FortiGate
fwilliams
Staff & Editor
Article Id 227873
Description

This article demonstrates how to redistribute static routes into BGP selectively, using a FortiGate router access list (ACL) called from a route-map.

Scope

FortiGate v6.4, v7.0, and v7.2.

Solution

Access lists are filters used by the FortiGate routing process: they select routes, not traffic, and are unrelated to firewall policies or address objects.

 

An ACL rule matches on the combination of prefix and mask ('IP & Mask'), so 10.0.0.0/8 and 10.0.0.0/16 are different entries and are not interchangeable.

A rule also has an 'exact-match' option. With 'set exact-match enable', a route matches the rule only if its prefix and mask are identical to the prefix and mask configured in the rule. With 'set exact-match disable', the rule matches that prefix and any more specific prefix contained in it (the same mask or a longer one).

 

For example, a rule for 10.0.0.0/8 with exact-match disabled matches 10.0.0.0/8 itself and any prefix inside it, from 10.0.0.0/16 or 10.1.2.0/24 down to a /32 host route; with exact-match enabled it matches only 10.0.0.0/8.

 

Exact-match enable is the default configuration (confirm on your build with 'show full-configuration router access-list'). To match more specific subnets with a single ACL rule, disable exact-match on that rule.

 

This article will use a demonstration setup with two FortiGates:

 

[Figure: topology diagram of the two FortiGates]

FortiGate-500D has five static routes that the administrator wants FortiGate-300E to reach through the 500D, with only selected routes being advertised. The two FortiGates are BGP peers in AS 65555.

 

To accomplish this, the following steps are taken:

 

Configure the access list (ACL) that permits only the static routes to be advertised.

 

[Screenshot: access-list configuration]

 

Reference the ACL from a route-map, since a route-map is the only filter that can be attached to 'redistribute static' under BGP (an access list cannot be called there directly).

 

[Screenshot: route-map configuration referencing the access list]

 

Configure 'redistribute static' under BGP and attach the route-map to it.

 

[Screenshot: BGP 'redistribute static' configuration with the route-map attached]

 

The result:

 

[Screenshot: resulting BGP table showing only the permitted static routes]