fortinetuser2020
New Member
July 10, 2020
Solved

bgp and policies

  • July 10, 2020
  • 1 reply
  • 15488 views

Hi. I've read this article

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/964247/dual-homed-bgp-example

 

and at some point there is an instruction to create an inbound policy from the ISP back to the company LAN. Isn't that dangerous?

 

Why is it needed? Isn't the only important port from the ISP back to the internal network the BGP port?

    Best answer by Toshi_Esumi

    Just tell them we have our own ASN and subnets to advertise and want to get just a default route from them.

    1 reply

    Toshi_Esumi
    SuperUser
    July 10, 2020

    I don't think this network example is realistic. It seems to be assuming the "internal" network is reachable/routable from the internet, but since NAT is configured in both directions it's not really routing through the FGT. If the internal network is a public subnet, you of course need policies both ways, but without NAT.

    I would blame the tech writer at FTNT.

    fortinetuser2020
    New Member
    July 11, 2020

    Thank you. So, two questions about that:

     

    1. Do I even need incoming policies for BGP? Isn't that a core service not requiring any specific policies?

    2. The article also states to set up default static routes. Am I not supposed to get those routes via BGP? Or is the static route needed to let the FortiGate know "where to start from" to get other routes?

    Toshi_Esumi
    SuperUser
    July 11, 2020

    If it's the FGT terminating BGP, not passing it to internal routers, and if it's a single-VDOM environment, there's no need for a policy. But if it's passing BGP through, like from the root VDOM to another internal VDOM handling BGP, or to other devices, a set of policies needs to allow it from the ingress interface to the egress interface.

     

    If you get full internet routes or partial routes from your neighboring ISP, there is no default route in the routes you receive. The ISP might advertise only a default route without other routes. That depends on the BGP service you get from the ISPs. If you don't get default routes, you might need them internally, like static default routes.
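As an added example (not from the original thread and not from the Fortinet handbook article), the following FortiOS CLI configuration shows the two cases the answer above distinguishes: the FortiGate terminating eBGP itself, where the TCP/179 session is local-in traffic to the FortiGate's own interface and no firewall policy is involved, plus a floating static default route that only takes over if the ISP stops sending one; and the pass-through case, where BGP is allowed between the ISP peer and an internal router with a narrow policy and no NAT. The ASNs, addresses, interface names and address-object names are assumed values chosen for the example.

```fortios
# Added example, not from the original thread or the Fortinet handbook.
# Assumed values: our ASN 65010, ISP ASN 64600, peering link 203.0.113.0/30
# (ISP side .1, our side .2), our public prefix 198.51.100.0/24,
# interfaces "wan1" (ISP) and "internal".

# ---- Case 1: the FortiGate terminates eBGP itself (single VDOM) ----
# The session is between the ISP and the FortiGate's own wan1 address, so
# it is handled as local-in traffic; no srcintf/dstintf policy is needed.
config router bgp
    set as 65010
    set router-id 203.0.113.2
    config neighbor
        edit "203.0.113.1"
            set remote-as 64600
            # Outbound filter so we never announce anything but our own
            # prefix (prevents accidentally becoming a transit AS).
            set prefix-list-out "to-isp"
        next
    end
    config network
        edit 1
            set prefix 198.51.100.0 255.255.255.0
        next
    end
end

config router prefix-list
    edit "to-isp"
        config rule
            edit 1
                set action permit
                set prefix 198.51.100.0 255.255.255.0
            next
        end
    next
end

# Fallback static default route. FortiOS uses administrative distance 10
# for static routes and 20 for eBGP, so without a higher distance this
# static route would always beat a default route learned from the ISP.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 250
    next
end

# ---- Case 2: BGP passed through the FortiGate to an internal router ----
# Assumed internal BGP speaker: 198.51.100.1 behind "internal".
# Either side may open the TCP/179 session, so allow both directions,
# each restricted to the two peer addresses and the predefined "BGP"
# service, with NAT disabled (the internal network is a public subnet).
config firewall address
    edit "isp-peer"
        set subnet 203.0.113.1 255.255.255.255
    next
    edit "internal-bgp-router"
        set subnet 198.51.100.1 255.255.255.255
    next
end

config firewall policy
    edit 10
        set name "bgp-isp-to-internal"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "isp-peer"
        set dstaddr "internal-bgp-router"
        set action accept
        set schedule "always"
        set service "BGP"
        set nat disable
    next
    edit 11
        set name "bgp-internal-to-isp"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-bgp-router"
        set dstaddr "isp-peer"
        set action accept
        set schedule "always"
        set service "BGP"
        set nat disable
    next
end
```

To check the result, `get router info bgp summary` shows whether the neighbor reached Established and how many prefixes it sent, and `get router info routing-table all` shows whether the active default route is the BGP one (distance 20) or the static fallback (distance 250). If the ISP sends full or partial routes with no default, only the static route appears for 0.0.0.0/0, which is the situation the answer above describes.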