FortiGate2 BGP GUI configuration:

FortiGate2 CLI configuration to deny the 10.10.30.0/24 network and allow any other network.

Access-list:

# config router access-list
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set prefix 10.10.30.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ALLOW_OTHER"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
end

Route-map:

# config router route-map
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set action deny
                set match-ip-address "BLOCK_10.10.30.0/24"
            next
            edit 2
                set match-ip-address "ALLOW_OTHER"
            next
        end
    next
end

Rule 2 has no explicit action, so it takes the default permit. A route-map ends with an implicit deny, so a prefix that matched neither rule would also be dropped.

Then assign that route-map to the route-map-in of the FortiGate2 neighbor configuration:

# config router bgp
    config neighbor
        edit 192.168.175.230
            set route-map-in "BLOCK_10.10.30.0/24"
        next
    end
end

The resulting BGP configuration on FortiGate2:

# config router bgp
# show
config router bgp
    set as 20
    set router-id 192.168.175.231
    config neighbor
        edit "192.168.175.230"
            set remote-as 10
            set route-map-in "BLOCK_10.10.30.0/24"
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

Clear the BGP peering using this command for the route-map and access-list to take effect:

# exec router clear bgp as 10 <------------ because the AS on FortiGate1 is set to 10.

or

# exec router clear bgp all

Either command resets the session, so the peer goes down and re-establishes before the filtered table is rebuilt.
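As an added example (Python, not FortiGate code), the following models how FortiOS walks the two access-lists and the route-map above for each prefix in an inbound UPDATE. It assumes the documented FortiOS semantics: an access-list rule with exact-match only matches a prefix of identical length, a rule without exact-match also matches more-specific subnets of its prefix, a route-map rule matches when its access-list permits the prefix, and both structures end in an implicit deny. The prefix 10.10.30.0/25 is constructed to show the caveat that exact-match on the blocking rule lets longer subnets of 10.10.30.0/24 through.

```python
"""Model of FortiOS access-list / route-map evaluation for inbound BGP prefixes.

Added example, not FortiGate code: it reproduces the decision the route-map
"BLOCK_10.10.30.0/24" makes for each prefix in the UPDATE, and shows what
changes when exact-match is disabled on the blocking access-list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccessRule:
    prefix: Optional[ipaddress.IPv4Network]   # None models "set prefix any"
    exact_match: bool = False
    action: str = "permit"                    # FortiOS default for an access-list rule

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.prefix is None:
            return True
        if self.exact_match:
            return route == self.prefix
        # Without exact-match the rule also covers every more-specific subnet.
        return route.subnet_of(self.prefix)


@dataclass
class AccessList:
    rules: List[AccessRule]

    def permits(self, route: ipaddress.IPv4Network) -> bool:
        for rule in self.rules:
            if rule.matches(route):
                return rule.action == "permit"
        return False                          # implicit deny at the end of an access-list


@dataclass
class RouteMapRule:
    match_ip_address: Optional[str]           # access-list name; None matches everything
    action: str = "permit"                    # FortiOS default for a route-map rule


def route_map_decision(rules: List[RouteMapRule], acls: Dict[str, AccessList],
                       prefix: str) -> str:
    """Return 'accepted' or 'denied' for one prefix, walking the rules in order."""
    route = ipaddress.ip_network(prefix)
    for rule in rules:
        matched = (rule.match_ip_address is None
                   or acls[rule.match_ip_address].permits(route))
        if matched:
            return "accepted" if rule.action == "permit" else "denied"
    return "denied"                           # implicit deny at the end of a route-map


def build_acls(exact_match: bool) -> Dict[str, AccessList]:
    """The two access-lists from the article; exact_match toggles the blocking rule."""
    return {
        "BLOCK_10.10.30.0/24": AccessList([
            AccessRule(ipaddress.ip_network("10.10.30.0/24"), exact_match=exact_match)]),
        "ALLOW_OTHER": AccessList([AccessRule(None, exact_match=True)]),
    }


ROUTE_MAP = [
    RouteMapRule("BLOCK_10.10.30.0/24", action="deny"),   # rule 1
    RouteMapRule("ALLOW_OTHER"),                           # rule 2, default permit
]


def evaluate_update(prefixes: List[str], exact_match: bool = True) -> Dict[str, str]:
    """Decision per prefix for the article's route-map applied as route-map-in."""
    acls = build_acls(exact_match)
    return {p: route_map_decision(ROUTE_MAP, acls, p) for p in prefixes}


if __name__ == "__main__":
    # The three prefixes FortiGate1 advertises in the article, plus a constructed
    # more-specific subnet that exposes the exact-match behaviour.
    sample = ["10.10.10.0/24", "10.10.30.0/24", "10.10.20.0/24", "10.10.30.0/25"]
    for p, d in evaluate_update(sample).items():
        print(f"exact-match enable : {p:16} {d}")
    for p, d in evaluate_update(sample, exact_match=False).items():
        print(f"exact-match disable: {p:16} {d}")
```

With exact-match enabled, only the /24 itself is denied; 10.10.30.0/25 is accepted by rule 2. Disabling exact-match on "BLOCK_10.10.30.0/24" denies the /24 and all of its subnets while still accepting a covering supernet such as 10.10.0.0/16, so the choice depends on whether the intent is to block one exact route or the whole address range.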
Troubleshooting
To confirm that the prefix is being blocked, run these commands:

# diag ip router bgp all en
# diag ip router bgp level info
# diag debug en

Note: to stop the BGP debugging, run these commands:

# diag debug disable
# diag ip router bgp all disable
# diag ip router bgp level none

Here is the sample result:

BGP: [NETWORK] Accept Thread: Incoming conn from host 192.168.175.230 (FD=24)
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 14
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 3
BGP: 192.168.175.230-Outgoing [NETWORK] FD=24, Sock Status: 0-Success
BGP: 192.168.175.230-Outgoing [FSM] State: Connect Event: 17
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Ver 4 MyAS 20 Holdtime 180
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 1, length 61
BGP: 192.168.175.230-Outgoing [DECODE] Open: Optional param len 32
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 192.168.175.230-Outgoing [FSM] State: OpenSent Event: 19
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 192.168.175.230-Outgoing [ENCODE] Keepalive: 28 KAlive msg(s) sent
BGP: bgp_keepalive_proc: notif_rcv 4-4
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 192.168.175.230-Outgoing [DECODE] KAlive: Received!
BGP: 192.168.175.230-Outgoing [FSM] State: OpenConfirm Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 2, length 55
BGP: 192.168.175.230-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (36), msg_size (36)
BGP: 192.168.175.230-Outgoing [DECODE] Update: NLRI Len(12)
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 34
BGP: [RIB] Scanning BGP Network Routes...

The line "Prefix 10.10.30.0/24 denied due to route-map" shows the inbound route-map rejecting that prefix, while 10.10.10.0/24 and 10.10.20.0/24 are received.

To make sure that the route 10.10.30.0/24 is not installed in the routing table of FortiGate2, run this command:

# get router info routing-table all

Here is the result of this lab:

# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B 10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B 10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C 192.168.175.0/24 is directly connected, port1
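For a repeatable check of the two troubleshooting steps above, the following added example (Python, not FortiGate code) parses lines in the format of the `diag ip router bgp` output and of `get router info routing-table all`, and confirms that every prefix expected to be blocked was logged as "denied due to route-map" and is absent from the routing table, while every received prefix was installed as a BGP route. The sample lines are copied from the article's output; the extra "leaked" route in the usage note is constructed.

```python
"""Verify BGP debug output and routing table against an expected block list.

Added example, not FortiGate code. It parses lines shaped like the output of
'diag ip router bgp' and 'get router info routing-table all' and confirms that
a prefix denied by the route-map was also kept out of the routing table.
"""
import re
from typing import Dict, List, Set

# Copied from the article's debug output (only the lines this check needs).
DEBUG_LINES = [
    'id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "',
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24",
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map",
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24",
]

# Copied from the article's routing table output.
ROUTING_TABLE = [
    "Routing table for VRF=0",
    "Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP",
    "* - candidate default",
    "B 10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19",
    "B 10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19",
    "C 192.168.175.0/24 is directly connected, port1",
]

PREFIX = r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
RECEIVED_RE = re.compile(r"\[RIB\] Update: Received Prefix " + PREFIX)
DENIED_RE = re.compile(r"\[RIB\] Update: Prefix " + PREFIX + r" denied due to route-map")
ADJ_UP_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) Up")
ROUTE_RE = re.compile(r"^([A-Z]\S*)\s+" + PREFIX)   # route code, then prefix


def parse_debug(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect received prefixes, route-map-denied prefixes and neighbors that came up."""
    received, denied, up = set(), set(), set()
    for line in lines:
        if m := RECEIVED_RE.search(line):
            received.add(m.group(1))
        elif m := DENIED_RE.search(line):
            denied.add(m.group(1))
        elif m := ADJ_UP_RE.search(line):
            up.add(m.group(1))
    return {"received": received, "denied": denied, "neighbors_up": up}


def parse_routing_table(lines: List[str]) -> Dict[str, str]:
    """Map each installed prefix to its route code (B, C, S, ...)."""
    routes: Dict[str, str] = {}
    for line in lines:
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m.group(2)] = m.group(1)
    return routes


def verify_filter(expected_blocked: Set[str], debug_lines: List[str],
                  table_lines: List[str]) -> Dict[str, object]:
    """Cross-check the route-map decision in the debug output against the routing table."""
    dbg = parse_debug(debug_lines)
    rib = parse_routing_table(table_lines)
    leaked = {p for p in expected_blocked if p in rib}            # blocked but installed anyway
    not_logged = expected_blocked - dbg["denied"]                 # no route-map deny seen
    missing = {p for p in dbg["received"] if rib.get(p) != "B"}   # accepted but not a BGP route
    return {
        "neighbors_up": dbg["neighbors_up"],
        "leaked": leaked,
        "not_logged": not_logged,
        "missing_accepted": missing,
        "ok": not leaked and not not_logged and not missing,
    }


if __name__ == "__main__":
    result = verify_filter({"10.10.30.0/24"}, DEBUG_LINES, ROUTING_TABLE)
    for key, value in result.items():
        print(f"{key:17} {value}")
```

Run against the article's output, `verify_filter({"10.10.30.0/24"}, DEBUG_LINES, ROUTING_TABLE)` reports `ok` True with the neighbor 192.168.175.230 up. Appending a constructed line such as `B 10.10.30.0/24 [20/0] via 192.168.175.230, port1, 00:00:05` to the table flips `ok` to False and lists the prefix under `leaked`, which is the condition to look for after a configuration change that did not take effect (for example when the peering was not cleared).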
Copyright 2024 Fortinet, Inc. All Rights Reserved.