FortiGate
rmetzger
Article Id 189725

Purpose
This article gives a configuration example on how to achieve the following with BGP:

- Announce routes in BGP with network prefix or redistribute policies.
- Accept ONLY a default route from a BGP peer.

Scope
FortiGate or VDOM in NAT mode.
Diagram
The following diagram is used to illustrate this example. The focus for the configuration is on FGT-1.

[Diagram bgp_announce_and_deny: FGT-1 (AS 2) peers with FGT_ISP (AS 1); FGT-1 announces 192.168.0.0/21 and denies all inbound updates except the default route]

Expectations, Requirements
The requirement on FGT-1 is:

- Announce 192.168.0.0/21 to the BGP peer FGT_ISP. For this example, 192.168.0.0/21 is a valid static route on FGT-1, but it could be any type of route.

- Accept only the default route from the BGP peer FGT_ISP and deny all other updates.

Configuration

FGT-1 configuration



Only the relevant parts of configuration are given. For more information about configuring BGP see the related articles.

A - To announce 192.168.0.0/21, there are two solutions:

A.1 - Based on a redistribute policy:

config router bgp
    config redistribute static    << "static" is used in this example because 192.168.0.0/21 is a static route; adapt the protocol to each situation
        set status enable
    end
end
 
This will redistribute all static routes that are actually present (active) in the routing table.


A.2 - Based on network prefix:

config router bgp
    config network
        edit 1
            set prefix 192.168.0.0 255.255.248.0
        next
    end
end
 
With this option, as with the redistribute policy, the FortiGate looks for an EXACTLY matching route (same prefix and same length) in the routing table before advertising it.

Note that using the "config network" method will advertise the NLRI with the origin type of incomplete.


B - To accept only the default route from the BGP peer FGT_ISP

Create 1) a prefix list that ONLY matches the default route, 2) a route map linked to this prefix list, and 3) associate this route map with the BGP peer in the inbound direction (route-map-in).


config router prefix-list
    edit "only_dflt"
            config rule
                edit 1
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
            end
    next
end


config router route-map
    edit "only_default_route"
            config rule
                edit 1
                    set match-ip-address "only_dflt"
                next
            end
    next
end

config router bgp
    set as 2
    config neighbor
        edit 10.142.0.110
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
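To show why the "only_dflt" rule above matches nothing but 0.0.0.0/0, here is an added Python model (example code, not part of the article and not FortiOS code) of how a prefix-list rule with "set prefix <address> <mask>" and optional ge/le is evaluated, and how the route-map applying it filters the updates received from FGT_ISP. The ge/le semantics are the usual prefix-list convention and are an assumption to check against your FortiOS version; the list of received prefixes is constructed from the "before" routing table in the Verification section.

```python
import ipaddress

# Added example (not the article's own code): models how a FortiGate
# prefix-list rule ("set prefix <address> <mask>", optional ge/le) and the
# route-map that references it filter the updates received from FGT_ISP.
# The ge/le semantics below follow the usual prefix-list convention
# (assumption to check against your FortiOS version).

def prefix_rule_matches(rule, candidate):
    """True if the prefix-list rule matches the candidate prefix (e.g. '1.1.1.1/32')."""
    addr, mask = rule["prefix"].split()
    rule_net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        # ge/le unset, as in the article's "only_dflt" rule: exact prefix AND length,
        # so 0.0.0.0 0.0.0.0 matches 0.0.0.0/0 only, never 0.0.0.0/1 or 1.1.1.1/32
        return cand == rule_net
    # ge/le set: candidate must lie inside the rule prefix, with its length in
    # [ge, le]; unset ge defaults to the rule length, unset le to 32
    lo = rule_net.prefixlen if ge is None else ge
    hi = cand.max_prefixlen if le is None else le
    return cand.subnet_of(rule_net) and lo <= cand.prefixlen <= hi

def prefix_list_permits(rules, candidate):
    """Rules are tried in sequence order; the first match decides; no match = deny."""
    for rule in sorted(rules, key=lambda r: r["seq"]):
        if prefix_rule_matches(rule, candidate):
            return rule.get("action", "permit") == "permit"
    return False

def route_map_permits(route_map, prefix_lists, candidate):
    """A route-map rule without a match clause matches everything; a prefix
    that matches no rule is dropped (implicit deny at the end of the map)."""
    for rule in sorted(route_map, key=lambda r: r["seq"]):
        pl = rule.get("match-ip-address")
        if pl is None or prefix_list_permits(prefix_lists[pl], candidate):
            return rule.get("action", "permit") == "permit"
    return False

def apply_route_map_in(route_map, prefix_lists, received):
    """The prefixes that survive route-map-in on the neighbor."""
    return [p for p in received if route_map_permits(route_map, prefix_lists, p)]

# Mirrors the article's configuration objects
PREFIX_LISTS = {"only_dflt": [{"seq": 1, "prefix": "0.0.0.0 0.0.0.0"}]}
ROUTE_MAP_ONLY_DEFAULT = [{"seq": 1, "match-ip-address": "only_dflt"}]

# Constructed input: the BGP prefixes FGT_ISP advertised in the "before" routing table
RECEIVED_FROM_FGT_ISP = ["0.0.0.0/0", "1.1.1.1/32", "10.160.0.0/23",
                         "192.168.0.0/16", "192.168.168.0/24"]

# A common mistake: adding "le 32" to the same rule turns it into permit-any
PERMIT_ANY_RULE = {"seq": 1, "prefix": "0.0.0.0 0.0.0.0", "le": 32}

if __name__ == "__main__":
    print(apply_route_map_in(ROUTE_MAP_ONLY_DEFAULT, PREFIX_LISTS, RECEIVED_FROM_FGT_ISP))
    print([p for p in RECEIVED_FROM_FGT_ISP if prefix_rule_matches(PERMIT_ANY_RULE, p)])
```

Run as a script, the first line printed is the single accepted prefix 0.0.0.0/0; the second shows that the same rule with "le 32" would let every received prefix through, which is why ge and le are left unset in the article's prefix list.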


Verification
Verification on FGT-1 before implementing the route map

FGT-1 (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:02:18
B       1.1.1.1/32 [20/0] via 10.142.0.110, wan1, 00:02:18
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:02:23
C       10.142.0.0/23 is directly connected, wan1
B       10.160.0.0/23 [20/0] via 10.142.0.110, wan1, 00:02:18
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
B       192.168.0.0/16 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
B       192.168.168.0/24 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2



Verification on FGT-1 after implementing the route map

FGT-1 (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:05:58
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:06:03
C       10.142.0.0/23 is directly connected, wan1
O       10.160.0.0/23 [110/200] via 10.161.0.2, Inter-vdom10, 00:05:39
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2
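Comparing the two tables by eye works for a lab; for a production change it is worth having a check that parses the output of "get router info routing-table all" and confirms the result. The following Python is an added example (not the article's own code, and not a FortiOS API) that parses the two FGT-1 tables copied from this section (legend abridged), lists what is still learned over BGP from FGT_ISP, and looks up the exact route that the "config network" method in section A.2 requires. It also makes visible a side effect of the filter: 10.160.0.0/23 is no longer learned from FGT_ISP and is now installed from OSPF via Inter-vdom10 instead.

```python
import re

# Added example (not the article's own code): parse the text of
# "get router info routing-table all" so the before/after tables can be checked
# programmatically: which prefixes are still learned over BGP from FGT_ISP, and
# whether the exact route that "config network" would announce is installed.

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\d?)(?P<star>\*)?\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+)?"
    r"(?:via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<iface>[^,\s]+)"
    r"|is directly connected,\s+(?P<ciface>[^,\s]+)"
    r"|is a summary,\s+(?P<siface>[^,\s]+))"
)

def parse_routing_table(text):
    """One dict per route line; the 'Codes:' legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        routes.append({
            "code": g["code"],
            "candidate_default": g["star"] is not None,
            "prefix": g["prefix"],
            "ad": int(g["ad"]) if g["ad"] else None,  # administrative distance
            "metric": int(g["metric"]) if g["metric"] else None,
            "nexthop": g["nexthop"],
            "iface": g["iface"] or g["ciface"] or g["siface"],
        })
    return routes

def bgp_routes_via(routes, neighbor):
    """Prefixes installed from BGP with `neighbor` as next hop, in table order."""
    return [r["prefix"] for r in routes
            if r["code"] == "B" and r["nexthop"] == neighbor]

def only_default_from(routes, neighbor):
    """True once the inbound route-map leaves nothing but 0.0.0.0/0 from `neighbor`."""
    return bgp_routes_via(routes, neighbor) == ["0.0.0.0/0"]

def route_for(routes, prefix):
    """The installed route for exactly this prefix, or None. This is the exact
    match "config network" requires before it will advertise the prefix."""
    return next((r for r in routes if r["prefix"] == prefix), None)

# Copied from the article's FGT-1 output before the route-map was applied (legend abridged)
BEFORE_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:02:18
B       1.1.1.1/32 [20/0] via 10.142.0.110, wan1, 00:02:18
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:02:23
C       10.142.0.0/23 is directly connected, wan1
B       10.160.0.0/23 [20/0] via 10.142.0.110, wan1, 00:02:18
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
B       192.168.0.0/16 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
B       192.168.168.0/24 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2
"""

# Copied from the article's FGT-1 output after the route-map was applied (legend omitted)
AFTER_TABLE = """\
B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:05:58
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:06:03
C       10.142.0.0/23 is directly connected, wan1
O       10.160.0.0/23 [110/200] via 10.161.0.2, Inter-vdom10, 00:05:39
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2
"""

if __name__ == "__main__":
    before, after = parse_routing_table(BEFORE_TABLE), parse_routing_table(AFTER_TABLE)
    print("from FGT_ISP before:", bgp_routes_via(before, "10.142.0.110"))
    print("from FGT_ISP after: ", bgp_routes_via(after, "10.142.0.110"))
    print("10.160.0.0/23 now:", route_for(after, "10.160.0.0/23")["code"])
```

On the "after" table, only_default_from(...) returns True for the neighbor 10.142.0.110, and route_for(...) finds 192.168.0.0/21 installed as a static route, so both requirements from the start of the article are met.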



Verification of routes received on FGT_ISP

FGT_ISP (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port1
S       1.1.1.1/32 [10/0] via 192.168.183.254, port1
C       10.142.0.0/23 is directly connected, port6
C       10.160.0.0/23 is directly connected, port2
S       192.168.0.0/16 [10/0] via 192.168.183.254, port1
B       192.168.0.0/21 [20/0] via 10.142.0.205, port6, 00:09:01
S       192.168.168.0/24 [10/0] via 192.168.183.254, port1
C       192.168.182.0/23 is directly connected, port1

 

Related Articles

Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-...

Technical Note : How to implement BGP route summary (aggregation) on a FortiGate

Technical Note: Static NAT VIP accessible from 2 external interfaces with E-BGP peerings (dual-homin...

Technical Note : FortiGate BGP configuration to announce only a default static route (prefix list an...
