Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syao
Staff & Editor
Staff & Editor

Created on ‎07-24-2023 02:11 AM

Article Id 265347

Technical Tip: How to use a BGP AS-PATH list in Route-maps

Description This article describes how to filter BGP AS-PATH list with route-maps.
Scope FortiGate v6.4, v7.0, v7.2, or v7.4.
Solution

Consider the following network diagram:

BGP AS PATH.jpg

 

  • The FortiGate device is located in AS400 and has a peering connection with AS300.
  • AS300 is receiving the route 100.100.100.0/24 from AS100 and the route 200.200.200.0/24 from AS200.
  • The network administrator aims to apply a filter to block the routes advertised by AS100 while permitting all other routes using AS-PATH with route-maps.

Before applying the route-map:

 

get router info bgp neighbors 169.254.1.2 routes
VRF 0 BGP table version is 1, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 100.100.100.0/24 169.254.1.2 0 0 300 100 i <-/-> <-- Needs to be filtered
*> 200.200.200.0/24 169.254.1.2 0 0 300 200 i <-/->


To filter routes using AS-PATH with route maps on a FortiGate device, follow the steps below:

 

Step 1: Create an AS-PATH list to match routes originating from AS100.

 

config router aspath-list

edit "AS100"

config rule

edit 1

set action permit

set regexp "_100$"

next

end

next

end

 

Note: This step creates an AS-PATH list named 'AS100' and defines a rule that permits routes with AS-PATH ending in '_100'. This will match all the routes originated from AS100.

 

Step 2: Create a route map and reference the created AS-PATH list from Step 1.

 

config router route-ma

edit "RM_INBOUND"

config rule

edit 1

set action deny

set match-as-path "AS100"

next

edit 2

set action permit

next

end

next

end

 

Note: Rule id #1 is configured to deny routes that match the AS-PATH list 'AS100'. Rule id #2 is set to permit all other routes that do not match rule id #1.
 

Step 3: Apply the route map as an inbound filter for the BGP neighbor.

 

config router bgp

config neighbor

edit "169.254.1.2"

set route-map-in "RM_INBOUND"

next

end

end

 

Note: After applying the route-map, it may be necessary to perform an inbound refresh to update the BGP routing table.

 

After applying the route-map:

 

get router info bgp neighbors 169.254.1.2 routes
VRF 0 BGP table version is 1, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 200.200.200.0/24 169.254.1.2 0 0 0 300 200 i <-/1>

Total number of prefixes 1
6975
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.