Created on 10-01-2020 04:34 AM
Edited on 04-24-2025 01:28 AM by Jean-Philippe_P
Description
This article describes how to block BGP (TCP port 179) on the WAN interface with a local-in policy, so that scans from external networks no longer see the port as open.
This also applies when port 179 shows as 'open' on addresses that belong to an IP pool defined on the FortiGate, even if that pool is not in use by any policy.
Scope
FortiGate.
Solution
In some scenarios it is necessary to block all BGP traffic that reaches the FortiGate itself from the WAN. Local-in policies control traffic destined to the FortiGate's own interfaces (as opposed to firewall policies, which govern traffic passing through the unit), so a local-in policy is the right place to drop unwanted BGP connections on WAN interfaces.
The following example blocks traffic to TCP port 179 on the wan1 interface. A custom service for port 179 is defined first and then referenced by the local-in policy.
config firewall service custom
edit "BGP"
set tcp-portrange 179
next
end
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr all
set dstaddr all
set action deny
set service BGP
set schedule always
next
end
To allow BGP traffic only from a specific peer while blocking it for all other networks, keep the deny action and enable source address negation. Specify the allowed address in the srcaddr field instead of all (the name must refer to an existing firewall address object). With srcaddr-negate enabled, the policy matches every source that is not in that object and denies it; traffic from the allowed source does not match the deny policy and is processed normally. Make sure the address object is correct before committing, because a wrong object will also block the legitimate BGP peer.
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr Allowed-BGP-source
set srcaddr-negate enable
set dstaddr all
set action deny
set service BGP
set schedule always
next
end
Note: If multiple WAN interfaces are present, configure a separate local-in policy for each additional WAN interface. A local-in policy bound to a WAN interface only blocks BGP traffic arriving on that interface; BGP communication on internal/LAN interfaces is not affected.
Troubleshooting:
To verify that the local-in policy is working, run the commands below, then attempt a connection to port 179 from the source host named in the filter (the filter can be narrowed further with diagnose debug flow filter port 179). The trace shows the packet being dropped by the local-in policy. When finished, stop the trace with diagnose debug flow trace stop and turn debugging off with diagnose debug disable so it is not left running.
diagnose debug reset
diagnose debug flow show function-name enable
diagnose debug flow filter addr <src ip>
diagnose debug enable
diagnose debug flow trace start 100
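The debug flow trace confirms the drop from the FortiGate side; it is also worth confirming the result from the outside, as a scanner would see it. The script below is an added example for this article, not FortiOS or Fortinet code. It probes TCP/179 on a list of addresses and classifies each as open (SYN-ACK received, the port is still exposed), closed (RST received, nothing is listening) or filtered (no reply before the timeout, which is what a deny local-in policy produces). The addresses in the default target list are constructed placeholders and must be replaced with the real WAN and IP-pool addresses; the demo() self-check runs against loopback only.

```python
"""Probe TCP/179 from an external host to confirm a FortiGate local-in policy.

Added example for this article (not Fortinet code). Standard library only.
"""
import socket
import sys

BGP_PORT = 179


def check_tcp_port(host: str, port: int = BGP_PORT, timeout: float = 3.0) -> str:
    """Classify a TCP port from the scanner's point of view.

    'open'        - handshake completed: the port is still reachable.
    'closed'      - RST received: nothing listens, but the host answers.
    'filtered'    - no reply before the timeout: packets are being dropped,
                    the expected result once the deny local-in policy applies.
    'unreachable' - no route / host unreachable, cannot conclude anything.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def scan(hosts, port: int = BGP_PORT, timeout: float = 3.0) -> dict:
    """Probe every host once and return {host: classification}."""
    return {host: check_tcp_port(host, port, timeout) for host in hosts}


def demo() -> tuple:
    """Self-check on loopback: a listening socket must report 'open', and the
    same port must report 'closed' once the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    while_closed = check_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, while_closed


if __name__ == "__main__":
    # Constructed placeholder targets (TEST-NET-2 range); pass the real WAN
    # and IP-pool addresses on the command line instead.
    targets = sys.argv[1:] or ["198.51.100.10", "198.51.100.11"]
    for host, result in scan(targets).items():
        print(f"{host}:{BGP_PORT} -> {result}")
```

Run it from a host outside the network before and after applying the policy: an address that moves from open to filtered confirms the deny policy is taking effect on that interface, and any IP-pool address that still reports open points at a WAN interface without a policy.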
From v7.6.0 onward, the local-in policy can also be configured via the GUI, see: Local-in policy.
Copyright 2025 Fortinet, Inc. All Rights Reserved.