subramanis
Article Id 206312
Description This article describes how a FortiGate can control, from the local device, which routes it receives from a BGP neighbour, by using BGP Outbound Route Filtering (ORF).
Scope FortiGate
Solution

With ORF (RFC 5291), the local FortiGate sends the prefix list it applies inbound to the neighbour, and the neighbour applies that list as an outbound filter before advertising. Unwanted prefixes are therefore never sent, parsed or discarded on the local side. This saves CPU and memory on a firewall that does not want the neighbour's full routing table and would otherwise have to filter it locally.

[Figure orf.JPG: topology, FGT1 (AS 65000, router-id 10.0.0.1) peering over eBGP with FGT2 (AS 65001, router-id 10.0.0.2)]

In this example FGT2 should receive only 1.1.1.1/32 from FGT1, although FGT1 also originates 2.2.2.2/32 and 3.3.3.3/32.

FGT1 # show router bgp
config router bgp
    set as 65000
    set router-id 10.0.0.1
    config neighbor
        edit "10.0.0.2"
            set capability-orf receive      <------ FGT1 accepts ORF entries from FGT2
            set soft-reconfiguration enable
            set remote-as 65001
        next
    end
    config network
        edit 1
            set prefix 1.1.1.1 255.255.255.255
        next
        edit 2
            set prefix 2.2.2.2 255.255.255.255
        next
        edit 3
            set prefix 3.3.3.3 255.255.255.255
        next
    end
end


FGT2 # show router bgp
config router bgp
    set as 65001
    set router-id 10.0.0.2
    config neighbor
        edit "10.0.0.1"
            set capability-orf send         <------ FGT2 pushes its inbound prefix list to FGT1
            set soft-reconfiguration enable
            set prefix-list-in "Net_1.1.1.1"
            set remote-as 65000
        next
    end
end


FGT2 # show router prefix-list
config router prefix-list
    edit "Net_1.1.1.1"
        config rule
            edit 1
                set prefix 1.1.1.1 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end


FGT2 # get router info bgp summary
VRF 0 BGP router identifier 10.0.0.2, local AS number 65001
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor     V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.0.0.1     4   65000   88       94       0       0    0     00:53:41  1

Total number of neighbors 1


All three networks are configured under 'config network' on FGT1, but FGT1 advertises only 1.1.1.1/32 to FGT2: FGT2 has pushed its prefix list "Net_1.1.1.1" to FGT1 through ORF, and FGT1 applies it as an outbound filter for that neighbour.


FGT1 # get router info bgp neighbors 10.0.0.2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network        Next Hop    Metric  LocPrf  Weight  RouteTag  Path
*> 1.1.1.1/32     10.0.0.1            100     32768   0         i <-/->

Total number of prefixes 1


FGT2 # get router info bgp neighbors 10.0.0.1 received-routes
VRF 0 BGP table version is 1, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network        Next Hop    Metric  LocPrf  Weight  RouteTag  Path
*> 1.1.1.1/32     10.0.0.1                    0       0         65000 i <-/->

Total number of prefixes 1


Note: The same prefix list could be applied inbound on FGT2 alone, without ORF. FGT1 would then still advertise all three prefixes, and FGT2 would have to receive and evaluate every UPDATE before dropping 2.2.2.2/32 and 3.3.3.3/32, which costs CPU and memory on FGT2. With ORF the filtering is done by FGT1, so FGT2 only processes the routes it actually wants. ORF must be enabled on both sides: the side that owns the prefix list (FGT2) needs 'set capability-orf send' together with 'set prefix-list-in', and the advertising side (FGT1) needs 'set capability-orf receive' ('both' allows either direction). If the capability is not negotiated, FGT2 silently falls back to local inbound filtering.

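To make the exchange behind 'capability-orf send' and 'capability-orf receive' concrete, the following Python simulation is added here; it is not part of the article and not FortiOS code. It encodes both peers' messages as laid out in RFC 5291 (the ORF capability in OPEN and a ROUTE-REFRESH carrying ORF entries) and RFC 5292 (the Address Prefix ORF entry), installs the entries on the FGT1 side and applies them to FGT1's three networks, and also shows the fallback when the capability is not negotiated. The peer names, the restriction to IPv4 unicast, and the treatment of an entry whose Minlen and Maxlen are both 0 as an exact-length match (mirroring 'unset ge' / 'unset le') are this example's assumptions; the sample networks and prefix list are constructed from the article's values.

```python
"""Simulated BGP Outbound Route Filtering exchange modelled on RFC 5291 / RFC 5292.
Constructed example, not FortiOS code: FGT2 (AS 65001) pushes its prefix-list-in to
FGT1 (AS 65000), which applies it before advertising. IPv4 unicast only (assumption)."""
import ipaddress
import struct
from collections import namedtuple

AFI_IPV4, SAFI_UNICAST = 1, 1
ORF_CAP_CODE = 3                  # BGP capability code for ORF (RFC 5291)
ORF_TYPE_ADDRESS_PREFIX = 64      # Address Prefix ORF type (RFC 5292)
ORF_RECEIVE, ORF_SEND, ORF_BOTH = 1, 2, 3
ACTION_ADD, ACTION_REMOVE, ACTION_REMOVE_ALL = 0, 1, 2
MATCH_PERMIT, MATCH_DENY = 0, 1
REFRESH_IMMEDIATE = 1
OrfRule = namedtuple("OrfRule", "seq permit net minlen maxlen")


def orf_capability(mode):
    """ORF capability as carried in OPEN: code, len, AFI, reserved, SAFI, count, (type, mode)."""
    value = struct.pack("!HBBBBB", AFI_IPV4, 0, SAFI_UNICAST, 1, ORF_TYPE_ADDRESS_PREFIX, mode)
    return struct.pack("!BB", ORF_CAP_CODE, len(value)) + value


def parse_orf_capability(cap):
    """Return {orf_type: send/receive mode} announced by the peer."""
    code, length = struct.unpack("!BB", cap[:2])
    if code != ORF_CAP_CODE or length != len(cap) - 2:
        raise ValueError("not a well-formed ORF capability")
    _afi, _res, _safi, count = struct.unpack("!HBBB", cap[2:7])
    return dict(struct.unpack("!BB", cap[7 + 2 * i:9 + 2 * i]) for i in range(count))


def orf_negotiated(sender_mode, receiver_modes):
    """Entries may flow only if the sender announced Send/Both and the peer Receive/Both."""
    peer = receiver_modes.get(ORF_TYPE_ADDRESS_PREFIX, 0)
    return sender_mode in (ORF_SEND, ORF_BOTH) and peer in (ORF_RECEIVE, ORF_BOTH)


def encode_prefix_orf_entries(rules):
    """rules: (seq, permit, 'a.b.c.d/len', ge, le); ge/le of 0 means unset, as 'unset ge/le'."""
    out = b""
    for seq, permit, prefix, ge, le in rules:
        net = ipaddress.ip_network(prefix)
        common = (ACTION_ADD << 6) | ((MATCH_PERMIT if permit else MATCH_DENY) << 5)
        out += struct.pack("!BIBBB", common, seq, ge, le, net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]   # only significant octets
    return out


def route_refresh_with_orf(entries):
    """ROUTE-REFRESH body (RFC 5291 sec. 4), without the 19-byte BGP message header."""
    return struct.pack("!HBBBBH", AFI_IPV4, 0, SAFI_UNICAST, REFRESH_IMMEDIATE,
                       ORF_TYPE_ADDRESS_PREFIX, len(entries)) + entries


def parse_route_refresh_orf(msg, installed=()):
    """Apply ADD / REMOVE / REMOVE-ALL entries to the installed list; return rules by sequence."""
    _afi, _res, _safi, _when, orf_type, length = struct.unpack("!HBBBBH", msg[:8])
    if orf_type != ORF_TYPE_ADDRESS_PREFIX:
        raise ValueError("unsupported ORF type %d" % orf_type)
    rules, data, pos = list(installed), msg[8:8 + length], 0
    while pos < len(data):
        action, match = data[pos] >> 6, (data[pos] >> 5) & 1
        pos += 1
        if action == ACTION_REMOVE_ALL:          # common part only, no prefix follows
            rules = []
            continue
        seq, minlen, maxlen, plen = struct.unpack("!IBBB", data[pos:pos + 7])
        pos += 7
        nbytes = (plen + 7) // 8
        raw = data[pos:pos + nbytes] + b"\x00" * (4 - nbytes)   # pad to an IPv4 address
        pos += nbytes
        rules = [r for r in rules if r.seq != seq]           # REMOVE, or replace on ADD
        if action == ACTION_ADD:
            net = ipaddress.ip_network((raw, plen), strict=False)
            rules.append(OrfRule(seq, match == MATCH_PERMIT, net, minlen, maxlen))
    return sorted(rules, key=lambda r: r.seq)


def orf_permits(rules, route):
    """Prefix-list semantics: first matching entry by sequence wins, implicit deny at the end."""
    net = ipaddress.ip_network(route)
    for r in rules:
        if net.prefixlen < r.net.prefixlen or net.network_address not in r.net:
            continue
        if r.minlen == 0 and r.maxlen == 0:      # assumption: no ge/le means exact length
            lo = hi = r.net.prefixlen
        else:
            lo = r.minlen or r.net.prefixlen
            hi = r.maxlen or net.max_prefixlen
        if lo <= net.prefixlen <= hi:
            return r.permit
    return False


def advertise(fgt1_networks, fgt2_prefix_list_in, fgt1_mode=ORF_RECEIVE, fgt2_mode=ORF_SEND):
    """Prefixes FGT1 sends to FGT2. Without negotiated ORF, FGT1 sends all and FGT2 filters locally."""
    fgt1_modes = parse_orf_capability(orf_capability(fgt1_mode))    # FGT1's OPEN as seen by FGT2
    if not orf_negotiated(fgt2_mode, fgt1_modes):
        return list(fgt1_networks)
    msg = route_refresh_with_orf(encode_prefix_orf_entries(fgt2_prefix_list_in))  # FGT2 -> FGT1
    rules = parse_route_refresh_orf(msg)                                          # installed on FGT1
    return [n for n in fgt1_networks if orf_permits(rules, n)]


# Constructed data mirroring the article: FGT1's three networks and FGT2's list "Net_1.1.1.1".
FGT1_NETWORKS = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"]
NET_1_1_1_1 = [(1, True, "1.1.1.1/32", 0, 0)]

if __name__ == "__main__":
    print("ORF negotiated:    ", advertise(FGT1_NETWORKS, NET_1_1_1_1))
    print("FGT1 not receiving:", advertise(FGT1_NETWORKS, NET_1_1_1_1, fgt1_mode=ORF_SEND))
```

The second call models the misconfiguration the note above warns about: if FGT1 announces only 'send', FGT2's entries are never pushed and FGT1 advertises all three prefixes, leaving FGT2 to drop two of them after receipt.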

Related Articles

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-BGP-route-advertisement-wit...
