Created on 12-01-2009 01:50 AM
Edited on 09-23-2025 10:20 PM
By Anthony_E
Description
This article provides a BGP configuration example that restricts which BGP routes a FortiGate advertises to each of its BGP peers, using an access-list and an outbound route-map so that some routes are advertised to one peer and withheld from another.
Diagram:
The following diagram illustrates this example:
Expectations and requirements:
FGT2 must advertise to FGT3 and FGT4 only specific BGP routes learned from FGT1:
FGT3 must learn only route 10.10.10.0/24.
FGT4 must learn only route 10.160.0.0/23.
FGT1 is announcing in BGP the following routes:
10.10.10.0/24
10.160.0.0/23
172.31.224.0/23
FGT3 is announcing in BGP the following routes:
10.158.0.0/23
192.168.182.0/23
FGT4 is announcing in BGP the following routes:
10.161.0.0/23
10.162.0.0/23
Scope
Solution
An access-list and an outbound route-map (route-map-out) configured on FortiGate 2 (FGT2) filter what FGT2 advertises to each peer. Each access-list names the single prefix a peer is allowed to receive; exact-match is enabled so that only that exact prefix matches, not more-specific subnets inside it. The route-map applied to the neighbor with route-map-out permits routes matching that access-list, and because a route that matches no rule of a route-map is not advertised, nothing else reaches that peer. The route-map only affects outbound advertisements: FGT2 still accepts every route its peers send. The neighbor FGT1 (172.31.224.136) has no route-map-out and continues to receive all routes FGT2 knows.
Only the relevant parts of the FortiGate 2 (FGT2) configuration are provided, in CLI format:
config router access-list
    edit "match_fgt4"
        config rule
            edit 1
                set prefix 10.160.0.0 255.255.254.0
                set exact-match enable
            next
        end
    next
    edit "match_fgt3"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end
config router route-map
    edit "route_map_out_fgt3"
        config rule
            edit 1
                set match-ip-address "match_fgt3"
            next
        end
    next
    edit "route_map_out_fgt4"
        config rule
            edit 1
                set match-ip-address "match_fgt4"
            next
        end
    next
end
config router bgp
    set as 65110
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
        next
        edit "192.168.182.78"
            set remote-as 65078
            set route-map-out "route_map_out_fgt3"
        next
        edit "192.168.182.66"
            set remote-as 65066
            set route-map-out "route_map_out_fgt4"
        next
    end
    set router-id 172.31.224.110
end
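To check a filter like this before pushing it, the following Python script, added here as an illustration and not part of the article or of FortiOS, parses the FGT2 CLI fragment above and computes which prefixes would pass each neighbor's route-map-out. It models only the FortiOS semantics the example relies on, stated here as assumptions: an access-list rule's action defaults to permit, exact-match restricts the rule to that exact prefix (without it the rule would also match more-specific subnets), the first matching rule wins and an unmatched route is denied; a route-map rule with no match clause matches every route, a rule whose access-list does not permit the route is skipped, and a route that matches no route-map rule is not advertised. The HELD list is constructed input: the BGP routes in FGT2's table plus a hypothetical more-specific 10.160.0.0/24, included to show what exact-match does.

```python
import ipaddress
# Constructed copy of the FGT2 configuration from the article (router-id omitted).
FGT2_CONFIG = """
config router access-list
    edit "match_fgt4"
        config rule
            edit 1
                set prefix 10.160.0.0 255.255.254.0
                set exact-match enable
            next
        end
    next
    edit "match_fgt3"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end
config router route-map
    edit "route_map_out_fgt3"
        config rule
            edit 1
                set match-ip-address "match_fgt3"
            next
        end
    next
    edit "route_map_out_fgt4"
        config rule
            edit 1
                set match-ip-address "match_fgt4"
            next
        end
    next
end
config router bgp
    set as 65110
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
        next
        edit "192.168.182.78"
            set remote-as 65078
            set route-map-out "route_map_out_fgt3"
        next
        edit "192.168.182.66"
            set remote-as 65066
            set route-map-out "route_map_out_fgt4"
        next
    end
end
"""

def parse_fortios(text):
    """Nest FortiOS 'config / edit / set / next / end' text into plain dicts."""
    root, stack = {}, []
    node = root
    for words in filter(None, (ln.replace('"', "").split() for ln in text.splitlines())):
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):            # open a section or a table entry
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw == "set":                        # one value, or a list (e.g. prefix + mask)
            node[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):              # close the current entry / section
            node = stack.pop()
    return root

def acl_permits(acl, route):
    """Access-list (modelled): first matching rule decides; no match is an implicit deny."""
    for _, rule in sorted(acl["rule"].items(), key=lambda kv: int(kv[0])):
        net = ipaddress.ip_network("/".join(rule["prefix"]))
        exact = rule.get("exact-match") == "enable"   # exact: only this prefix, not its subnets
        if (route == net) if exact else route.subnet_of(net):
            return rule.get("action", "permit") == "permit"
    return False

def route_map_permits(rmap, acls, route):
    """Route-map (modelled): no match clause = matches all; no rule hit = not advertised."""
    for _, rule in sorted(rmap["rule"].items(), key=lambda kv: int(kv[0])):
        acl = rule.get("match-ip-address")
        if acl is None or acl_permits(acls[acl], route):
            return rule.get("action", "permit") == "permit"
    return False

def advertised_routes(cfg, held):
    """Prefixes each BGP neighbour would be offered after its route-map-out, if it has one."""
    acls, rmaps = cfg["router access-list"], cfg["router route-map"]
    out = {}
    for peer, attrs in cfg["router bgp"]["neighbor"].items():
        rm = rmaps.get(attrs.get("route-map-out"))   # None: no filter, every route goes out
        out[peer] = sorted(str(r) for r in map(ipaddress.ip_network, held)
                           if rm is None or route_map_permits(rm, acls, r))
    return out

# FGT2's BGP routes (article) plus a constructed, more-specific 10.160.0.0/24 a peer might leak.
HELD = ["10.10.10.0/24", "10.160.0.0/23", "10.158.0.0/23",
        "10.161.0.0/23", "10.162.0.0/23", "10.160.0.0/24"]
print(advertised_routes(parse_fortios(FGT2_CONFIG), HELD))
```

Running it shows FGT3 (192.168.182.78) offered only 10.10.10.0/24 and FGT4 (192.168.182.66) only 10.160.0.0/23, which is what the post-change routing tables confirm, while FGT1 (172.31.224.136), which has no route-map-out, is offered every prefix including the leaked /24. With exact-match disabled on match_fgt4 the /24 would pass to FGT4 as well, which is the caveat to keep in mind when a peer is expected to receive an aggregate but not the subnets behind it.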
Verifications before configuring FGT2:
FGT2 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, port1
B 10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:06
B 10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:06
B 10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:06
B 10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
B 10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
C 172.31.224.0/23 is directly connected, port1
C 192.168.182.0/23 is directly connected, port2
FGT3 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B 10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:04
C 10.158.0.0/23 is directly connected, internal
B 10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
B 10.161.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B 10.162.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B 172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
C 192.168.182.0/23 is directly connected, wan1
FGT4 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B 10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:51
B 10.158.0.0/23 [20/0] via 192.168.182.78, wan1, 00:06:51
B 10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C 10.161.0.0/23 is directly connected, wan1
C 10.162.0.0/23 is directly connected, wan1
B 172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C 192.168.182.0/23 is directly connected, wan1
Verifications after configuring FGT2. FGT2's own routing table is unchanged, since the route-map filters only what FGT2 advertises, not what it accepts; FGT3 and FGT4 now learn from FGT2 (192.168.182.110) only the one prefix each was meant to receive:
FGT2 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, port1
B 10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:31
B 10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:31
B 10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:31
B 10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
B 10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
C 172.31.224.0/23 is directly connected, port1
C 192.168.182.0/23 is directly connected, port2
FGT3 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B 10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:00:48
C 10.158.0.0/23 is directly connected, internal
C 192.168.182.0/23 is directly connected, wan1
FGT4 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B 10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:36
C 10.161.0.0/23 is directly connected, wan1
C 10.162.0.0/23 is directly connected, wan1
C 192.168.182.0/23 is directly connected, wan1
The same result can be confirmed from FGT2 itself, without logging in to the peers, with 'get router info bgp neighbors 192.168.182.78 advertised-routes' (and likewise for 192.168.182.66), which lists only the prefixes that passed the route-map-out. When a route-map or access-list is changed after the sessions are already up, refresh the advertisements with 'execute router clear bgp all soft out' so the peers receive the new policy without a full session reset.
Copyright 2025 Fortinet, Inc. All Rights Reserved.