Technical Tip: Configuring Firewall Address Objects and Groups as BGP Prefixes in FortiOS 7.6+

Manually defining BGP prefixes can lead to configuration errors and inconsistencies, especially in dynamic environments like SD-WAN or multi-tenant setups. By linking firewall address objects and groups to BGP, administrators can:

• Reuse firewall objects for routing, reducing configuration redundancy.
  
• Automatically propagate address object changes to BGP prefixes.
  
• Streamline management in large-scale or dynamic networks.

Prerequisites:

• FortiGate running FortiOS 7.6 or later.
  
• BGP configured with basic neighbor settings.

Configuration steps:

1. Create a Firewall Address Object:
   

Define an address object and enable routing support.

config firewall address    edit "BGP-Net1"        set allow-routing enable        set subnet 192.168.10.0 255.255.255.0    next end

Note: The allow-routing option must be enabled (disabled by default).

2. (Optional) Create an Address Group:

Combine multiple address objects for scalable prefix advertisement.

config firewall addrgrp    edit "BGP-Group"        set allow-routing enable        set member "BGP-Net1" "BGP-Net2"    next end

Ensure all member addresses have allow-routing enabled.

3. Configure BGP to Use Address Objects/Groups.

Reference the address object or group in the BGP network configuration.

config router bgp    set as 65001    config network        edit 1            set prefix-name "BGP-Net1"        next        edit 2            set prefix-name "BGP-Group"        next    end end

From GUI:

Network > BGP > Networks

Use prefix-name to link to the address object or group.

Notes:

• Only ipmask and interface-subnet address types are supported.
  
• Address object changes propagate to BGP dynamically, but a BGP soft reset may be required for immediate effect.