rmetzger
Staff
Article Id 192135
Purpose
This article provides a BGP configuration example to prevent a FortiGate from redistributing BGP routes to a specific peer.
Scope
  • FortiGate or VDOM in NAT mode
  • Example given for FortiOS 4.0 and above

Diagram
The following diagram illustrates this example:

[Diagram: rmetzger_bgp_1.jpg]

Expectations, Requirements

Example 1 :

  • FGT2 must not redistribute any BGP routes to FGT3, while there must be no impact on the other FortiGates
  • FGT1 is announcing in BGP the following routes:
    • 10.10.10.0/24
    • 10.160.0.0/23
    • 172.31.224.0/23
  • FGT3 is announcing in BGP the following routes:
    • 10.158.0.0/23
    • 192.168.182.0/23
  • FGT4 is announcing in BGP the following routes:
    • 10.161.0.0/23
    • 10.162.0.0/23

Example 2 :

  • FGT2 must advertise to FGT1 and FGT4 only its local subnet 192.168.182.0/23
  • FGT2 must not re-advertise to FGT1 the routes advertised by FGT4, and to FGT4 the routes advertised by FGT1

Configuration

Configuration for example 1

This is achieved by configuring on FortiGate 2 (FGT2) an access-list that matches every route, and an outbound route-map (route-map-out) that denies whatever the access-list matches; the route-map is applied to the FGT3 neighbor only.

Only the relevant parts of the FGT2 configuration are shown, in CLI format:

config router access-list
    edit "match_all_routes"
            config rule
                edit 1
                    set action deny
                    set exact-match disable
                next
            end
    next
end


config router route-map
    edit "route_map_out_deny_all"
            config rule
                edit 1
                    set action deny
                    set match-ip-address "match_all_routes"
                next
            end
    next
end


config router bgp
    set as 65110
        config neighbor
            edit "172.31.224.136"
                set remote-as 65136
            next
            edit "192.168.182.78"
                set remote-as 65078
                set route-map-out "route_map_out_deny_all"
            next
            edit "172.31.224.66"
                set remote-as 65066
            next
        end
    set router-id 172.31.224.110
end



Configuration for example 2

The access-list permits only the local subnet 192.168.182.0/23 as an exact match and denies everything else. The route-map references that access-list (the name given in set match-ip-address must be exactly the access-list name) and, having no explicit set action, uses the default action permit; a route that matches no route-map rule is not advertised. The route-map is applied outbound towards FGT1 and FGT4, not towards FGT3.

config router access-list
    edit "only_local_subnets"
        config rule
            edit 1
                set action permit
                set prefix 192.168.182.0 255.255.254.0
                set exact-match enable
            next
            edit 2
                set action deny
                set prefix any
                set exact-match disable
            next
        end
    next
end


config router route-map
    edit "only_local_subnets"
        config rule
            edit 1
                set match-ip-address "only_local_subnets"
            next
        end
    next
end


config router bgp
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
            set route-map-out "only_local_subnets"
        next
        edit "172.31.224.66"
            set remote-as 65066
            set route-map-out "only_local_subnets"
        next
        edit "192.168.182.78"
            set remote-as 65078
        next
    end
end
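To make the filtering logic of both examples concrete, here is an added Python model of how the access-lists and route-maps above decide which of FGT2's BGP routes are advertised to a peer. This is example code written for this article, not FortiOS code; it assumes the route-map and access-list of example 2 both carry the name "only_local_subnets", that a route-map rule without an explicit action permits, that a route matching no route-map rule is dropped (implicit deny), and that an access-list rule with exact-match disable matches the configured prefix and any more-specific prefix inside it. The candidate routes are the ones the article says FGT1, FGT3 and FGT4 announce.

```python
from ipaddress import ip_network

# Constructed model of the access-lists from examples 1 and 2 above.
ACCESS_LISTS = {
    "match_all_routes": [
        {"action": "deny", "prefix": "any", "exact_match": False},
    ],
    "only_local_subnets": [
        {"action": "permit", "prefix": "192.168.182.0/23", "exact_match": True},
        {"action": "deny", "prefix": "any", "exact_match": False},
    ],
}

# Constructed model of the route-maps; example 2's rule has no explicit action,
# which is modelled as permit (assumed FortiOS default).
ROUTE_MAPS = {
    "route_map_out_deny_all": [
        {"action": "deny", "match_ip_address": "match_all_routes"},
    ],
    "only_local_subnets": [
        {"action": "permit", "match_ip_address": "only_local_subnets"},
    ],
}

# Constructed: every BGP prefix FGT2 holds (learned from FGT1, FGT3 and FGT4).
FGT2_BGP_TABLE = [ip_network(p) for p in (
    "10.10.10.0/24", "10.160.0.0/23", "172.31.224.0/23",   # from FGT1
    "10.158.0.0/23", "192.168.182.0/23",                   # from FGT3
    "10.161.0.0/23", "10.162.0.0/23",                      # from FGT4
)]


def rule_matches(rule, route):
    """Access-list rule semantics: 'any' matches everything; exact-match enable
    requires the identical prefix; exact-match disable (assumption) also accepts
    any more-specific prefix contained in the configured one."""
    if rule["prefix"] == "any":
        return True
    configured = ip_network(rule["prefix"])
    if rule["exact_match"]:
        return route == configured
    return route.subnet_of(configured)


def access_list_permits(name, route):
    """First matching rule wins; no match means the access-list does not permit."""
    for rule in ACCESS_LISTS[name]:
        if rule_matches(rule, route):
            return rule["action"] == "permit"
    return False


def route_map_allows(name, route):
    """A route-map rule applies when its access-list permits the route; a route
    that no rule applies to is dropped (implicit deny, assumption)."""
    for rule in ROUTE_MAPS[name]:
        if access_list_permits(rule["match_ip_address"], route):
            return rule["action"] == "permit"
    return False


def advertised(route_map_name, candidates=FGT2_BGP_TABLE):
    """Prefixes FGT2 would send to a peer configured with the given route-map-out."""
    return [str(r) for r in candidates if route_map_allows(route_map_name, r)]


if __name__ == "__main__":
    print("example 1, towards FGT3:", advertised("route_map_out_deny_all"))
    print("example 2, towards FGT1/FGT4:", advertised("only_local_subnets"))
```

The last point worth checking is the effect of exact-match enable: a more-specific prefix such as 192.168.182.0/24 would not pass the example 2 route-map, which is exactly why the deny-all rule 2 is needed to keep the access-list's own behaviour explicit.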




Verification

Verification for example 1

Verification before configuring the route map on FGT2:

FGT1 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:02:54
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:02:54


FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:04:07
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
B       10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
C       192.168.182.0/23 is directly connected, wan1


Verification after configuring the route map on FGT2:

See below that the routing table of FGT1 has not been altered.

FGT1 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:02:54
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:02:54


FGT3, on the other hand, no longer receives any BGP route from FGT2 and is left with its static and directly connected routes only:

FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1
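The before/after tables above can be checked mechanically rather than by eye. The following added Python script (written for this article, not FortiOS or Fortinet code) parses the text of "get router info routing-table all" and reports which BGP prefixes were learned from a given peer; the sample input is FGT3's output as printed above, and the peer address 192.168.182.110 is FGT2 as seen by FGT3.

```python
import re

# Constructed sample input: FGT3's routing table before FGT2 applies the
# outbound route-map (copied from the article's output).
FGT3_BEFORE = """\
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:04:07
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
B       10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
C       192.168.182.0/23 is directly connected, wan1
"""

# Constructed sample input: the same table after the route-map is in place.
FGT3_AFTER = """\
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1
"""

# One route per line: a code (S*, C, B, ...), the prefix, then the details.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$"
)
NEXT_HOP = re.compile(r"\bvia (\d+\.\d+\.\d+\.\d+)")


def parse_routing_table(text):
    """Return one dict per route line with its code, prefix and next hop
    (None for directly connected routes, which have no 'via')."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue  # command echo, blank lines and legends are not routes
        hop = NEXT_HOP.search(m.group("rest"))
        routes.append({
            "code": m.group("code"),
            "prefix": m.group("prefix"),
            "via": hop.group(1) if hop else None,
        })
    return routes


def bgp_prefixes_via(routes, next_hop):
    """Prefixes learned through BGP (code B) whose next hop is the given peer."""
    return sorted(r["prefix"] for r in routes
                  if r["code"] == "B" and r["via"] == next_hop)


def peer_is_silenced(table_text, peer_address):
    """True when the table holds no BGP route learned from peer_address,
    i.e. the outbound filter on that peer is doing its job."""
    return bgp_prefixes_via(parse_routing_table(table_text), peer_address) == []


if __name__ == "__main__":
    peer = "192.168.182.110"  # FGT2's address on the FGT2-FGT3 link
    print("before:", bgp_prefixes_via(parse_routing_table(FGT3_BEFORE), peer))
    print("silenced after:", peer_is_silenced(FGT3_AFTER, peer))
```

Running the same check against FGT1's output with peer 172.31.224.110 confirms the other half of the requirement: FGT1 must still learn 10.158.0.0/23 and 192.168.182.0/23 from FGT2 after the change.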