boneyard
Valued Contributor

routing prefix-list to deny all

To perform some tests safely on a FortiGate (FortiOS 6.4) doing BGP, I was trying to set up a prefix-list that denies all prefixes and apply it in the BGP neighbor section via set prefix-list-in / set prefix-list-out.

As a prefix-list contains an implicit deny at the end, I was expecting an "empty" one would be enough.

config router prefix-list
  edit "deny-all"
    set comments "deny all prefixes"
  next
end

But this doesn't deny anything until I add a rule for a dummy prefix with the deny action. Then it behaves like I wanted it to.

Anyone who knows / can confirm that a rule for a dummy prefix with deny action is required here?

Toshi_Esumi
Esteemed Contributor II

You have to match all prefixes by "set prefix any", otherwise it doesn't capture anything to "deny".

Below is ours, matching everything but "permit"-ing them. This one is used in our case to deny everything with a route-map referring to this prefix-list. In your case you need "set action deny" instead.

config router prefix-list
  edit "ALL-Routes"
    config rule
      edit 1
        set prefix any
        unset ge
        unset le
      next
    end
  next
end

Toshi

boneyard
Valued Contributor

Thanks Toshi, but isn't there an implicit deny for prefix any at the end of the prefix-list?

When I add some entry (say for 1.2.3.4 255.255.255.255) it will deny everything else, so then the implicit deny acts, right? But without any rules it doesn't filter, although the implicit deny should be there then, right?

Toshi_Esumi
Esteemed Contributor II

I don't think "implicit deny" is a correct term to describe a prefix-list's default behavior. It implicitly doesn't match anything unless you explicitly specify. "Implicit deny" is regularly used to describe the behavior of route-maps. Was it in any documentation you've read?

You just need to test it to verify the default behavior, of which you already found out half yourself.

Edit: The test result you've got is because if you create a prefix-list rule it's "permit" by default, as in my example. That's why the specific prefix was allowed but anything else was denied.

Toshi
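To make the difference concrete, here is an added configuration example (mine, not from the thread or from Fortinet documentation) showing the empty prefix-list that filters nothing next to an explicit deny-all list and its application to a BGP neighbor. The neighbor address 192.0.2.1 and remote AS 65001 are placeholders.

```fortios
# Added example, not from the thread. Neighbor IP and AS are placeholders.

# Filters nothing: a prefix-list with no rules matches no prefix, so the
# neighbor keeps receiving/advertising everything it did before.
config router prefix-list
    edit "deny-all-empty"
        set comments "no rules: does NOT deny anything"
    next
end

# Filters everything: one rule matching any prefix, with action deny.
config router prefix-list
    edit "deny-all"
        set comments "deny all prefixes"
        config rule
            edit 1
                set action deny
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

# Apply it in both directions on the neighbor (placeholder IP/AS).
config router bgp
    config neighbor
        edit "192.0.2.1"
            set remote-as 65001
            set prefix-list-in "deny-all"
            set prefix-list-out "deny-all"
        next
    end
end
```

The point of the first list is that it is a silent no-op: nothing warns you that a list without rules permits everything, so a "safety" filter built that way gives no protection. After applying the second list and resetting the session, confirm the result rather than assuming it: `get router info bgp neighbors 192.0.2.1 received-routes` and `get router info bgp neighbors 192.0.2.1 advertised-routes` should both come back empty.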

boneyard

>> I don't think "implicit deny" is a correct term to describe prefix-list's default behavior.

Yeah, that seems to be the case. I think I read this somewhere but don't have a source currently; perhaps it is a mix-up with route-maps.

I was looking for some confirmation and got that now, thank you.