Hello. I'm migrating configuration from a Juniper JSR4350 to a FortiGate 140D unit with BGP, and almost everything is working. My domains are available online with public IP class C addresses like X.Y.Z.0/24, but when I surf the internet, my IP is seen as the ISP interface on the router, like 2.0.0.162, not X.Y.Z.129. I was trying to add an IP pool with overload of one address, X.Y.Z.129, but my BGP is connected to a normal router and the connection is being disabled, so this is not working for me, but this is all about what I need: http://www.mylesgray.com/...policy-on-a-fortigate/
I think this could be related to NEXT_HOP or ROUTE_MAP, or routing table?
The routing goes like this:
BGP device X.Y.Z.190 = route dst X.Y.Z.0/24 next-hop X.Y.Z.129 FW device 10.0.0.1 = route dst 0.0.0.0 next-hop X.Y.Z.190
It looks like a routing loop? But it worked on Juniper
Thanks in advance, regards!
Qs:
- You mention BGP, but is this a SNAT related issue?
- Did you run diag debug flow?
- The networks you're advertising, do they show up on a route-server/looking-glass?
- The ippool that your SNAT uses, is it being advertised?
For the latter, you might have to define a loopback address and static the ippool /24s behind that interface. BGP will need the route in the local route-table in order to advertise it.
PCNSE
NSE
StrongSwan
emnoc wrote:
Qs:
- You mention BGP, but is this a SNAT related issue?
- Did you run diag debug flow?
- The networks you're advertising, do they show up on a route-server/looking-glass?
- The ippool that your SNAT uses, is it being advertised?
For the latter, you might have to define a loopback address and static the ippool /24s behind that interface. BGP will need the route in the local route-table in order to advertise it.
Hello! Thanks for quick reply.
1. Basically it is probably a SNAT issue. I've tried this: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11969&sliceId=1&d... but the network goes down, probably due to a routing loop?
BGP device X.Y.Z.190 = route dest X.Y.Z.0/24 next-hop X.Y.Z.129 FW device 10.0.0.1 = route dest 0.0.0.0 next-hop X.Y.Z.190
2. I did not run the diag debug flow, I'm reading the manual for now, can you send me the whole command and what to search?
3. The routing on FortiGate looks like this:
FG # get router info routing-table all | grep X.Y.Z.
B X.Y.Z.0/24 [20/0] is a summary, Null, 19:48:39
S X.Y.Z.0/26 [10/0] via X.Y.Z.129, port3
C X.Y.Z.128/26 is directly connected, port3
S X.Y.Z.240/29 [10/0] via X.Y.Z.129, port3
FG #
And this is my FG BGP configuration...:
config router bgp
set as 00000
set router-id X.Y.Z.190
set keepalive-timer 45
set holdtime-timer 120
set bestpath-med-missing-as-worst enable
set log-neighbour-changes enable
set graceful-restart enable
config aggregate-address
edit 1
set prefix X.Y.Z.0 255.255.255.0
set as-set enable
next
end
config neighbor
edit "3.3.3.33"
set description "ISP3"
set remote-as 33333
set send-community6 disable
set keep-alive-timer 45
set holdtime-timer 120
set connect-timer 60
set weight 50
next
edit "2.2.2.157"
set description "ISP2"
set remote-as 222222
set send-community6 disable
set keep-alive-timer 45
set holdtime-timer 120
set connect-timer 60
set weight 100
next
edit "1.1.1.161"
set next-hop-self enable
set description "ISP1"
set remote-as 11111
set send-community6 disable
set keep-alive-timer 45
set holdtime-timer 120
set connect-timer 60
set weight 250
next
end
config network
edit 1
set prefix X.Y.Z.0 255.255.255.0
next
end
config redistribute "connected"
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
set status enable
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
set graceful-stalepath-time 180
set graceful-update-delay 180
end
I think I'm missing something, maybe this SNAT as you said, but how to implement it if the network goes down... Also, maybe the route isn't advertised correctly? I can use X.Y.Z.0/24 on the Internet, but only the outgoing interface is not working with this address (X.Y.Z.129), and the SMTP server also (X.Y.Z.189). I land on a blacklist because the ISP interface address is being used.
This is my old configuration which is working correctly, but the device is too old :)
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.100.140.254/24;
}
}
}
ge-0/0/1 {
description INSITE;
unit 0 {
description INSITE_if;
family inet {
address X.Y.Z.190/26;
}
}
}
ge-0/0/2 {
description ISP2;
unit 0 {
description ISP2;
family inet {
address 2.2.2.158/30;
}
}
}
ge-0/0/3 {
description ISP1;
unit 0 {
description ISP1;
family inet {
address 1.1.1.162/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
}
routing-options {
static {
route X.Y.Z.0/26 next-hop X.Y.Z.129;
route 10.0.0.0/8 next-hop 10.100.140.1;
route X.Y.Z.240/29 next-hop X.Y.Z.129;
}
aggregate {
route X.Y.Z.0/24;
}
router-id X.Y.Z.190;
autonomous-system XXXXX loops 1;
}
protocols {
bgp {
accept-remote-nexthop;
group NETIA {
type external;
export [ R_PUB_POLICY REJECT_ALL ];
neighbor 1.1.1.161 {
peer-as 11111;
}
}
group MULTIPLAY {
type external;
export [ R_PUB_POLICY REJECT_ALL ];
neighbor 2.2.2.157 {
peer-as 222222;
}
}
}
}
policy-options {
prefix-list R_PUB {
X.Y.Z.0/24;
}
policy-statement R_PUB_POLICY {
from {
protocol aggregate;
prefix-list R_PUB;
}
then accept;
}
policy-statement REJECT_ALL {
then reject;
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
http;
https;
ssh;
telnet;
dhcp;
}
}
}
ge-0/0/1.0;
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
}
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy ban-ntp {
match {
source-address any;
destination-address any;
application [ junos-nntp junos-ntp junos-ms-sql ];
}
then {
deny;
}
}
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy ban-ntp {
match {
source-address any;
destination-address any;
application [ junos-ntp junos-nntp junos-ms-sql ];
}
then {
deny;
}
}
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}
}
}
1st let's start by seeing what you're sending via BGP. The distribution of BGP is one thing, the SNAT is another ( ip pools ).
So are you sending the prefix that contains the nat-pool ?
get router info bgp neighbors
get router info bgp network
diagnostic reset
diagnose ip router bgp events < insert ipv4 address/prefix>
diagnostic enable
If that looks good, run the diagnostic flow command against one host that is sending traffic that should be SNAT
diag debug dis
diag debug reset
diag debug flow filter addr <x.y.x.x>
diag debug flow show console enable
diag debug enable
diag debug flow trace start 100
Now start some traffic and review and capture the output.
When done reset diagnostics
diag debug disable
diag debug reset
Start with the above. I'm assuming the summary route in your route-table is the prefix you're sending and covers the ip-pool range?
PCNSE
NSE
StrongSwan
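As an added example (not code from the thread or from Fortinet), a small Python check that mechanises the three questions raised above for a SNAT / IP-pool address: does it have a forwarding route in the local table (a Null summary route does not count), is it covered by an advertised prefix, and is it actually the ISP interface address. It assumes constructed sample values: 203.0.113.0/24 (TEST-NET-3) stands in for the redacted X.Y.Z.0/24 and 2.0.0.162 for the ISP interface, with routing-table lines modelled on the output shown earlier in the thread.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's "get router info routing-table all"
# output, with 203.0.113.0/24 (TEST-NET-3) standing in for the redacted X.Y.Z.0/24.
ROUTING_TABLE = """\
B       203.0.113.0/24 [20/0] is a summary, Null, 19:48:39
S       203.0.113.0/26 [10/0] via 203.0.113.129, port3
C       203.0.113.128/26 is directly connected, port3
S       203.0.113.240/29 [10/0] via 203.0.113.129, port3
"""
# Prefixes the FortiGate originates ("config network" / "config aggregate-address").
ADVERTISED = ["203.0.113.0/24"]
# Constructed stand-in for the ISP-facing interface address seen on the Internet.
ISP_INTERFACE_IPS = {"2.0.0.162"}

ROUTE_RE = re.compile(r"^([A-Z])\s+(\S+/\d+)\s+(.*)$")


def parse_routes(text):
    """Return (protocol, network, detail) tuples from routing-table output lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            proto, prefix, detail = m.groups()
            routes.append((proto, ipaddress.ip_network(prefix, strict=False), detail))
    return routes


def check_snat_address(addr, routing_table=ROUTING_TABLE, advertised=ADVERTISED):
    """Check a SNAT / IP-pool address: forwarding route present (Null summary
    does not count), covered by an advertised prefix, and not the ISP interface."""
    ip = ipaddress.ip_address(addr)
    covering = [r for r in parse_routes(routing_table) if ip in r[1]]
    # Longest-prefix match, as the router itself would select.
    best = max(covering, key=lambda r: r[1].prefixlen, default=None)
    forwarding = best is not None and "Null" not in best[2]
    adv = any(ip in ipaddress.ip_network(p, strict=False) for p in advertised)
    return {
        "best_route": None if best is None else f"{best[0]} {best[1]} {best[2]}",
        "has_forwarding_route": forwarding,
        "advertised": adv,
        "is_isp_interface": str(ip) in ISP_INTERFACE_IPS,
    }
```

An address that lands only on the Null summary (for example 203.0.113.200 in the sample table) is advertised but has no forwarding route, which is the case the loopback-plus-static suggestion above addresses.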
emnoc wrote:
1st let's start by seeing what you're sending via BGP. The distribution of BGP is one thing, the SNAT is another ( ip pools ).
So are you sending the prefix that contains the nat-pool ?
get router info bgp neighbors
get router info bgp network
diagnostic reset
diagnose ip router bgp events < insert ipv4 address/prefix>
diagnostic enable
If that looks good, run the diagnostic flow command against one host that is sending traffic that should be SNAT
diag debug dis
diag debug reset
diag debug flow filter addr <x.y.x.x>
diag debug flow show console enable
diag debug enable
diag debug flow trace start 100
Now start some traffic and review and capture the output.
When done reset diagnostics
diag debug disable
diag debug reset
Start with the above. I'm assuming the summary route in your route-table is the prefix you're sending and covers the ip-pool range?
Thank you for a quick learning guide, I will do this, but basically I disabled the NAT on the policy LAN->WAN and it started to work! This post: https://forum.fortinet.co...p;m=128453&mpage=1