FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adimailig
Staff & Editor
Article Id 316238
Description: This article describes the behavior of prefix lists during route filtering and matching.
Scope: FortiGate.
Solution:

A prefix list is an ordered set of prefix rules that can be used to filter or match IP subnets or routes.
More details on prefix lists can be found in the FortiOS documentation under Prefix lists.

Unlike other configuration objects such as firewall policies and SD-WAN rules, prefix-list matching is performed by sequence ID: matching starts at the lowest sequence ID and proceeds to the highest until a rule matches.
This holds regardless of the order in which the rules appear in the configuration.
This behavior is also described in RFC 5292 (Address-Prefix-Based Outbound Route Filter for BGP-4).

Let's consider the example Prefix list and the result below:

[image: example prefix list with sequence IDs 1 to 4]

[image: resulting route matching for the example prefix list]

Based on the prefix list above, routes 10.10.0.0/24 (ID #1) and 10.10.1.0/24 (ID #2) are DENIED.
Route 10.10.2.0/24 (ID #4), however, is PERMITTED even though there is a DENY statement for it in the prefix list.
This is because the PERMIT statement matching ANY prefix under sequence ID #3 is evaluated before ID #4.
The prefix matching follows the 1 - 2 - 3 - 4 sequence in this example.
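The following is an added example, not code from the article or from Fortinet: a small Python model of prefix-list evaluation that walks rules by ascending sequence ID, whatever order they were entered in. It reproduces the article's four-rule example, then shows the same entries renumbered so that the specific deny sits below the catch-all permit. Two assumptions are labelled in the code: "permit any" is modelled as 0.0.0.0/0 with le 32, and a rule without ge/le matches only a route of exactly the rule's prefix length (the usual prefix-list semantics, not verified against FortiOS here).

```python
# Added example (not from the Fortinet article): a minimal model of
# prefix-list evaluation that matches rules in ascending sequence-ID
# order, regardless of the order in which the rules were entered.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list entry. ge/le widen the accepted prefix length;
    without them a route must have exactly the rule's prefix length
    (assumed standard prefix-list semantics)."""
    seq: int
    action: str            # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        if not route.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = route.max_prefixlen
        else:
            high = self.prefix.prefixlen
        return low <= route.prefixlen <= high


def evaluate(rules: Iterable[PrefixRule], route: IPv4Network) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first rule that matches, walking the
    list by sequence ID from lowest to highest. No match is an implicit
    deny, reported with seq=None."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action, rule.seq
    return "deny", None


# Constructed rules mirroring the article. They are deliberately listed
# out of sequence order (ID 4 before ID 3) to show that placement in the
# configuration does not affect the result. "permit any" is modelled as
# 0.0.0.0/0 le 32 (assumption).
EXAMPLE_RULES: List[PrefixRule] = [
    PrefixRule(1, "deny", IPv4Network("10.10.0.0/24")),
    PrefixRule(2, "deny", IPv4Network("10.10.1.0/24")),
    PrefixRule(4, "deny", IPv4Network("10.10.2.0/24")),
    PrefixRule(3, "permit", IPv4Network("0.0.0.0/0"), le=32),
]

# Same entries renumbered so the specific deny is evaluated before the
# catch-all permit: the fix if 10.10.2.0/24 was meant to be filtered.
RENUMBERED_RULES: List[PrefixRule] = [
    PrefixRule(1, "deny", IPv4Network("10.10.0.0/24")),
    PrefixRule(2, "deny", IPv4Network("10.10.1.0/24")),
    PrefixRule(3, "deny", IPv4Network("10.10.2.0/24")),
    PrefixRule(4, "permit", IPv4Network("0.0.0.0/0"), le=32),
]


def evaluate_example(cidr: str) -> Tuple[str, Optional[int]]:
    """Evaluate a route against the article's prefix list."""
    return evaluate(EXAMPLE_RULES, IPv4Network(cidr))


def evaluate_renumbered(cidr: str) -> Tuple[str, Optional[int]]:
    """Evaluate a route against the renumbered prefix list."""
    return evaluate(RENUMBERED_RULES, IPv4Network(cidr))


def rule_matches(rule_cidr: str, route_cidr: str,
                 ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """Check a single rule's ge/le handling against one route."""
    rule = PrefixRule(1, "permit", IPv4Network(rule_cidr), ge=ge, le=le)
    return rule.matches(IPv4Network(route_cidr))


if __name__ == "__main__":
    for cidr in ("10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"):
        print(f"{cidr:14} article list -> {evaluate_example(cidr)}, "
              f"renumbered -> {evaluate_renumbered(cidr)}")
```

Running the script prints 10.10.2.0/24 as permitted by ID 3 under the article's list and denied by ID 3 under the renumbered list; the rules' position in the Python list, like their position in the FortiGate configuration, plays no part in the outcome. The ge/le handling is included so the model also covers entries written for a range of prefix lengths rather than a single exact prefix.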