FortiGate
aishaqui
Article Id 295458


Description

This article explains why 'get router info bgp network x.x.x.x' shows output for a prefix even when that prefix does not match the route map used for redistribution.

For example, consider static routes configured on the FortiGate, one of which carries a tag (in this case 1122). Redistribution of static routes into BGP must be filtered based on that tag.


config router static
    edit 2
        set dst 1.2.3.0 255.255.255.0
        set gateway 10.9.15.254
        set distance 254
        set device "port17"
    next
    edit 3
        set dst 4.5.6.0 255.255.255.0
        set gateway 10.9.15.254
        set distance 254
        set device "port17"
        set tag 1122
    next
end

  • Create a route map as below:


FGT # config router route-map
    edit "match-tag"
        config rule
            edit 1
                set match-tag 1122
            next
            edit 2
                set action deny
            next
        end
    next
end


  • Use route map 'match-tag' in the BGP configuration:

FGT # config router bgp
    config redistribute "static"
        set status enable
        set route-map "match-tag"
    end
end


The output of 'get router info bgp network' shows only the prefix whose static route carries tag 1122 (in this case 4.5.6.0). It is also possible to confirm this by checking the routes learned on the remote BGP peer with the command 'get router info bgp neighbor x.x.x.x received-routes'.

FGT # get router info bgp network
VRF 0 BGP table version is 1, local router ID is 10.9.0.187
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight RouteTag Path
*> 4.5.6.0/24 10.9.15.254 32768 0 ? <-/1>

Total number of prefixes 1


But if 'get router info bgp network x.x.x.x' is run for a specific prefix, output is shown for every prefix, both those whose tag matches the route map and those whose tag does not.


FG1K5D-1 # get router info bgp network 1.2.3.0
VRF 0 BGP routing table entry for 1.2.3.0/24
Paths: (1 available, no best path)
  Not advertised to any peer
  Original VRF 0
  Local
    10.9.15.254 (inaccessible) from 0.0.0.0 (10.9.0.187)
      Origin incomplete, localpref 100, weight 32768, valid, sourced
      Last update: Wed Dec 31 19:00:00 1969

FG1K5D-1 # get router info bgp network 4.5.6.7
VRF 0 BGP routing table entry for 4.5.6.0/24
Paths: (1 available, best 1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   10.9.0.210
  Original VRF 0
  Local
    10.9.15.254 from 0.0.0.0 (10.9.0.187)
      Origin incomplete, tag 1122, localpref 100, weight 32768, valid, sourced, best
      Last update: Thu Jan 11 09:29:14 2024

Solution

This is expected behavior. The FortiGate displays output of 'get router info bgp network x.x.x.x' for a prefix even if it does not match the route map, but in that case the entry is marked 'inaccessible' and 'Not advertised to any peer', whereas the prefix that matches the route map clearly shows 'Advertised to non peer-group peers'.
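Because the per-prefix output is easy to misread, a small parser that extracts the fields that actually matter (the "Advertised to" peer list, the route tag and the inaccessible marker) is a practical way to audit that only tagged static routes are leaving the device. The following Python is an added example, not code from the article or from Fortinet; it runs over the two CLI captures shown above, embedded here as a constructed sample, and the field names and the audit verdicts are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the two 'get router info bgp network' captures from the article.
SAMPLE_OUTPUT = """\
FG1K5D-1 # get router info bgp network 1.2.3.0
VRF 0 BGP routing table entry for 1.2.3.0/24
Paths: (1 available, no best path)
  Not advertised to any peer
  Original VRF 0
  Local
    10.9.15.254 (inaccessible) from 0.0.0.0 (10.9.0.187)
      Origin incomplete, localpref 100, weight 32768, valid, sourced
      Last update: Wed Dec 31 19:00:00 1969

FG1K5D-1 # get router info bgp network 4.5.6.7
VRF 0 BGP routing table entry for 4.5.6.0/24
Paths: (1 available, best 1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   10.9.0.210
  Original VRF 0
  Local
    10.9.15.254 from 0.0.0.0 (10.9.0.187)
      Origin incomplete, tag 1122, localpref 100, weight 32768, valid, sourced, best
      Last update: Thu Jan 11 09:29:14 2024
"""


@dataclass
class BgpEntry:
    """One 'BGP routing table entry' block (field names are this example's own)."""
    prefix: str
    advertised_to: List[str] = field(default_factory=list)
    tag: Optional[int] = None
    best: bool = False
    nexthop_inaccessible: bool = False

    @property
    def advertised(self) -> bool:
        # A prefix is only really leaving the box if at least one peer is listed.
        return bool(self.advertised_to)


def parse_bgp_network_output(text: str) -> List[BgpEntry]:
    """Split the CLI output into entries and pull out the security-relevant fields."""
    entries: List[BgpEntry] = []
    cur: Optional[BgpEntry] = None
    collecting_peers = False
    for line in text.splitlines():
        m = re.match(r"VRF \d+ BGP routing table entry for (\S+)", line)
        if m:
            cur = BgpEntry(prefix=m.group(1))
            entries.append(cur)
            collecting_peers = False
            continue
        if cur is None:
            continue  # prompt lines before the first entry
        s = line.strip()
        if s.startswith("Advertised to"):
            collecting_peers = True  # peer addresses follow, one per line
            continue
        if collecting_peers:
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", s):
                cur.advertised_to.append(s)
                continue
            collecting_peers = False  # end of the peer list
        if "(inaccessible)" in s:
            cur.nexthop_inaccessible = True
        if s.startswith("Origin"):
            t = re.search(r"\btag (\d+)", s)
            if t:
                cur.tag = int(t.group(1))
            if re.search(r"\bbest\b", s):
                cur.best = True
    return entries


def audit_redistribution(entries: List[BgpEntry], required_tag: int) -> List[Tuple[str, str]]:
    """Flag prefixes whose advertised state disagrees with the tag-based policy."""
    findings = []
    for e in entries:
        tag_ok = e.tag == required_tag
        if e.advertised and not tag_ok:
            findings.append((e.prefix, "ADVERTISED_WITHOUT_MATCHING_TAG"))
        elif tag_ok and not e.advertised:
            findings.append((e.prefix, "TAGGED_BUT_NOT_ADVERTISED"))
        elif e.advertised:
            findings.append((e.prefix, "advertised"))
        else:
            findings.append((e.prefix, "filtered"))
    return findings


if __name__ == "__main__":
    for prefix, verdict in audit_redistribution(parse_bgp_network_output(SAMPLE_OUTPUT), 1122):
        print(f"{prefix:<16} {verdict}")
```

Run against the sample, the untagged 1.2.3.0/24 is reported as filtered (no peers listed, next hop marked inaccessible) and 4.5.6.0/24 as advertised to 10.9.0.210, which is the distinction the Solution section describes; the two upper-case verdicts are the ones worth alerting on, since they indicate the route map is not doing what the policy intends.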

