FortiGate
adimailig
Staff
Article Id 316268
Description: This article describes how to block the advertising and receiving of specific routes to/from BGP peers using a Route-Map and a Prefix-List.
Scope: FortiGate, BGP.
Solution

Network diagram:

BGP_1.JPG
BGP is established between FGT_A and FGT_B.
All LAN routes/subnets are being advertised and received by FGT_B.

FortiGate B:

get router info bgp neighbors 192.168.254.81 routes
VRF 0 BGP table version is 4, local router ID is 192.168.254.82
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.0.0/24 192.168.254.81 0 0 0 100 i <-/1>
*> 10.10.1.0/24 192.168.254.81 0 0 0 100 i <-/1>
*> 10.10.2.0/24 192.168.254.81 0 0 0 100 i <-/1>
*> 10.10.3.0/24 192.168.254.81 0 0 0 100 i <-/1>

Total number of prefixes 4


get router info bgp neighbors 192.168.254.81 advertised-routes
VRF 0 BGP table version is 4, local router ID is 192.168.254.82
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 20.20.0.0/24 192.168.254.82 100 32768 0 i <-/->
*> 20.20.1.0/24 192.168.254.82 100 32768 0 i <-/->
*> 20.20.2.0/24 192.168.254.82 100 32768 0 i <-/->
*> 20.20.3.0/24 192.168.254.82 100 32768 0 i <-/->


1. Block/Deny advertisement of 20.20.0.0/24 and 20.20.1.0/24 from FGT_B to FGT_A.

  1. Create a Prefix-List for the routes to block. Go to Network -> Routing-Objects -> Create New -> Prefix List.
  2. Create a rule to permit 20.20.0.0/24 and 20.20.1.0/24. The permit entry in the Prefix-List only selects the prefixes; the actual deny is applied by the Route-Map rule that references this list. Optionally, set ge and le to make the configuration simpler. See Technical Tip: 'How to combine operators 'ge' and 'le' in prefix-list for route-map for filtering BG....

BGP_2.JPG

  3. Create a Prefix-List for Any routes.

BGP_3.JPG

  4. Create a Route-Map that denies the routes 20.20.0.0/24 and 20.20.1.0/24 (matched by the block Prefix-List) and then permits all other prefixes (matched by the Any Prefix-List). Go to Network -> Routing-Objects -> Create New -> Route Map.

BGP_4.JPG

  5. Apply the Route-Map on the BGP neighbor configuration in the outgoing direction. Go to Network -> BGP -> Neighbor -> Edit Neighbor (IP). Do not forget to select Apply to commit the changes.

BGP_5.JPG

  6. Soft reset the BGP peer (OUT) to refresh the BGP routing table without tearing down existing peering sessions. See Technical Tip: BGP soft reset to refresh BGP routing table without tearing down existing peering ses....

Result:

Routes 20.20.0.0/24 and 20.20.1.0/24 are not advertised to FGT_A.

On FGT_B:

execute router clear bgp ip 192.168.254.81 soft out

get router info bgp neighbors 192.168.254.81 advertised-routes
VRF 0 BGP table version is 8, local router ID is 192.168.254.82
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 20.20.2.0/24 192.168.254.82 100 32768 0 i <-/->
*> 20.20.3.0/24 192.168.254.82 100 32768 0 i <-/->

Total number of prefixes 2


2. Deny/Block receiving of 10.10.0.0/24 and 10.10.1.0/24 routes from FGT_A.

  1. Create a Prefix-List for the routes to block. Go to Network -> Routing-Objects -> Create New -> Prefix List.
  2. Create a rule to permit 10.10.0.0/24 and 10.10.1.0/24. As in section 1, the permit entry only selects the prefixes; the deny is applied by the Route-Map. Optionally, set ge and le to make the configuration simpler. See Technical Tip: 'How to combine operators 'ge' and 'le' in prefix-list for route-map for filtering BG....

BGP_6.JPG

  3. Create a Route-Map that denies receiving of the routes 10.10.0.0/24 and 10.10.1.0/24 (matched by the block Prefix-List) and then permits all other prefixes. Go to Network -> Routing-Objects -> Create New -> Route Map.

BGP_7.JPG

  4. Apply the Route-Map on the BGP neighbor configuration in the incoming direction. Go to Network -> BGP -> Neighbor -> Edit Neighbor (IP). Remember to select Apply to commit the changes.

BGP_8.JPG

  5. Soft reset the BGP peer (IN) to refresh the BGP routing table without tearing down existing peering sessions.
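The GUI steps of sections 1 and 2 expressed in the FortiOS CLI, as an added example that is not part of the original article. The object names BLOCK_OUT, BLOCK_IN, ANY, RM_OUT and RM_IN are assumptions; the peer address and prefixes are the ones from the network diagram above. Both filters are built in one pass because they share the Any Prefix-List.

```fortios
# Added example (not from the article): CLI equivalent of sections 1 and 2.
# Object names BLOCK_OUT, BLOCK_IN, ANY, RM_OUT and RM_IN are assumed;
# addresses come from the article's topology (configured on FGT_B).

# Prefix-lists only SELECT prefixes: a "permit" entry means "this prefix matches".
config router prefix-list
    edit "BLOCK_OUT"
        config rule
            edit 1
                set action permit
                set prefix 20.20.0.0 255.255.255.0
            next
            edit 2
                set action permit
                set prefix 20.20.1.0 255.255.255.0
            next
        end
    next
    edit "BLOCK_IN"
        config rule
            edit 1
                set action permit
                set prefix 10.10.0.0 255.255.255.0
            next
            edit 2
                set action permit
                set prefix 10.10.1.0 255.255.255.0
            next
        end
    next
    edit "ANY"
        config rule
            edit 1
                set action permit
                set prefix any
            next
        end
    next
end

# The deny happens in the route-map. Rule order matters: the deny rule comes
# first, and the final permit-ANY rule is required because a route that matches
# no rule is dropped (implicit deny at the end of a route-map).
config router route-map
    edit "RM_OUT"
        config rule
            edit 1
                set action deny
                set match-ip-address "BLOCK_OUT"
            next
            edit 2
                set action permit
                set match-ip-address "ANY"
            next
        end
    next
    edit "RM_IN"
        config rule
            edit 1
                set action deny
                set match-ip-address "BLOCK_IN"
            next
            edit 2
                set action permit
                set match-ip-address "ANY"
            next
        end
    next
end

# Bind the route-maps to the peer FGT_A: RM_OUT filters what FGT_B advertises,
# RM_IN filters what FGT_B accepts.
config router bgp
    config neighbor
        edit "192.168.254.81"
            set route-map-out "RM_OUT"
            set route-map-in "RM_IN"
        next
    end
end

# Refresh both directions without tearing down the session, then verify.
execute router clear bgp ip 192.168.254.81 soft out
execute router clear bgp ip 192.168.254.81 soft in
get router info bgp neighbors 192.168.254.81 advertised-routes
get router info bgp neighbors 192.168.254.81 routes
```

After the soft reset, the advertised-routes output should list only 20.20.2.0/24 and 20.20.3.0/24, and the routes output only 10.10.2.0/24 and 10.10.3.0/24, matching the results shown in this article. If the permit-ANY rule is omitted from either route-map, every prefix in that direction is filtered, so check the prefix counts in both outputs before and after the change.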

 
Result:

Routes 10.10.0.0/24 and 10.10.1.0/24 are not accepted by FGT_B.

On FGT_B:

execute router clear bgp ip 192.168.254.81 soft in

get router info bgp neighbors 192.168.254.81 routes
VRF 0 BGP table version is 10, local router ID is 192.168.254.82
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.2.0/24 192.168.254.81 0 0 0 100 i <-/1>
*> 10.10.3.0/24 192.168.254.81 0 0 0 100 i <-/1>

Total number of prefixes 2
