ckumar_FTNT
Staff
Article Id 192930

Description
This article provides a prefix-list configuration example that stops a FortiGate from advertising a specific route to a BGP peer while all other routes continue to be advertised.

BGP routes advertised to or received from a peer can be controlled with an access-list, a prefix-list, a route-map, or a route-map that references an access-list or prefix-list. This example applies a prefix-list directly to the neighbor in the outbound direction.


Solution
For this example, the topology is as follows: the FortiGate (AS 100, router ID 172.31.135.228) peers with the neighbor 10.5.20.160 in AS 101 and advertises the networks 10.10.1.0/24, 192.168.1.0/24 and 192.168.2.0/24 to it.

Assuming the BGP session with the neighbor is already in the Established state, the following FortiGate CLI configuration blocks the 10.10.1.0/24 network from being advertised and allows every other network.

Create the prefix-list. Rules are evaluated from the top; rule 1 denies the exact prefix 10.10.1.0/24 and rule 2 permits everything else (without rule 2, the implicit deny at the end of the list would block every route).

# show router prefix-list
config router prefix-list
    edit "blockrule"
        config rule
            edit 1
                set action deny
                set prefix 10.10.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
Now reference the prefix-list directly in the BGP neighbor configuration, in the outbound direction.

# show router bgp
config router bgp
    set as 100
    set network-import-check disable
    config neighbor
        edit "10.5.20.160"
            set prefix-list-out "blockrule"     <----- prefix-list applied to routes advertised to this neighbor
            set remote-as 101
        next
    end
end
Note.
To filter routes received from the neighbor instead, apply the prefix-list in the inbound direction with 'set prefix-list-in'.

Results.

Before applying the prefix-list, all three networks are advertised to the neighbor.

# get router info bgp neighbors 10.5.20.160 adv
VRF 0 BGP table version is 3, local router ID is 172.31.135.228
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24     10.5.23.228                   100  32768        0 i <-/->
*> 192.168.1.0      10.5.23.228                   100  32768        0 i <-/->
*> 192.168.2.0      10.5.23.228                   100  32768        0 i <-/->
Total number of prefixes 3
After applying the prefix-list, 10.10.1.0/24 is no longer advertised and only the two remaining networks are sent to the neighbor.

# get router info bgp neighbors 10.5.20.160 adv
VRF 0 BGP table version is 2, local router ID is 172.31.135.228
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 192.168.1.0      10.5.23.228                   100  32768        0 i <-/->
*> 192.168.2.0      10.5.23.228                   100  32768        0 i <-/->
Total number of prefixes 2
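The following Python script is an added example and is not part of the original article or Fortinet's code. It models the prefix-list matching behaviour used above (top-down evaluation, first match wins, implicit deny, and exact-length matching unless ge/le is set), parses a constructed copy of the 'adv' output shown above, and reports which prefixes the list would permit or deny. It also demonstrates a caveat worth checking before relying on a rule like rule 1: a rule with no ge/le matches only a route of exactly that prefix and length, so a more-specific route such as 10.10.1.128/25 (a hypothetical route, not one from the article) would still be advertised unless ge and le widen the rule.

```python
import ipaddress
import re

# Constructed model of prefix-list semantics (illustrative, not Fortinet code):
# rules are evaluated in order, the first matching rule decides, and a route
# that matches no rule is denied. Without ge/le a rule matches only the exact
# prefix and length; ge/le set the minimum and maximum length a route may have.
def prefix_rule_matches(rule, route):
    """Return True if one prefix-list rule matches the given ip_network."""
    if rule["prefix"] == "any":
        return True
    base = ipaddress.ip_network(rule["prefix"], strict=False)
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return route == base                      # exact prefix and exact length only
    if not route.subnet_of(base):
        return False
    lo = ge if ge is not None else base.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_action(rules, route):
    """Return 'permit' or 'deny' for a route string against an ordered rule list."""
    net = ipaddress.ip_network(route, strict=False)
    for rule in rules:
        if prefix_rule_matches(rule, net):
            return rule.get("action", "permit")   # FortiOS rules default to permit
    return "deny"                                 # implicit deny at end of list


def with_classful_length(net):
    """The 'adv' output prints classful networks without a length (e.g. 192.168.1.0)."""
    if "/" in net:
        return net
    first = int(net.split(".")[0])
    return f"{net}/{8 if first < 128 else 16 if first < 192 else 24}"


ROUTE_LINE = re.compile(r"^\*>\s+(\S+)\s+(\S+)")

def advertised_prefixes(adv_output):
    """Parse the Network column of 'get router info bgp neighbors <ip> adv' output."""
    found = []
    for line in adv_output.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            found.append(with_classful_length(m.group(1)))
    return found


def filter_advertised(adv_output, rules):
    """Apply the prefix-list outbound; return (permitted, denied) prefix lists."""
    permitted, denied = [], []
    for prefix in advertised_prefixes(adv_output):
        (permitted if prefix_list_action(rules, prefix) == "permit" else denied).append(prefix)
    return permitted, denied


# Constructed copy of the 'adv' output captured before the prefix-list was applied.
BEFORE_OUTPUT = """\
VRF 0 BGP table version is 3, local router ID is 172.31.135.228
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24     10.5.23.228                   100  32768        0 i <-/->
*> 192.168.1.0      10.5.23.228                   100  32768        0 i <-/->
*> 192.168.2.0      10.5.23.228                   100  32768        0 i <-/->
Total number of prefixes 3
"""

# The article's "blockrule" prefix-list, expressed as rule dictionaries.
BLOCKRULE = [
    {"action": "deny", "prefix": "10.10.1.0/24"},
    {"action": "permit", "prefix": "any"},
]

# Hypothetical stricter variant: 'set ge 24' / 'set le 32' on rule 1 also
# catches more-specific routes inside 10.10.1.0/24.
BLOCKRULE_WITH_MORE_SPECIFICS = [
    {"action": "deny", "prefix": "10.10.1.0/24", "ge": 24, "le": 32},
    {"action": "permit", "prefix": "any"},
]

if __name__ == "__main__":
    permitted, denied = filter_advertised(BEFORE_OUTPUT, BLOCKRULE)
    print("advertised after blockrule:", permitted)
    print("suppressed by blockrule:   ", denied)
    leak = "10.10.1.128/25"   # hypothetical more-specific route
    print(leak, "with exact rule:", prefix_list_action(BLOCKRULE, leak))
    print(leak, "with ge/le rule:", prefix_list_action(BLOCKRULE_WITH_MORE_SPECIFICS, leak))
```

Run with no arguments; the script reproduces the article's after-state (the two 192.168 networks permitted, 10.10.1.0/24 denied) and shows that only the ge/le variant of rule 1 also suppresses the hypothetical 10.10.1.128/25. To verify on the FortiGate itself, compare the 'adv' output before and after the change, as shown above.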

 

Related Articles

Technical Tip: FortiGate BGP configuration to announce specific routes and accept only a default rou...

Technical Tip: Create an Access-list on a Route-Map that would deny specific network on a BGP peerin...
