FortiGate
rmetzger
Staff
Article Id 192864

Description

This article describes, by example, how to prevent an OSPF-learned subnet from being installed in the routing table.

Note that this does not filter OSPF LS updates and has no impact on the LSDB or on LSA redistribution: the subnet is still learned and advertised. It is a filter that acts only on the local routing table.

Refer to the related articles for more information and examples.


Scope

FortiGate or VDOM operating in NAT mode.


Solution

Example 1: This example will drop network 10.162.106.0/24 only.

Step 1: Configure the prefix-list:

config router prefix-list
    edit "drop_10.162.106"
        config rule
            edit 1
                set action deny
                set prefix 10.162.106.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix any     (#1)
                unset ge
                unset le
            next
        end
    next
end

Step 2: Configure OSPF to use the prefix-list as an inbound distribute list:

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    set distribute-list-in "drop_10.162.106"
end

Notes on the prefix-list logic:

  • Rules are parsed from top to bottom.
  • A prefix-list follows a 'stop on match' logic: once a rule has matched (as defined by its prefix/ge/le), that rule's action is applied and no further rules are inspected.
  • There is an implicit block rule at the end of the rule list, so a prefix that matches no rule is dropped.
  • The keywords 'ge' and 'le' define a range of prefix lengths inside the configured prefix, using the prefix mask as the lower border (ge = prefix length greater than or equal to, le = less than or equal to).
  • The keyword 'any' as prefix (#1) can be used as a 'match all' filter; rule 2 in Example 1 relies on the default action of a rule, which is permit.
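To make the rule semantics above concrete, here is an added example (not Fortinet code) that models how a prefix-list is evaluated against a route, using the article's own rules: Example 1 above and Example 2 further down, the latter exactly as configured (/7, /7 and /15 masks with ge). It shows stop-on-match, the implicit deny, the exact-length match when ge/le are unset, and that a route shorter than ge does not match even though it lies inside the configured prefix.

```python
import ipaddress

# Added example (not Fortinet code): a model of FortiGate prefix-list evaluation.
# A rule is (action, prefix, ge, le) using the CLI's "network mask" notation;
# ge/le are None where the CLI shows "unset ge" / "unset le".

def rule_matches(route, prefix, ge, le):
    """True if route lies inside the rule's prefix and its length satisfies ge/le."""
    if prefix == "any":                      # 'any' acts as a match-all filter
        return True
    net = ipaddress.ip_network(prefix.replace(" ", "/"), strict=False)
    if not route.subnet_of(net):             # first <masklen> bits must be equal
        return False
    if ge is None and le is None:            # no ge/le: exact prefix length only
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= route.prefixlen <= high

def evaluate(rules, route_str):
    """Top to bottom, stop on first match; implicit deny if nothing matches."""
    route = ipaddress.ip_network(route_str, strict=False)
    for action, prefix, ge, le in rules:
        if rule_matches(route, prefix, ge, le):
            return action
    return "deny"

def permitted(rules, routes):
    """Routes that survive a distribute-list-in using this prefix-list."""
    return [r for r in routes if evaluate(rules, r) == "permit"]

# Example 1 from the article: rule 1 denies 10.162.106.0/24, rule 2 permits any.
DROP_10_162_106 = [
    ("deny", "10.162.106.0 255.255.255.0", None, None),
    ("permit", "any", None, None),
]

# Example 2 from the article, as configured (/7, /7 and /15 masks with ge).
ALLOW_CERTAIN = [
    ("permit", "10.0.0.0 254.0.0.0", 8, None),
    ("permit", "172.0.0.0 254.0.0.0", 8, None),
    ("permit", "192.168.0.0 255.254.0.0", 16, None),
    ("deny", "any", None, None),
]

if __name__ == "__main__":
    for r in ["10.162.105.0/24", "10.162.106.0/24"]:
        print(r, "->", evaluate(DROP_10_162_106, r))
    for r in ["10.0.0.0/9", "13.20.0.0/16", "52.60.1.0/32", "192.168.2.16/30"]:
        print(r, "->", evaluate(ALLOW_CERTAIN, r))
```

Reversing the order of the two rules in Example 1 would permit 10.162.106.0/24, which is the stop-on-match behaviour described above.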
 
Verification:

  1. Before the configuration:

get router info routing all

C       10.126.0.0/24 is directly connected, wan2
O E2    10.162.102.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.103.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.104.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.105.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.106.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04

  2. After the configuration:

get router info routing all

C       10.126.0.0/24 is directly connected, wan2
O E2    10.162.102.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.103.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.104.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2    10.162.105.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04

Extract from the LSDB, taken after the configuration: the external LSA for 10.162.106.0/24 is still present, which shows that there is NO impact on the LSDB:

FGT # get router info ospf database brief

[...]

As External Link States:

Link ID         ADV Router      Age  Seq#       CkSum  Route              Tag
10.162.102.0    0.0.0.69         642 0x80000336 0xc84a E2 10.162.102.0/24 0
10.162.103.0    0.0.0.69        1372 0x800003e4 0x6003 E2 10.162.103.0/24 0
10.162.104.0    0.0.0.69        1412 0x800003e3 0x570c E2 10.162.104.0/24 0
10.162.105.0    0.0.0.69        1332 0x80000336 0xa768 E2 10.162.105.0/24 0
10.162.106.0    0.0.0.69         862 0x80000335 0x9e71 E2 10.162.106.0/24 0

Example 2: This example will allow subnets 10.0.0.0/8, 172.0.0.0/8 and 192.168.0.0/16, and drop all others.

Step 1: Configure the prefix-list:

config router prefix-list
    edit "AllowCertain"
        config rule
            edit 1
                set prefix 10.0.0.0 254.0.0.0
                set ge 8
                unset le
            next
            edit 2
                set prefix 172.0.0.0 254.0.0.0
                set ge 8
                unset le
            next
            edit 3
                set prefix 192.168.0.0 255.254.0.0
                set ge 16
                unset le
            next
            edit 4
                set action deny
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

 

Step 2: Apply the prefix-list:

config router ospf
    set distribute-list-in "AllowCertain"
end

Result:

Before:

get router info routing-table ospf

Routing table for VRF=0
O E2 10.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:00:58
O E2 10.0.0.0/9 [110/10] via 10.200.1.254, port1, 00:07:28
O 10.0.1.0/24 [110/101] via 192.168.1.10, ToVDOM11, 00:07:28
O IA 10.0.2.0/24 [110/102] via 10.200.1.2, port1, 00:07:28
O E2 13.20.0.0/16 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 20.200.10.0/26 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 30.0.0.0/24 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 30.0.0.0/26 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 42.15.0.0/16 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 52.60.1.0/32 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 172.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:07:28
O 172.16.10.3/32 [110/200] via 192.168.1.2, Front0, 00:07:28
O IA 172.16.20.1/32 [110/201] via 10.200.1.2, port1, 00:07:28
O IA 172.16.20.2/32 [110/101] via 10.200.1.2, port1, 00:07:28
O IA 172.16.20.3/32 [110/201] via 10.200.1.2, port1, 00:07:28
O 172.16.20.254/32 [110/101] via 10.200.1.254, port1, 00:07:28
O E2 192.168.0.0/16 [110/10] via 10.200.1.254, port1, 00:07:28
O 192.168.1.16/30 [110/200] via 192.168.1.2, Front0, 00:07:28
                  [110/200] via 192.168.1.10, ToVDOM11, 00:07:28
O IA 192.168.2.0/30 [110/101] via 10.200.1.2, port1, 00:07:28
O IA 192.168.2.8/30 [110/101] via 10.200.1.2, port1, 00:07:28
O IA 192.168.2.16/30 [110/201] via 10.200.1.2, port1, 00:07:28

After (only routes inside 10.0.0.0/8, 172.0.0.0/8 and 192.168.0.0/16 remain):

get router info routing-table ospf

Routing table for VRF=0
O E2 10.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:00:02
O E2 10.0.0.0/9 [110/10] via 10.200.1.254, port1, 00:00:02
O 10.0.1.0/24 [110/101] via 192.168.1.10, ToVDOM11, 00:00:02
O IA 10.0.2.0/24 [110/102] via 10.200.1.2, port1, 00:00:02
O E2 172.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:00:02
O 172.16.10.3/32 [110/200] via 192.168.1.2, Front0, 00:00:02
O IA 172.16.20.1/32 [110/201] via 10.200.1.2, port1, 00:00:02
O IA 172.16.20.2/32 [110/101] via 10.200.1.2, port1, 00:00:02
O IA 172.16.20.3/32 [110/201] via 10.200.1.2, port1, 00:00:02
O 172.16.20.254/32 [110/101] via 10.200.1.254, port1, 00:00:02
O E2 192.168.0.0/16 [110/10] via 10.200.1.254, port1, 00:00:02
O 192.168.1.16/30 [110/200] via 192.168.1.2, Front0, 00:00:02
                  [110/200] via 192.168.1.10, ToVDOM11, 00:00:02
O IA 192.168.2.0/30 [110/101] via 10.200.1.2, port1, 00:00:02
O IA 192.168.2.8/30 [110/101] via 10.200.1.2, port1, 00:00:02
O IA 192.168.2.16/30 [110/201] via 10.200.1.2, port1, 00:00:02