An access-list, referenced from a route-map, is used to limit the routes advertised to a BGP neighbor and to accept only specific routes out of those received from it.
The network to be matched can be defined in an access-list rule with either the prefix option or the wildcard option.
Here is a scenario:

The FortiGate is connected to the following networks:

    n/w1: 10.10.1.0/24
    n/w2: 10.10.2.0/26
    n/w3: 10.10.3.0/27
    n/w4: 10.10.4.0/28
    n/w5: 10.10.5.0/29
    n/w6: 10.10.6.0/30

All these connected routes get redistributed when redistribute 'connected' is enabled in BGP:

    config redistribute "connected"
        set status enable
    end
If there is a need to block specific connected networks from getting advertised to the BGP neighbor, an access list needs to be created with a specific network ID; call it in Route-map and configure route-map-out in the BGP neighbor.
Example:
Out of all the connected networks, n/w4: 10.10.4.0/28 and n/w5: 10.10.5.0/29 are not supposed to be advertised.
So a rule must be created, using either the prefix or the wildcard option, to filter these networks.
Access-list with the prefix option: here the network ID and its subnet mask have to be defined.
    config router access-list
        edit "Block_n4_n5"
            config rule
                edit 1
                    set prefix 10.10.4.0 255.255.255.240
                next
                edit 2
                    set prefix 10.10.5.0 255.255.255.248
                next
            end
        next
        edit "Allow_rest"
            config rule
                edit 1
                    set prefix any
                    set exact-match enable
                next
            end
        next
    end
Access-list with the wildcard option: here the network ID and a wildcard mask have to be defined, in the same way as in a Cisco ACL rule.
    config router access-list
        edit Block_n4_n5
            config rule
                edit 1
                    set wildcard 10.10.4.0 0.0.0.16
                next
                edit 2
                    set wildcard 10.10.5.0 0.0.0.8
                next
            end
        next
        edit Allow_rest
            config rule
                edit 1
                    set prefix any
                    set exact-match enable
                next
            end
        next
    end
Both serve the same purpose; only the way the network and its subnet are defined differs. Within a single rule ID either prefix or wildcard can be set, not both: setting one unsets the other, as the 'show full' output below confirms.
    Fortinet # config router access-list
    Fortinet (access-list) # edit Block_n4_n5
    Fortinet (Block_n4_n5) # config rule
    Fortinet (rule) # edit 1
    Fortinet (1) # show full
    config rule
        edit 1
            set action permit
            set prefix 10.10.4.0 255.255.255.240
            unset wildcard        <<<<<< wildcard is unset when prefix is used, and vice versa
            set exact-match disable
        next
    end
==========================
- Call the access-list in a route-map:

    config router route-map
        edit "1"
            config rule
                edit 1
                    set action deny
                    set match-ip-address "Block_n4_n5"    <---- access-list referenced here
                next
                edit 2
                    set match-ip-address "Allow_rest"
                next
            end
        next
    end
- Call the route-map in the neighbor setting to block n/w4: 10.10.4.0/28 and n/w5: 10.10.5.0/29 from getting advertised:

    config router bgp
        set as 65412
        config neighbor
            edit "1.1.1.1"
                set remote-as 65412
                set route-map-out "1"
            next
        end
        config redistribute "connected"
            set status enable
        end
    end
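To see why both access-list variants produce the same advertised set, the following added example (not Fortinet code, and not part of the original article) models the access-list rules and the route-map-out evaluation in Python with the article's networks and names. It assumes Cisco-style wildcard semantics (bits set in the wildcard mask are don't-care, only the network address is compared), a prefix rule that matches any route inside the prefix unless exact-match is enabled, 'prefix any' matching every route, and a route-map where the first matching rule decides and unmatched routes are denied.

```python
# Added example: simulate FortiOS access-list matching (prefix or wildcard)
# and a route-map applied as route-map-out to the connected routes.
import ipaddress

# Access-lists from the article, one dict per variant (assumed structure).
ACL_PREFIX = {
    "Block_n4_n5": [{"prefix": "10.10.4.0 255.255.255.240"},
                    {"prefix": "10.10.5.0 255.255.255.248"}],
    "Allow_rest": [{"prefix": "any", "exact_match": True}],
}
ACL_WILDCARD = {
    "Block_n4_n5": [{"wildcard": "10.10.4.0 0.0.0.16"},
                    {"wildcard": "10.10.5.0 0.0.0.8"}],
    "Allow_rest": [{"prefix": "any", "exact_match": True}],
}
# Route-map "1": rule 1 denies Block_n4_n5, rule 2 permits Allow_rest.
ROUTE_MAP = [("deny", "Block_n4_n5"), ("permit", "Allow_rest")]
# Connected routes seen in 'get router info bgp network' (peer link included).
CONNECTED = ["1.1.1.0/30", "10.10.1.0/24", "10.10.2.0/26", "10.10.3.0/27",
             "10.10.4.0/28", "10.10.5.0/29", "10.10.6.0/30"]

def rule_matches(rule, route):
    """True if one access-list rule matches the given ip_network route."""
    if "prefix" in rule:
        if rule["prefix"] == "any":        # 'any' matches every route
            return True
        addr, mask = rule["prefix"].split()
        net = ipaddress.ip_network(f"{addr}/{mask}")
        # exact-match requires the same length; otherwise any subnet of it
        return route == net if rule.get("exact_match") else route.subnet_of(net)
    addr, wildcard = rule["wildcard"].split()
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    # bits set in the wildcard are ignored; only the network address is compared
    return (int(route.network_address) ^ int(ipaddress.ip_address(addr))) & care == 0

def advertised(connected, route_map, acls):
    """Apply the route-map as route-map-out; return the routes that survive."""
    out = []
    for r in connected:
        route = ipaddress.ip_network(r)
        for action, acl_name in route_map:
            if any(rule_matches(rule, route) for rule in acls[acl_name]):
                if action == "permit":
                    out.append(r)
                break                      # first matching rule decides
        # no matching rule: implicit deny, route is not advertised
    return out

if __name__ == "__main__":
    print(advertised(CONNECTED, ROUTE_MAP, ACL_PREFIX))
    print(advertised(CONNECTED, ROUTE_MAP, ACL_WILDCARD))
```

Both calls return the five networks listed under advertised-routes below; 10.10.4.0/28 and 10.10.5.0/29 are dropped by route-map rule 1.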
- Result of the configuration:
    Fortinet # get router info bgp network
    VRF 0 BGP table version is 1, local router ID is 10.10.6.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop         Metric LocPrf Weight RouteTag Path
    *> 1.1.1.0/30       0.0.0.0                         32768        0 ? <-/1>
    *> 10.10.1.0/24     0.0.0.0                         32768        0 ? <-/1>
    *> 10.10.2.0/26     0.0.0.0                         32768        0 ? <-/1>
    *> 10.10.3.0/27     0.0.0.0                         32768        0 ? <-/1>
    *> 10.10.4.0/28     0.0.0.0                         32768        0 ? <-/1>
    *> 10.10.5.0/29     0.0.0.0                         32768        0 ? <-/1>
    *> 10.10.6.0/30     0.0.0.0                         32768        0 ? <-/1>
    Fortinet # get router info bgp neighbors 1.1.1.1 advertised-routes
    VRF 0 BGP table version is 1, local router ID is 10.10.6.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop         Metric LocPrf Weight RouteTag Path
    *>i1.1.1.0/30       1.1.1.2                    100  32768        0 ? <-/->
    *>i10.10.1.0/24     1.1.1.2                    100  32768        0 ? <-/->
    *>i10.10.2.0/26     1.1.1.2                    100  32768        0 ? <-/->
    *>i10.10.3.0/27     1.1.1.2                    100  32768        0 ? <-/->
    *>i10.10.6.0/30     1.1.1.2                    100  32768        0 ? <-/->

On the Cisco neighbor (1.1.1.1), only the five permitted prefixes are received:
    Router#show ip bgp summary
    BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 88, main routing table version 88
    5 network entries using 700 bytes of memory
    5 path entries using 400 bytes of memory
    1/1 BGP path/bestpath attribute entries using 144 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 1244 total bytes of memory
    BGP activity 32/27 prefixes, 46/41 paths, scan interval 60 secs

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.1.2         4 65412      11      11       88    0    0 00:07:06        5
    Router#show ip bgp neighbors 1.1.1.2 received-routes
    BGP table version is 98, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop         Metric LocPrf Weight Path
    r>i  1.1.1.0/30       1.1.1.2                    100      0 ?
    *>i  10.10.1.0/24     1.1.1.2                    100      0 ?
    *>i  10.10.2.0/26     1.1.1.2                    100      0 ?
    *>i  10.10.3.0/27     1.1.1.2                    100      0 ?
    *>i  10.10.6.0/30     1.1.1.2                    100      0 ?