Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
laf
New Contributor II

BGP on Fortigate

We have a cluster of two 110C running Virtual Clustering A-P. We run the BGP protocol on one VDOM called BGP. We use this VDOM only for routing, while the other VDOM, root, is used for firewall and content inspection. We run eBGP with two ISPs:

1. name: DialTelecom
   mode: static
   ip: 188.209.a.b 255.255.255.252
   status: up
   netbios-forward: disable
   type: vlan
   mtu-override: disable
   wccp: disable
   sflow-sampler: disable
   explicit-web-proxy: disable

2. name: Euroweb
   mode: static
   ip: 89.238.m.n 255.255.255.252
   status: up
   netbios-forward: disable
   type: vlan
   mtu-override: disable
   wccp: disable
   sflow-sampler: disable
   explicit-web-proxy: disable

As we speak the default route is originated from DialTelecom:

get router info routing-table bgp
B* 0.0.0.0/0 [20/0] via 188.209.a.c, DialTelecom, 2d14h24m

The issue I have is that I cannot ping the public IP address of the Euroweb interface from sources whose (return) traffic leaves the Fortigate using the DialTelecom interface. Here is a packet capture for 5 echo-requests:

41.882077 Euroweb in 85.204.227.242 -> 89.238.a.b: icmp: echo request
43.881365 Euroweb in 85.204.227.242 -> 89.238.a.b: icmp: echo request
45.886258 Euroweb in 85.204.227.242 -> 89.238.a.b: icmp: echo request
47.891378 Euroweb in 85.204.227.242 -> 89.238.a.b: icmp: echo request
49.896304 Euroweb in 85.204.227.242 -> 89.238.a.b: icmp: echo request

Packets arrive on the Euroweb interface and, according to the routing table (0.0.0.0/0), should leave on the DialTelecom interface, but it doesn't work!
I mention that I enabled asymmetric routing:

ClassIT-EW (BGP) # get sys set
comments : Routing only
opmode : nat
bfd : disable
utf8-spam-tagging : enable
wccp-cache-engine : disable
vpn-stats-log :
vpn-stats-period : 0
v4-ecmp-mode : source-ip-based
asymroute : enable
strict-src-check : disable
asymroute6 : disable
per-ip-bandwidth : enable
sip-helper : enable
sip-nat-trace : enable
status : enable
sip-tcp-port : 5060
sip-udp-port : 5060
sccp-port : 2000
multicast-forward : disable
multicast-ttl-notchange: disable
allow-subnet-overlap: disable
ecmp-max-paths : 10

I run version 4.0 MR2 patch 8.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

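The situation in the post above (echo request enters on Euroweb, the reply is routed by the default route out DialTelecom) is the textbook reverse-path case: whether the reply is even allowed to leave depends on how the device checks the source of the incoming packet against its routing table. As an added illustration, not code from this thread or from Fortinet, the following Python model does longest-prefix-match lookup over a routing table shaped like the one posted (two connected /30 WAN links and a single default route via DialTelecom) and applies a strict, loose or disabled reverse-path check. The /30 addresses are constructed because the thread masks them; the probe source 85.204.227.242 is the one from the capture. It models the generic mechanism only, not FortiOS's actual forwarding code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    nexthop: Optional[str]  # None for directly connected routes

# Constructed routing table modelled on the thread: two /30 WAN links and one
# default route learned from DialTelecom. Masked octets are replaced with
# made-up values (188.209.1.x and 89.238.1.x are assumptions, not real data).
ROUTES = [
    Route(ipaddress.ip_network("188.209.1.0/30"), "DialTelecom", None),
    Route(ipaddress.ip_network("89.238.1.0/30"), "Euroweb", None),
    Route(ipaddress.ip_network("0.0.0.0/0"), "DialTelecom", "188.209.1.1"),
]

# The device's own WAN addresses (constructed, ".2 is our side").
LOCAL_ADDRS = {"188.209.1.2", "89.238.1.2"}

def lookup(dst: str, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def reverse_path_check(src: str, ingress: str, mode: str, routes=ROUTES) -> bool:
    """Decide whether a packet from src arriving on ingress is accepted.

    mode: "strict"   - the route back to src must point at the ingress interface
          "loose"    - any route back to src is enough
          "disabled" - no check at all (asymmetric paths tolerated)
    """
    if mode == "disabled":
        return True
    route = lookup(src, routes)
    if route is None:
        return False          # no way back to the source at all
    if mode == "loose":
        return True
    if mode == "strict":
        return route.iface == ingress
    raise ValueError(f"unknown mode {mode!r}")

def trace_echo(src: str, dst: str, ingress: str, mode: str) -> dict:
    """Model one echo request in and the echo reply out; return a summary."""
    accepted = reverse_path_check(src, ingress, mode)
    reply_route = lookup(src) if accepted else None
    return {
        "to_local": dst in LOCAL_ADDRS,                 # ping aimed at the box itself
        "accepted": accepted,                           # did the ingress check pass
        "reply_iface": reply_route.iface if reply_route else None,
        "asymmetric": bool(reply_route) and reply_route.iface != ingress,
    }

if __name__ == "__main__":
    # Probe from the thread's source, hitting the Euroweb-side address.
    for mode in ("strict", "loose", "disabled"):
        print(mode, trace_echo("85.204.227.242", "89.238.1.2", "Euroweb", mode))
```

Running it shows why a source reached only via the default route is the interesting case: the route back to 85.204.227.242 is the default via DialTelecom, so a strict check on the Euroweb ingress rejects the request outright, while loose or disabled checking accepts it and produces exactly the asymmetric in-Euroweb/out-DialTelecom flow the post describes. When debugging a case like this, confirming which of these three behaviours the platform actually applies (and logging the drop when it is the strict one) is the first thing to establish.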
9 REPLIES
emnoc
Esteemed Contributor III

Are you specifying the WAN interface it's connected to, or is that ip_address 85.204.227.242? I think you kind of answered your own question with the following:
As we speak the default route is originated from DialTelecom:
get router info routing-table bgp
B* 0.0.0.0/0 [20/0] via 188.209.a.c, DialTelecom, 2d14h24m
In your setup, how are you receiving routes from both upstreams (partial, full, single default route?)? Have you validated that the network you're sourcing from is being sent to Euroweb? Have you queried any RIPE route-servers/looking-glass for routing information? Or validated that Euroweb has your 85.204.224.0/20 prefix in its route table, or whatever prefix you're sending? I would start at minimum with RIPE RIS, http://www.ripe.net/data-tools/stats/ris/routing-information-service, and validate that the routing information is present within the Euroweb router database.

PCNSE 

NSE 

StrongSwan  

laf
New Contributor II

Hello, I receive about 15k prefixes from both ISPs and I advertise ONLY my /24 prefix to both ISPs with no extra configuration (BGP free decision). 85.204.227.242 is an IP address located somewhere on the Internet, from where I ran tests. I pinged the Euroweb interface and the packets arrived on the Fortigate on the Euroweb interface. Now on their way back they have to use the default route originated by Dial. As I disabled asymmetric routing I believe it should return, but it doesn't happen this way. Many thanks, laf.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

emnoc
Esteemed Contributor III

When you say ping the Euroweb interface, isn't this a directly connected ip_address? If yes, then the default route out through DialTelecom would not be a factor? Also, you mentioned earlier, and I quote:
I mention that I enabled asymmetric routing:
and now you have disabled this. Asymmetric routing is going to be required due to the nature of your traffic and the 2 upstream uplinks, where any one of these could be the path for the returned traffic.
Now on their way back they have to use the default route originated by Dial. As I disabled asymmetric routing I believe it should return, but it doesn't happen this way.
Not correct, you can't control how the internet returns traffic to YOU. Your default route is just a catch-all for traffic leaving your network. Bottom line: does the problem go away when you have asymmetric routing enabled?

PCNSE 

NSE 

StrongSwan  

laf
New Contributor II

Asymmetric routing is enabled, and has been for the last two months, and I won't disable IT. I ping from whatever source to the IP_address of one interface. If the source I ping FROM is PREFERRED on the return to go out through the other interface, it doesn't work. Didn't you meet with the same behavior? (Do you have any working BGP scenario on Fortigate?)

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

emnoc
Esteemed Contributor III

Yes, plenty of BGP experience with firewalls & routers. You still haven't answered the question: what are you trying to ping? Is it part of the directly connected network? Is it the remote eBGP peer? Draw a map of what you're doing or trying to accomplish.

PCNSE 

NSE 

StrongSwan  

laf
New Contributor II

I want to ping the public IP assigned to one of my interfaces. This IP is also one end of one of the two eBGP peerings; BGP is running between the Fortigate and the ISP. ISP A --> Euroweb_interface (Fortigate), ISP B --> DialTelecom_interface (Fortigate). The routing table is using the DialTelecom interface right now:

B* 0.0.0.0/0 [20/0] via 188.209.a.c, DialTelecom, 4d4h24m

Packets arrive from 5 hops away on the Euroweb interface with source 85..... and, according to the routing table on the appliance, they should leave on the other interface (DialTelecom); but they get stuck. Both the Euroweb and DialTelecom interfaces are bound into a zone called Internet. For this zone there is no check to block inter-zone traffic:

config system zone
    edit "Internet"
        set interface "DialTelecom" "Euroweb"
        set intrazone allow
    next
end

So packets should move from the Euroweb interface to the DialTelecom interface with no problems. But according to the sniffer nothing more happens.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

emnoc
Esteemed Contributor III

Packets arrive from 5 hops away on the Euroweb interface with source 85..... and, according to the routing table on the appliance, they should leave on the other interface (DialTelecom); but they get stuck.
Okay, clearer (I think), so you have an FGT with 2 WAN interfaces doing eBGP to 2 different ISPs, but only receiving one default route. For all purposes, since you're cryptic in your ip_address information, here's my scenario:

eBGP peer 188.209.1.1 - .2 (DialTelecom)
eBGP peer 77.77.1.1 - .2 (Euroweb)

Note: in both cases .2 is your side, the Fortigate device ip_address for WAN interfaces 1 & 2 respectively. So you're trying to ping 77.77.1.2 and hope that the response goes back through DialTelecom? Are these assumptions correct up to this point?

Q1: Does DialTelecom allow for distribution of provider #2's network space? Can you check a looking glass to see how the destination network looks within that looking-glass, and the as_path hops for that network?

Q2: Also, what happens if you ping the network (prefix) that you're advertising to ISP #1 & #2? (The assumption is you're sending your /24 to both providers.) Does that work?

This could be something as simple as provider #1 & #2 not knowing about each other's networks (your WAN interface addresses), and I don't think zone pairs are going to magically migrate packets in that shape or fashion, nor should they be used in that fashion. Also, intrazone allow doesn't work in that fashion either; it would be for any traffic from within the zone pair, e.g. DialTelecom to Euroweb, or Euroweb to DialTelecom. In the case you're describing, you want to use the other WAN interface (DialTelecom) as transit to the internet. And, for the obvious, make sure ICMP is allowed in allowaccess for both wan1 & 2. Outside of that, you have a very strange setup and scenario. If Euroweb has a looking glass, I would like to see what your pings and traceroutes look like to each public address: http://lg.euroweb.ro/

PCNSE 

NSE 

StrongSwan  

laf
New Contributor II

Hello, your 3 assumptions are right. Q1: why would it matter whether or not the 1st ISP advertises the 2nd ISP's prefix? Most probably they would do it, but in my case I have the prefix directly connected. Q2: the /24 prefix I advertise through both ISPs is advertised by both ISPs and can be accessed via both, ONLY if I ENABLE asymmetric routing. Finally, the setup isn't unusual at all, it is just a classic two-ISP scenario. If the Fortigate would behave LIKE a router there would not be any issues. I started a ticket and hope by Easter it will be solved!

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

emnoc
Esteemed Contributor III

On Q1, without seeing their BGP policy they might not accept that prefix; you can query any looking-glass or route-server to verify. E.g. if you don't see ISP #2's network prefix in the path of ISP #1, then it's safe to assume it's being dropped. On the unusual, I disagree, and your last statement is the reason why. Let routers do BGP routing and let firewalls do just that: firewalling/inspection/security. As you can see, issues are more unusual in their function and operation when using BGP on firewalls. FWIW, I always try to terminate my internet uplinks on a router device and then inject a default route into the boundary firewall through OSPF, and the local LAN into OSPF, so that the BGP speakers receive whatever networks you're distributing to the internet. Simpler and less frustration. Most other organizations that I consult for do exactly the same. Another advantage of this approach: if you later decide to add physical redundancy, it's much easier (i.e. active-passive firewall, dual internet uplink routers, etc.). Let us know what Fortinet support says about the issue at hand. And I would like to see what they say about intrazone and the use of zone pairs with packet sources from one WAN going out the other.

PCNSE 

NSE 

StrongSwan  
