FortiGate
syordanov
Staff
Article Id 349113
Description This article describes how to filter in a BGP neighbor-group based on remote-AS.
Scope Starting from 7.4.4 GA and 7.6.0 GA
Solution

FortiOS 7.4.4 and 7.6.0 introduce a new feature that allows multiple remote Autonomous Systems (AS) to be assigned to a single BGP neighbor group. This is done using AS path lists. The feature offers increased flexibility in managing BGP configurations.

[Image: Fortigate_AS-path-diagram.PNG]

FortiGate-1 BGP configuration:

config router bgp
    set as 65513
    set router-id 1.1.1.1
    config neighbor-group
        edit "1"
            set remote-as-filter "allow_AS_list"
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.168.1.0 255.255.255.0
            set neighbor-group "1"
        next
    end
end

config router aspath-list
    edit "allow_AS_list"
        config rule
            edit 1
                set action permit
                set regexp "^6551[2-3]$"
            next
        end
    next
end

FortiGate-2 BGP configuration:

config router bgp
    set as 65512
    set router-id 3.3.3.3
    config neighbor
        edit "192.168.1.99"
            set remote-as 65513
        next
    end
    config network
        edit 1
            set prefix 192.168.200.0 255.255.255.0
        next
    end
end

FortiGate-3 BGP configuration:

config router bgp
    set as 65513
    set router-id 2.2.2.2
    config neighbor
        edit "192.168.1.99"
            set remote-as 65513
        next
    end
    config network
        edit 1
            set prefix 192.168.201.0 255.255.255.0
        next
    end
end

For simplicity, FortiGate-2 advertises network 192.168.200.0/24 and FortiGate-3 advertises network 192.168.201.0/24. FortiGate-1 filters its dynamic neighbors with the AS path list, using the newly introduced commands shown below. In the provided example, the regular expression '^6551[2-3]$' is used, which permits only AS numbers of the form 6551*, where * is 2 or 3. This range can be extended or modified as needed.

config router aspath-list
    edit "as123_only"
        config rule                    <- Multiple rules can be added.
            edit 1
                set action permit      <- Can be set to permit or deny.
                set regexp "[123]"
            next
        end
    next
end

Output from FortiGate-1:
get router info bgp summary

VRF 0 BGP router identifier 1.1.1.1, local AS number 65513
BGP table version is 6
2 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 15 seconds

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.1.113 4 65512 10 10 5 0 0 00:00:33 1
192.168.1.117 4 65513 16 23 5 0 0 00:01:10 1

Total number of neighbors 2
get router info routing-table bgp
Routing table for VRF=0
B 192.168.200.0/24 [20/0] via 192.168.1.113 (recursive is directly connected, lan), 00:00:08, [1/0]
B 192.168.201.0/24 [200/0] via 192.168.1.117 (recursive is directly connected, lan), 00:00:49, [1/0]
If the AS of FortiGate-2 is changed to 65514, for example, then FortiGate-1 will have only one BGP session, because AS 65514 does not match the configured regex for aspath-list.
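The following Python script is an added example, not Fortinet code, that models the remote-AS filtering decision described in this article and checks it against the `get router info bgp summary` output above (copied here as a constructed string). It assumes that aspath-list rules are evaluated in order with the first matching rule deciding, that a remote AS matching no rule is denied (the article's own AS 65514 case shows the implicit deny; the first-match ordering is an assumption), and that Python's `re` module agrees with FortiOS for these simple patterns. The function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# One aspath-list rule: ("permit" | "deny", regexp as written in the FortiOS CLI).
Rule = Tuple[str, str]


def evaluate_aspath_list(rules: List[Rule], remote_as: int) -> bool:
    """Return True if a dynamic peer with this remote AS is accepted.

    Assumption (not stated in the article): rules are checked in order and
    the first match decides. A remote AS that matches no rule is denied,
    which is the behaviour the article shows for AS 65514.
    """
    as_text = str(remote_as)
    for action, pattern in rules:
        if re.search(pattern, as_text):
            return action == "permit"
    return False  # implicit deny


# The two aspath-lists from the article.
ALLOW_AS_LIST: List[Rule] = [("permit", r"^6551[2-3]$")]
AS123_ONLY: List[Rule] = [("permit", r"[123]")]          # unanchored, as written
AS123_ANCHORED: List[Rule] = [("permit", r"^[123]$")]    # anchored variant for comparison

# Constructed sample: the neighbor table from the article's summary output.
SUMMARY_OUTPUT = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.1.113 4 65512 10 10 5 0 0 00:00:33 1
192.168.1.117 4 65513 16 23 5 0 0 00:01:10 1

Total number of neighbors 2
"""


def parse_bgp_summary(text: str) -> List[Tuple[str, int, str]]:
    """Extract (neighbor IP, remote AS, State/PfxRcd) from summary output.

    Neighbor rows have ten whitespace-separated fields and start with an
    IPv4 address; the header row and the totals line are skipped.
    """
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 10 and re.match(r"^\d+\.\d+\.\d+\.\d+$", fields[0]):
            peers.append((fields[0], int(fields[2]), fields[9]))
    return peers


def audit_peers(rules: List[Rule], text: str) -> Dict[str, bool]:
    """Map each neighbor in the summary to whether the filter permits its AS.

    A False entry for an established peer would mean a session exists with
    an AS the filter was not meant to allow, which is worth investigating.
    """
    return {ip: evaluate_aspath_list(rules, asn) for ip, asn, _ in parse_bgp_summary(text)}


if __name__ == "__main__":
    for asn in (65512, 65513, 65514):
        print(asn, "permitted" if evaluate_aspath_list(ALLOW_AS_LIST, asn) else "denied")
    print(audit_peers(ALLOW_AS_LIST, SUMMARY_OUTPUT))
    print("unanchored [123] vs 65514:", evaluate_aspath_list(AS123_ONLY, 65514))
```

The anchored pattern `^6551[2-3]$` only matches 65512 and 65513; both neighbors in the article's output pass the audit, and 65514 is rejected as the article states. The comparison with `as123_only` illustrates a point worth checking before using a pattern in production: `[123]` without `^` and `$` matches any AS number containing the digit 1, 2 or 3 (65514 included), while `^[123]$` matches only AS 1, 2 or 3.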