akileshc
Staff
Article Id 364460
Description

In OSPF, Type 5 LSAs (AS-external-LSA) are used to advertise external routes into the OSPF domain. When a route is redistributed from BGP into OSPF, the default behavior is to set the forwarder address in the Type 5 LSA to the next-hop IP address of the route learned via BGP.

In some scenarios, it might be preferable to configure FortiGate to advertise its own interface IP address as the forwarder address. This article provides details and configuration steps to achieve this.

Scope

FortiGate.

Solution

Configuration Steps:

  1. Create a Prefix List to Match Specific Routes:

Define a prefix list to identify the specific routes for which the forwarder address will be modified:


config router prefix-list
    edit "FWD_ADDR_LIST"
        config rule
            edit 1
                set prefix 172.26.1.0 255.255.255.192
                unset ge
                unset le
            next
        end
    next
end

  2. Configure a Route Map to Set the Forwarder Address:

Create a route map that sets the next-hop IP address for the matched prefixes. Rule 2 is left empty so that routes not matched by rule 1 are still redistributed unchanged:


config router route-map
    edit "FWD_ADDR_CHANGE"
        config rule
            edit 1
                set match-ip-address "FWD_ADDR_LIST"
                set set-ip-nexthop 172.16.30.1
            next
            edit 2
            next
        end
    next
end

  3. Enable Redistribution of BGP into OSPF:

Configure the FortiGate to redistribute BGP routes into OSPF and apply the route map to the redistribution:


config router ospf
    config redistribute "bgp"
        set status enable
        set routemap "FWD_ADDR_CHANGE"
    end
end

Verification:
After applying the changes, verify the Type 5 LSA database on a receiving router or FortiGate to confirm that the forwarder address has been updated.

Before Applying the Configuration:
Run the following command on the receiving router:

get router info ospf database external lsa | grep 172.26.1.0 -A 10 -B 5


Example output:

AS External Link States

LS age: 39
Options: 0x2 (*|-|-|-|-|-|E|-)
LS Type: AS-external-LSA
Link State ID: 172.26.1.0 (External Network Number)
Advertising Router: 172.16.30.1
LS Seq Number: 8000002d
Checksum: 0x0f12
Length: 36
Network Mask: /26
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 10
Forward Address: 10.10.1.2
External Route Tag: 0

After Applying the Configuration:
Run the same command again to observe the updated forwarder address:

get router info ospf database external lsa | grep 172.26.1.0 -A 10 -B 5

Example output:

AS External Link States

LS age: 23
Options: 0x2 (*|-|-|-|-|-|E|-)
LS Type: AS-external-LSA
Link State ID: 172.26.1.0 (External Network Number)
Advertising Router: 172.16.30.1
LS Seq Number: 8000002e
Checksum: 0xbe9c
Length: 36
Network Mask: /26
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 10
Forward Address: 172.16.30.1
External Route Tag: 0

Explanation of Changes:

  1. Before Configuration: The forwarder address in the Type 5 LSA is the next-hop IP address of the route learned via BGP (10.10.1.2).
  2. After Configuration: The forwarder address is updated to the advertising FortiGate's interface IP address (172.16.30.1).
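
The verification step above can be scripted on an admin host. The following is an added example, not part of the original article or Fortinet tooling: it parses saved output of the command shown above and reports, for a given prefix, whether each Type 5 LSA carries the expected Forward Address. The function names and the abridged sample input are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the article's "before" LSA, abridged to the fields the
# parser reads; AFTER is the same LSA with the updated Forward Address.
BEFORE = """\
LS Type: AS-external-LSA
Link State ID: 172.26.1.0 (External Network Number)
Advertising Router: 172.16.30.1
Network Mask: /26
Forward Address: 10.10.1.2
"""
AFTER = BEFORE.replace("Forward Address: 10.10.1.2", "Forward Address: 172.16.30.1")

FIELD = re.compile(
    r"^\s*(LS Type|Link State ID|Advertising Router|Network Mask|Forward Address):\s*(\S+)")
REQUIRED = {"Link State ID", "Network Mask", "Forward Address"}

def parse_external_lsas(text):
    """Split CLI output into one dict per AS-external-LSA (hypothetical helper)."""
    lsas, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "LS Type":  # each "LS Type" line starts a new record
            cur = {} if val == "AS-external-LSA" else None
            if cur is not None:
                lsas.append(cur)
        elif cur is not None:
            cur[key] = val
    return lsas

def check_forward_address(text, prefix, expected):
    """Return (advertising_router, forward_address, ok) per LSA matching prefix."""
    want = ipaddress.ip_network(prefix)
    results = []
    for lsa in parse_external_lsas(text):
        if not REQUIRED <= set(lsa):
            continue  # record cut short by the grep context window; do not guess
        net = ipaddress.ip_network(lsa["Link State ID"] + lsa["Network Mask"], strict=False)
        if net == want:
            fwd = lsa["Forward Address"]
            results.append((lsa.get("Advertising Router"), fwd, fwd == expected))
    return results

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, check_forward_address(out, "172.26.1.0/26", "172.16.30.1"))
```

Because the Forward Address decides where other OSPF routers send traffic for the external prefix, a result with ok set to False after the change is applied is worth investigating.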