Skip to main content
mudasirmalik
mudasirmalik
Visitor III
January 18, 2022
Question

Local in policy for BGP in regards to AWS

  • January 18, 2022
  • 5 replies
  • 4592 views

Hi all,
We have local-in policy to allow all for bgp. I know we can set local-in policy to disable port 179 as follows:

config firewall local-in-policy

    edit 1

       set intf wan1

       set scraddr all

       set dstaddr all

       set action deny

       set service BGP

       set schedule always

    end

I have a couple of questions. I am coming from PA deployed in a very small office, so sorry if sound bit silly.

1. How to know if I change config in 'edit 1', I am not changing any other policy already there.
2. We have VPN with AWS going from WAN1. The inside tunnel address configured in VPN is used for BGP. AWS config here uses BGP(inside tunnel IP) for VPN to work. If I apply above local-in policy will it not affect VPN tunnel between fortigate and AWS.

We are using Fortigate version 6.4.0

Thanks.

5 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
January 19, 2022

I'm not sure what you mean with No.1 "How to know...". You just need to change in "edit 1" then hit "next" (not "end"), and then "show" to check the result of your change. Or even before hitting "next", you can do "show".

 

BGP over the tunnel goes through the tunnel interface, which is automatically created when you configured the phase1-interface. Not over wan1 interface. So your deny statement in the local-in-policy wouldn't apply to the BGP with AWS. By default, BGP is allowed all interfaces including those tunnel/logical interfaces.

 

Toshi

    mudasirmalik
    mudasirmalikAuthor
    Visitor III
    January 19, 2022

    Thanks a lot Toshi.
    I was wondering to check if something is already configured at 'edit 1'. Although, I ran through running-config and don't see any local-in policy at all but in GUI, I can see we have many local-in policies. 

    i was just curious as I know when I was working with ASA, you have specific command that will not apply any firewall policy on tunnel interface. looks like there is none in fortigate and tunnel inside IP is not considered on WAN interface. I will try to disable all bgp traffic for WAN port next week and see how it goes.

    I guess to revert back I donot delete edit 1 instead change it to 

    config firewall local-in-policy

        edit 1

           set intf wan1

           set scraddr all

           set dstaddr all

           set action allow

           set service BGP

           set schedule always

        end

    or do you think deleting edit 1 is the best way.

    Thanks a lot

     

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    January 19, 2022

    As I said by default BGP is allowed on any interfaces. An "allow" local-in-policy is only meaningful when it's placed before a "larger" deny policy, so that it's allowed only with the condition while most of, if not all, others are denied. 

    Your case, nothing would be different for the behavior of the FGT. I would simply remove it and start from scratch to avoid future confusion or cluttering.

    mudasirmalik
    mudasirmalikAuthor
    Visitor III
    January 24, 2022

    In case someone is looking for an answer. Applied local-in-policy and it did not impact the tunnel. The only issue was that we never had BGP, so we had to create a new Service for BGP by going into Policy&Objects -> Services as without doing this you will not be able to run 'set service BGP' command.

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    January 24, 2022

    BGP should be in pre-configured services like DNS, OSPF, RIP, SNMP, etc. by default. Also you don't need any policy to terminate BGP at the IPsec interface. Only if you terminate it at a loopback interface or other internal interfaces, you need to have a set of policies for BGP to come/go out of the inside interface.

    mudasirmalik
    mudasirmalikAuthor
    Visitor III
    January 24, 2022

    I was on support with fortinet guys and the fortinet tech, who was really good at his work and he created BGP service. This also confused him a bit in start that we had BGP configured for local-in-policy(GUI).  I had to call support as 'set service BGP' did not work due to BGP not available. So, the tech guy created a new BGP service. Then, I was able to enter command 'set service BGP'
    As stated earlier, BGP is used in conjuction with AWS and I was just worried if BGP running inside tunnel will not be impacted. Anyways, my main question got answered this morning when applying above config did not cause any issue to tunnel.

    Sorry, I am not sure what do you mean by terminate(I have never seen this term, may be my knowledge is limited:)), I never know that BGP has an end point. Yes there are two things in Fortigate. One is security policy and other is local-in policy. Both will perform different functions. One will allow to pass traffic through interface and reject later by policy while the later will reject any inbound traffic(local-in).

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    January 24, 2022

    I already forgot about what you were specifically working on and thought you added a policy with BGP in FW policy. Sorry about my confusion.

    Terms & ConditionsAccessibility statement