FortiGate
Hsharma
Staff
Article Id 334368
Description This article describes how to check AS path information sent by the firewall to the BGP neighbor in Wireshark.
Scope FortiGate.
Solution

FortiGate sends the AS PATH to its BGP neighbor. Sometimes the advertised-routes output on the firewall does not accurately show the AS PATH that is actually sent to the BGP neighbor.

 

Router1 # get router info bgp nei x.x.x.x advertised-route
BGP table version is 13, local router ID is y.y.y.y.y
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop     Metric  LocPrf  Weight  RouteTag  Path
...
*> 10.22.22.0/24    10.90.1.2    0       100     32768   0         16899 <-/->

   

From the above output, it appears that the FortiGate is sending the public AS path 16899 to its neighbor. However, it is possible that the neighbor also receives the private AS PATH of the FortiGate, which should not be advertised globally over BGP.

 

To check the exact AS PATH sent by the FortiGate, follow the procedure below.

 

  1. Run the sniffer on port 179 for the neighbor's IP address.

diagnose sniffer packet any "host x.x.x.x and port 179" 6 0 l

  2. Keep the sniffer running and clear the BGP session for that neighbor so that the BGP information is exchanged again.

execute router clear bgp ip x.x.x.x soft (in/out)

  3. Stop the sniffer with CTRL+C and download the sniffer output.

  4. Convert the sniffer output into a PCAP file and analyze the PCAP in Wireshark. Refer to the following article to convert the sniffer output into PCAP:
    Technical Tip: How to import 'diagnose sniffer packet' data to WireShark - Ethereal application

  5. The AS PATH information can be seen in the UPDATE message.
 


 

In this example capture, the FortiGate is sending 16899, 65001, and 16899 as the AS PATH to its neighbor.
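The same check can be scripted against the raw bytes of the UPDATE message taken from the capture. The Python below is an added example, not Fortinet code: it extracts the AS_PATH attribute and lists any private ASNs (RFC 6996 ranges). The function names and the sample message are constructed for illustration, and 4-byte ASN encoding is assumed (pass asn_len=2 for a session without 4-byte AS support).

```python
import struct

# Private-use ASN ranges from RFC 6996 (16-bit and 32-bit).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def as_path_from_update(msg, asn_len=4):
    """Return the ASNs carried in the AS_PATH of one raw BGP UPDATE message."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != 2 or length > len(msg):
        raise ValueError("not a complete UPDATE message")
    (withdrawn_len,) = struct.unpack("!H", msg[19:21])
    pos = 21 + withdrawn_len
    (attrs_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2
    end = pos + attrs_len
    if end > length:
        raise ValueError("path attributes overrun the message")
    path = []
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & 0x10:                       # extended-length attribute
            (alen,) = struct.unpack("!H", msg[pos + 2:pos + 4])
            pos += 4
        else:
            alen = msg[pos + 2]
            pos += 3
        seg = pos
        while code == 2 and seg < pos + alen:  # AS_PATH: walk each segment
            count = msg[seg + 1]
            fmt = "!%d%s" % (count, "I" if asn_len == 4 else "H")
            path.extend(struct.unpack(fmt, msg[seg + 2:seg + 2 + count * asn_len]))
            seg += 2 + count * asn_len
        pos += alen
    return path

def private_asns(path):
    return [asn for asn in path if is_private(asn)]

def build_sample_update():
    """Constructed UPDATE for 10.22.22.0/24 with AS_PATH 16899 65001 16899."""
    as_path = bytes([0x40, 2, 14, 2, 3]) + struct.pack("!3I", 16899, 65001, 16899)
    attrs = bytes([0x40, 1, 1, 0]) + as_path + bytes([0x40, 3, 4, 10, 90, 1, 2])
    body = struct.pack("!HH", 0, len(attrs)) + attrs + bytes([24, 10, 22, 22])
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body
```

Calling private_asns(as_path_from_update(build_sample_update())) returns the private ASN 65001 that the advertised-route output did not show.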

 

After confirming the AS-PATH, the desired action can be taken depending on the network requirements. If the private AS-PATH needs to be removed, refer to the following article:
Technical Tip: How to use 'remove-private-as' and 'set-aspath-action replace' to hide private AS in ...