps below to understand the issue better and make it work.

    1. BGP Peering Configuration

    In Active-Passive mode, only one Azure VPN Gateway instance is active at a time. If FortiGate is trying to peer with both IPs simultaneously, the passive gateway will not respond, causing BGP to fail.

    Ensure that the BGP router ID on the FortiGate is correctly set to the local gateway IP, and that the BGP peer IP is set to the remote Azure VPN Gateway IP.

    2. Tunnel Interface IPs

    FortiGate requires ip and remote-ip settings on the tunnel interface to establish BGP neighborship; without these, BGP won't initiate a TCP session.

    3. Route Advertisement from Azure

    Azure VNG in Active-Passive mode only advertises routes from the active instance. If FortiGate is not peering with the active IP, it won’t receive routes.

    Please confirm that FortiGate is peering with the active gateway IP and that Azure is advertising the correct prefixes.

    Use Get-AzVirtualNetworkGatewayAdvertisedRoutes to confirm what Azure is sending.

    4. Routing Table Visibility

    Check the effective routes on the NIC of the Azure VM. Sometimes the route table doesn't show the VPN Gateway as the next hop, but the NIC's effective routes do.

    5. Secure Hub Limitations

    If you're using Azure Virtual WAN with a Secure Hub, BGP peering is not supported in Secure Hubs. Ensure you're using a standard hub if BGP peering is required.

    6. Monitoring and Diagnostics

    Use Azure Monitor and Azure diagnostics logs to track BGP status and any potential errors that could hint at what might be going wrong.

    Reference link: https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto

    Failover behavior in Active-Passive mode:

    1. Only one VPN Gateway instance is active at a time.
    2. If the active instance fails, Azure automatically promotes the passive instance.
    3. FortiGate must detect the failure and re-establish the BGP session with the new active IP.

    If you find this comment helpful, please "up-vote" the information provided; this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks

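To make steps 1 and 2 of the answer above concrete, here is an added FortiOS CLI example for one of the two ISP tunnels; it is not the moderator's, Fortinet's or Microsoft's configuration, and every IP, ASN, prefix and object name in it is constructed for illustration. It assumes the matching Azure connection has BGP enabled with custom APIPA address 169.254.21.1 on the VNG and a local network gateway whose BGP peer address is 169.254.21.2 with ASN 65010.

```fortios
# Constructed values (not from the thread); replace before use:
#   Azure VNG public IP 203.0.113.10, Azure ASN 65515, Azure APIPA peer 169.254.21.1
#   FortiGate ASN 65010, tunnel IP 169.254.21.2, on-prem prefix 10.10.0.0/16
# ISP 2 repeats the same three blocks on wan2 with a second APIPA pair (169.254.22.1/.2).
config vpn ipsec phase1-interface
    edit "az-isp1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "az-isp1-p2"
        set phase1name "az-isp1"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
# Step 2 of the answer: without ip/remote-ip the tunnel has no addresses for BGP to use.
config system interface
    edit "az-isp1"
        set ip 169.254.21.2 255.255.255.255
        set remote-ip 169.254.21.1 255.255.255.255
    next
end
config router bgp
    set as 65010
    set router-id 10.10.0.1
    config neighbor
        edit "169.254.21.1"
            set remote-as 65515
            # Azure's BGP peer address is not on the tunnel link itself, so eBGP multihop is needed
            set ebgp-enforce-multihop enable
            set update-source "az-isp1"
        next
    end
    config network
        edit 1
            set prefix 10.10.0.0 255.255.0.0
        next
    end
end
# Verify on the FortiGate: get router info bgp summary / get router info routing-table bgp
```

On the Azure side, Get-AzVirtualNetworkGatewayBGPPeerStatus (Az.Network) shows whether the session to 169.254.21.2 is Connected, which is worth checking before looking at advertised routes.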
