Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
oguce
Staff
Staff

Created on ‎02-24-2022 09:39 AM Edited on ‎08-23-2024 08:53 AM By Moderator

Article Id 205500

Technical Tip: 'How to combine operators 'ge' and 'le' in prefix-list for route-map for filtering BGP routes'

Description

 

This article describes the combination of 'ge' (greater than or equal to) and 'le' (less than or equal to) in one prefix-list and route-map and an example of usage of it.

 

Scope

 

FortiGate prefix-list in 7.0.3.

 

Solution


In this example, two FortiGate firewalls are connected to each other via BGP.

FGT-2 is advertising to FGT-1 routes:

 

10.10.1.0/24

10.10.1.0/25

10.10.1.0/26

10.10.1.0/27

10.10.1.0/28

 

FGT-1 has no prefix-list now so it’s installing all those subnets in the routing table.

If one wants to install only some specific routes from a specific subnet range, for example in FGT-1 if a user wants to install only routes:

 

10.10.1.0/25

10.10.1.0/26

10.10.1.0/27

And deny 10.10.1.0/24, 10.10.1.0/28

 

Prefix-list / Route map comes into play.

 

Configuration of FGT-1 without filtering those routes:

=======================================================================

FGT-1 # show router bgp

config router bgp

    set as 6501

    set router-id 1.1.1.1

    config neighbor

        edit "172.18.18.3"             <----- FGT-2 peer ip address.

            set ebgp-enforce-multihop enable

            set soft-reconfiguration enable

            set remote-as 6500

        next

end

 

BGP route table looks like this:

 

==================================================================

FGT-1 # get router info bgp network

VRF 0 BGP table version is 3, local router ID is 1.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight RouteTag Path

*> 10.10.1.0/24     172.18.18.3              0             0        0 6500 ? <-/1>

*> 10.10.1.0/25     172.18.18.3              0             0        0 6500 ? <-/1>

*> 10.10.1.0/26     172.18.18.3              0             0        0 6500 ? <-/1>

*> 10.10.1.0/27     172.18.18.3              0             0        0 6500 ? <-/1>

*> 10.10.1.0/28     172.18.18.3              0             0        0 6500 ? <-/1>

 

Now configure a prefix-list to filter inbound routes to FGT-1 as below:

 

================================================================

# config router prefix-list

    edit "route-in"

        config rule

            edit 1

                set prefix 10.10.1.0 255.255.255.0

                set ge 25   -- match all prefixes greater than or equal to 25 subnet mask, so 25,26,27,28

                set le 27    -- match all prefix less than or equal to 27 subnet mask, so 27,26,25,24

            next

        end

    next

end

 

A combination of both 'ge' and 'le' will allow only subnets 10.10.1.0/25, 10.10.1.0/26, 10.10.1.0/27 to install in route table because subnets /25, /26, 27 are greater than/24 and less than/28:

 

24   ≤  25,26,27  ≤28

 

Now add the prefix-list in neighbor configuration in FGT-1 to filter inbound routes from FGT-2 as below:

 

=======================================================================

FGT-1 # show router bgp

config router bgp

    set as 6501

    set router-id 1.1.1.1

    config neighbor

        edit "172.18.18.3"

            set ebgp-enforce-multihop enable

            set soft-reconfiguration enable

            set prefix-list-in "route-in"     --- adding prefix-list

            set remote-as 6500

        next

    end

=======================================================================

 

After adding the prefix-list as a filter the routing table looks like this:

 

FGT-1 # get router info bgp network

VRF 0 BGP table version is 2, local router ID is 1.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight RouteTag Path

*> 10.10.1.0/25     172.18.18.3              0             0        0 6500 ? <-/1>

*> 10.10.1.0/26     172.18.18.3              0             0        0 6500 ? <-/1>

*> 10.10.1.0/27     172.18.18.3              0             0        0 6500 ? <-/1>

 

So subnets 10.10.1.0/24 and 10.10.1.0/28 are not accepted by FGT-1 and not installed in routing table.

 

The same outcome can be achieved by using the inverse logic, denying the prefix 10.10.1.0/24, 10.10.1.0/28 and allowing everything else:

 

config router prefix-list

edit "route-in"

config rule

edit 1

set action deny

set prefix 10.10.1.0 255.255.255.0

unset ge

unset le

next

edit 2

set action deny

set prefix 10.10.1.0 255.255.255.240

unset ge

unset le

next

edit 3

set prefix 0.0.0.0 0.0.0.0

unset ge

set le 32

next

end

next

end

 

The prefix 0.0.0.0/0 le 32 means all routes with all subnet masks less than or equal to 32, matching every possible prefix.

Labels:
20180
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.