FortiGate
acvaldez
Staff
Article Id 191035

Description


This article describes how to use an access-list in a route-map to deny specific routes received from a BGP neighbor.


Scope

 


Solution

 

This example shows how to create an inbound route-map (route-map-in) on FortiGate2 whose access-list rule denies the 10.10.30.0/24 prefix advertised by FortiGate1, while every other prefix is still accepted.

Configuration.

FortiGate1 BGP GUI configuration:
 
 
FortiGate2 BGP GUI configuration:
 

 
FortiGate2 CLI configuration to deny the 10.10.30.0/24 network and allow any other network:
 
Access-list:
 
show router access-list

config router access-list
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set prefix 10.10.30.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ALLOW_OTHER"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
end
 
Route-map:

show router route-map

config router route-map
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set action deny
                set match-ip-address "BLOCK_10.10.30.0/24"
            next
            edit 2
                set match-ip-address "ALLOW_OTHER"
            next
        end
    next
end
 
Note: if the second access-list 'ALLOW_OTHER', with the prefix set to 'any', is not referenced by a rule in the route-map, no prefix is accepted at all, including prefixes that are never named in a deny rule. A route-map ends with an implicit deny, so every prefix that matches none of its rules is dropped. There must therefore be a rule with the action set to 'permit' that matches the subnet(s) that should be received (or advertised). 'set action permit' does not appear in rule 2 above because permit is the default action of a route-map rule and default values are not displayed.

Also note that 'set exact-match enable' in the BLOCK_10.10.30.0/24 access-list matches only a route to exactly 10.10.30.0/24. A more specific route such as 10.10.30.0/25 does not match rule 1 and is permitted by rule 2. To deny everything inside 10.10.30.0/24, disable exact-match on that access-list rule, or match a prefix-list with 'set le 32' instead of the access-list.
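Worked example (added here; it is not Fortinet code and not part of the original article): a small Python model of this route-map and its access-lists, so that a filter can be checked against a list of prefixes before it is applied to a live peer. It assumes the FortiOS semantics stated in its docstring (first matching rule decides, implicit deny at the end of a route-map, exact-match meaning an identical prefix and length), which should be verified against the FortiOS version in use. It evaluates the three prefixes from this lab plus a constructed more-specific 10.10.30.0/25; the HARDENED_ROUTE_MAP variant is hypothetical.

```python
"""Model of how a FortiGate route-map filters inbound BGP prefixes.

Added example, not Fortinet code. Semantics modelled here are assumptions
to verify on the FortiOS version in use:
  * route-map rules are tried in sequence; the first rule whose access-list
    matches decides, using the rule action (default permit);
  * a route-map ends with an implicit deny, so a prefix matching no rule
    is dropped;
  * an access-list rule with exact-match enabled matches only the identical
    prefix and length; with exact-match disabled it also matches any
    more-specific prefix inside it; prefix "any" matches everything;
  * an access-list 'deny' entry makes the access-list not match, so the next
    route-map rule is tried.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class AclRule:
    prefix: str                 # "any" or "a.b.c.d/len"
    exact_match: bool = True
    action: str = "permit"      # access-list rule action, default permit

    def matches(self, route: IPv4Network) -> bool:
        if self.prefix == "any":
            return True
        net = ip_network(self.prefix)
        return route == net if self.exact_match else route.subnet_of(net)


def acl_matches(acl: list[AclRule], route: IPv4Network) -> bool:
    """First matching entry decides; no match, or a deny entry, means the
    access-list does not match this route."""
    for entry in acl:
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapRule:
    access_list: tuple[AclRule, ...]
    action: str = "permit"      # default action of a route-map rule


def evaluate(route_map: list[RouteMapRule], prefix: str) -> str:
    """Return 'permit' or 'deny' for one received prefix."""
    route = ip_network(prefix)
    for rule in route_map:
        if acl_matches(list(rule.access_list), route):
            return rule.action
    return "deny"               # implicit deny at the end of every route-map


def filter_prefixes(route_map: list[RouteMapRule], prefixes: list[str]) -> dict[str, str]:
    return {p: evaluate(route_map, p) for p in prefixes}


# Access-lists and route-map as configured on FortiGate2 in the article.
BLOCK_10_10_30 = (AclRule("10.10.30.0/24", exact_match=True),)
ALLOW_OTHER = (AclRule("any"),)
ARTICLE_ROUTE_MAP = [RouteMapRule(BLOCK_10_10_30, action="deny"),
                     RouteMapRule(ALLOW_OTHER)]

# Same route-map without rule 2: nothing survives the implicit deny.
WITHOUT_ALLOW_OTHER = [RouteMapRule(BLOCK_10_10_30, action="deny")]

# Hypothetical hardened variant: exact-match disabled so that more-specifics
# inside 10.10.30.0/24 are denied as well.
HARDENED_ROUTE_MAP = [RouteMapRule((AclRule("10.10.30.0/24", exact_match=False),),
                                   action="deny"),
                      RouteMapRule(ALLOW_OTHER)]

# Prefixes FortiGate1 advertises in the lab, plus a constructed
# more-specific to show what exact-match lets through.
RECEIVED = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.30.0/25"]

if __name__ == "__main__":
    for name, rm in [("article", ARTICLE_ROUTE_MAP),
                     ("no ALLOW_OTHER", WITHOUT_ALLOW_OTHER),
                     ("hardened", HARDENED_ROUTE_MAP)]:
        print(name, filter_prefixes(rm, RECEIVED))
```

Running it reproduces the lab result (10.10.10.0/24 and 10.10.20.0/24 permitted, 10.10.30.0/24 denied), shows every prefix denied once rule 2 is removed, and shows 10.10.30.0/25 passing the exact-match rule but not the hardened one. An aggregate such as 10.10.28.0/22 still passes both variants, since neither rule matches a supernet; a policy that must keep the whole range out has to deny that case explicitly too.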
 
Assign that route-map as the route-map-in of the FortiGate1 neighbor in the FortiGate2 BGP configuration:

config router bgp
    config neighbor
        edit "192.168.175.230"
            set route-map-in "BLOCK_10.10.30.0/24"
        next
    end
end

show router bgp
 
    config router bgp
        set as 20
        set router-id 192.168.175.231
            config neighbor
                edit "192.168.175.230"
                    set remote-as 10
                    set route-map-in "BLOCK_10.10.30.0/24"
                next
            end
            config redistribute "connected"
            end
            config redistribute "rip"
            end
            config redistribute "ospf"
            end
            config redistribute "static"
            end
            config redistribute "isis"
            end
end
 
Clear the BGP peering so that the new inbound policy is applied to the routes already received from the neighbor. Either clear the session with the AS of FortiGate1 (AS 10 in this lab):

execute router clear bgp as 10

or clear every BGP session:

execute router clear bgp all

Both are hard resets: the session is torn down and every route learned from the peer is withdrawn until it re-establishes, which is disruptive in production. If soft-reconfiguration is enabled for the neighbor or the peer supports route refresh, a soft inbound reset re-applies the route-map without dropping the session:

execute router clear bgp ip 192.168.175.230 soft in


Troubleshooting.
To confirm that the prefix is being denied, enable BGP debugging on FortiGate2 and watch the inbound UPDATE being processed:

diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable

 

Note: to stop the BGP debugging afterwards, run these commands:

diagnose debug disable
diagnose ip router bgp all disable
diagnose ip router bgp level none

 

Here is the sample result:

 

BGP: [NETWORK] Accept Thread: Incoming conn from host 192.168.175.230 (FD=24)
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 14

BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 3
BGP: 192.168.175.230-Outgoing [NETWORK] FD=24, Sock Status: 0-Success
BGP: 192.168.175.230-Outgoing [FSM] State: Connect Event: 17
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Ver 4 MyAS 20 Holdtime 180
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 1, length 61
BGP: 192.168.175.230-Outgoing [DECODE] Open: Optional param len 32
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 192.168.175.230-Outgoing [FSM] State: OpenSent Event: 19
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 192.168.175.230-Outgoing [ENCODE] Keepalive: 28 KAlive msg(s) sent
BGP: bgp_keepalive_proc: notif_rcv 4-4
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 192.168.175.230-Outgoing [DECODE] KAlive: Received!
BGP: 192.168.175.230-Outgoing [FSM] State: OpenConfirm Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 2, length 55
BGP: 192.168.175.230-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (36), msg_size (36)
BGP: 192.168.175.230-Outgoing [DECODE] Update: NLRI Len(12)
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 34
BGP: [RIB] Scanning BGP Network Routes...
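As an added example (not from the article or from Fortinet), the following Python script extracts the same information from the debug output programmatically, so that a long capture from a peer advertising many prefixes can be checked instead of read by eye. It relies on the three message formats visible above ('Received Prefix', 'denied due to route-map', '%BGP-5-ADJCHANGE'), which other FortiOS versions may word differently, and on constructed sample lines: the lines from this lab plus one hypothetical 'Received Prefix 10.10.30.0/25' line standing in for a more-specific route that an exact-match access-list would let through.

```python
"""Parse 'diagnose ip router bgp' output to verify what the inbound
route-map accepted and what it denied.

Added example, not Fortinet code. The regular expressions match the message
shapes seen in this article's debug output; treat them as assumptions for
other FortiOS versions.
"""
import re
from ipaddress import ip_network

RE_RECEIVED = re.compile(r"\[RIB\] Update: Received Prefix (\S+)")
RE_DENIED = re.compile(r"\[RIB\] Update: Prefix (\S+) denied due to route-map")
RE_ADJ = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)")


def summarize_bgp_debug(lines):
    """Return accepted prefixes, route-map-denied prefixes and adjacency
    changes, each in the order they appear in the capture."""
    summary = {"accepted": [], "denied": [], "adjacency": []}
    for line in lines:
        if m := RE_RECEIVED.search(line):
            summary["accepted"].append(m.group(1))
        elif m := RE_DENIED.search(line):
            summary["denied"].append(m.group(1))
        elif m := RE_ADJ.search(line):
            summary["adjacency"].append((m.group(1), m.group(2)))
    return summary


def leaked_prefixes(summary, blocked_networks):
    """Accepted prefixes that fall inside a network the policy was meant to
    block. Anything returned here passed the route-map and should not have
    (for example a more-specific slipping past an exact-match rule)."""
    blocked = [ip_network(n) for n in blocked_networks]
    return [p for p in summary["accepted"]
            if any(ip_network(p).subnet_of(b) for b in blocked)]


# Constructed sample: the lines from this lab's debug output, followed by one
# hypothetical line for a more-specific prefix that is not in the article.
SAMPLE_DEBUG = [
    'id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "',
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24",
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map",
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24",
    "BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.30.0/25",  # constructed
]

if __name__ == "__main__":
    result = summarize_bgp_debug(SAMPLE_DEBUG)
    print("accepted:", result["accepted"])
    print("denied:  ", result["denied"])
    print("leaked:  ", leaked_prefixes(result, ["10.10.30.0/24"]))
```

With only the lines from this lab the leak check returns nothing; the constructed /25 line makes it report 10.10.30.0/25, which is the case a hard-coded check for the exact string '10.10.30.0/24' would miss.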

 

To make sure that the route 10.10.30.0/24 is not installed in the routing table of FortiGate2, run this command ('get router info bgp network' can be used in the same way to confirm that the prefix is absent from the BGP table itself):

 

get router info routing-table all

 

Here is the result of this lab:

 

get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1