In certain network requirements, connections between FortiGates are controlled by OSPF redistribution. The following network topology interlinks FortiGate communication via OSPF routes with a redistributed default route and a static route enabled:

• External FortiGate port2 forms OSPF with port3 of FortiGate Edge.
• Internal FortiGate Port3 forms OSPF with FortiGate port5.

The following routing table is observed in all the FortiGates:

FortiGate External.

Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 10.11.102.1, port2, 02:09:20, [1/0]
C 10.11.102.0/24 is directly connected, port2
C 10.254.1.0/24 is directly connected, port1
O 192.168.0.0/24 [110/2] via 10.11.102.1, port2, 02:09:21, [1/0]
O 192.168.3.0/24 [110/3] via 10.11.102.1, port2, 00:07:46, [1/0]

FortiGate Edge.

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 203.0.113.254, port2, [1/0]
C 10.11.102.0/24 is directly connected, port3
C 10.254.1.0/24 is directly connected, port1
C 192.168.0.0/24 is directly connected, port4
C 192.168.3.0/24 is directly connected, port5
C 203.0.113.0/24 is directly connected, port2

FortiGate Internal.

Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 192.168.0.1, port2, 02:10:18, [1/0]
O 10.11.102.0/24 [110/2] via 192.168.0.1, port2, 02:10:19, [1/0]
C 10.254.1.0/24 is directly connected, port1
C 192.168.0.0/24 is directly connected, port2
C 192.168.3.0/24 is directly connected, port3

Under this configuration, if the network administrator wants to segregate management traffic (192.168.101.0/24) through port 3 on the FortiGate Internal interface, the subnet on the Internal FortiGate will not be able to communicate with the loopback IP (LO-EX) configured on the FortiGate External Interface. A static route will need to be configured on FortiGate Internal to route the traffic through port3 (192.168.3.2):

Configure route-map and access-list in FortiGate Internal to avoid the advertisement of 192.168.101.0/24 subnet:

• Access-list.

config router access-list

    edit "DoNotSend"

        config rule

            edit 1

                set prefix 192.168.101.0 255.255.255.0

                set exact-match enable

            next

        end

    next

end

• Route-map.

config router route-map

    edit "Exclude-NET"

        config rule 

            edit 1

                set action deny

                set match-ip-address "DoNotSend"

                unset set-ip-prefsrc

            next

            exit 2

                unset set-ip-prefsrc

            next

        end

    next

end

• Apply the route-map in OSPF configuration:

config router ospf

    config redistribute "static"

        set status enable

        set routemap "Exclude-NET"

    end

end

With this configuration, FortiGate Edge will see a single route to route 192.168.101.0/24 to FortiGate External:

Accessing FortiGate External Loopback IP is now possible from 192.168.3.2 configured on FortiGate Internal: