FortiGate
akileshc
Staff
Article Id 393232
Description This article describes the behavior when the database-filter-out option is enabled on a FortiGate OSPF interface. 
Scope FortiGate (All supported models/firmware).
Solution

The database-filter-out option suppresses the transmission of LSAs (Link State Advertisements) to the neighbor on that interface. This prevents the neighbor from learning routes originating from the advertising router, such as external routes or redistributed routes. The OSPF adjacency remains fully established, and DBD (Database Description) packets are still exchanged, but they do not contain any LSA headers.

Network Setup:

[Figure: Network-Diagram.png]

Step 1: Review OSPF Interface Configuration on FGTA.

config router ospf
    set router-id 1.1.1.1
    config ospf-interface
        edit "vd1-ospf"
            set interface "vlan10"
            set database-filter-out enable
            set mtu-ignore enable
        next
    end
end


Step 2: Check OSPF Database on Neighbor (FGTB).

Before enabling 'database-filter-out':

get router info ospf database brief

OSPF Router with ID (2.2.2.2) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#       CkSum   Flag   Link count
1.1.1.1         1.1.1.1         665   80000007   8f8b    0012   2
2.2.2.2         2.2.2.2         780   8000001b   8b5d    0031   1

Net Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#       CkSum   Flag
10.10.10.2      2.2.2.2         370   80000004   38ea    0031

AS External Link States

Link ID         ADV Router      Age   Seq#       CkSum   Flag   Route                Tag
172.16.10.0     1.1.1.1         515   80000004   2fcb    0012   E2 172.16.10.0/24    0

After enabling 'database-filter-out':

get router info ospf database brief

OSPF Router with ID (2.2.2.2) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#       CkSum   Flag   Link count
2.2.2.2         2.2.2.2         4     80000003   b150    0021   1

Step 3: Check Routing Table on Neighbor.

get router info routing-table ospf

Before: O E2 172.16.10.0/24 via 10.10.10.1
After: <No route available>
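To confirm from a script that the filter has taken effect on the neighbor (for example as part of a change-control check after Steps 1 to 3), the following added Python example, which is not Fortinet code and not part of the original article, parses the output of 'get router info ospf database brief' into LSA records and reports which LSAs from a given advertising router have disappeared. The BEFORE and AFTER strings are the FGTB output quoted above; the function names are the example's own, and the section-banner pattern assumes the standard FortiOS section titles.

```python
"""Parse 'get router info ospf database brief' output from a FortiGate OSPF
neighbor and check which LSAs from a given advertising router disappeared
after 'database-filter-out' was enabled on the peer interface."""
import re
from dataclasses import dataclass

# Section banners as printed by 'get router info ospf database brief'
# (assumed to cover the section titles FortiOS uses).
SECTION_RE = re.compile(
    r"^(Router|Net|Summary|ASBR-Summary|AS External|NSSA-external) Link States"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Sample input: the neighbor's (FGTB) database output quoted in the article,
# before and after the filter was enabled on FGTA's interface.
BEFORE = """\
OSPF Router with ID (2.2.2.2) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag Link count
1.1.1.1 1.1.1.1 665 80000007 8f8b 0012 2
2.2.2.2 2.2.2.2 780 8000001b 8b5d 0031 1

Net Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag
10.10.10.2 2.2.2.2 370 80000004 38ea 0031

AS External Link States

Link ID ADV Router Age Seq# CkSum Flag Route Tag
172.16.10.0 1.1.1.1 515 80000004 2fcb 0012 E2 172.16.10.0/24 0
"""

AFTER = """\
OSPF Router with ID (2.2.2.2) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag Link count
2.2.2.2 2.2.2.2 4 80000003 b150 0021 1
"""


@dataclass(frozen=True)
class Lsa:
    lsa_type: str    # section name: "Router", "Net", "AS External", ...
    link_id: str
    adv_router: str
    age: int
    seq: str


def parse_database_brief(text: str) -> list[Lsa]:
    """Turn the brief database listing into a list of Lsa records."""
    lsas: list[Lsa] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        fields = line.split()
        # Skip the router banner, the column labels and anything that
        # does not start with a Link ID; only the first four columns are kept.
        if section is None or len(fields) < 4 or not IPV4_RE.match(fields[0]):
            continue
        lsas.append(Lsa(section, fields[0], fields[1], int(fields[2]), fields[3]))
    return lsas


def lsas_from(lsas: list[Lsa], adv_router: str) -> list[Lsa]:
    """LSAs originated by one advertising router."""
    return [lsa for lsa in lsas if lsa.adv_router == adv_router]


def suppressed_lsas(before_text: str, after_text: str, adv_router: str) -> list[tuple[str, str]]:
    """(type, link_id) pairs from adv_router present before but absent after."""
    before = {(x.lsa_type, x.link_id) for x in lsas_from(parse_database_brief(before_text), adv_router)}
    after = {(x.lsa_type, x.link_id) for x in lsas_from(parse_database_brief(after_text), adv_router)}
    return sorted(before - after)


def peer_is_filtered(after_text: str, adv_router: str) -> bool:
    """True when the neighbor holds no LSA at all originated by adv_router,
    which is what the article shows once the filter is active."""
    return not lsas_from(parse_database_brief(after_text), adv_router)


if __name__ == "__main__":
    for lsa_type, link_id in suppressed_lsas(BEFORE, AFTER, "1.1.1.1"):
        print(f"missing on neighbor: {lsa_type} LSA {link_id} from 1.1.1.1")
    print("peer fully filtered:", peer_is_filtered(AFTER, "1.1.1.1"))
```

Running it against the article's output lists the Router-LSA 1.1.1.1 and the AS-External-LSA 172.16.10.0 as the entries that vanished from FGTB's database, matching the packet-capture observation that follows. Feeding it two captures taken from a live neighbor (before and after the change) gives the same check without reading the table by eye.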

Packet Capture Analysis on FortiGate A:

Before Enabling 'database-filter-out':

LSA Headers Present:

  • Type 1 (Router-LSA), ID: 1.1.1.1.
  • Type 5 (AS-External-LSA), ID: 172.16.10.0.

[Figure: DD-Filter-DISABLE.png]

After Enabling 'database-filter-out':

  • No LSA Headers Present.
  • Flags: Init, More, Master.

[Figure: DD-Filter-Enable.png]

Expected Behavior:

Feature               Behavior with `database-filter-out` enabled
--------------------  -------------------------------------------
OSPF Adjacency        Maintained
LSAs Sent             Suppressed (Types 1/3/5/etc.)
Routes Seen on Peer   Not Available
DBD Packets           Exchanged without LSA headers

Use Cases:

  • Suppress outbound LSA propagation toward specific peers.
  • Prevent routing loops during redistribution.
  • Isolate devices during controlled migrations or testing.

Additional Notes:

  • 'database-filter-out' is interface-specific.
  • Does not impact inbound LSA learning.