As suggested by my contacts within Fortinet, I'm posting this on the community page as well.
In a network that is fully leveraging BGP for any routing decisions by matching (extended) community strings, it would be nice if the community string was able to control which firewall rule gets applied to traffic as well.
Since Customer traffic is already tagged using extended communities, it would be trivial to add an additional community string in the provisioning template on the PE routers. This community string is then propagated using BGP across the backbone towards a FortiGate cluster. FortiGate reads the community string and adds the received prefix to an object (e.g.: Address objects) and traffic will be handled as determined by rules/policies setup for said object. To illustrate:
FortiOS can already assign users/addresses dynamically using the Radius SSO feature, but it cannot do this based on BGP (extended) communities at this time.
The current suggestion from Fortinet is to use an "external connector", which can analyze BGP community strings and create address lists. The connector then provides the list of addresses to the FortiGate (API/CLI).
Has anyone tried using BGP attributes to selectively assign firewall rules/policies? If yes, how did you achieve this?
Edit: If you also want this as a feature in FortiOS, give this post a thumbs-ups.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Would that work? Using a seperate prefix list for local subnets and then the WAN_IN to deny the default route from other DCs into the other DCs. We are running BGP on some links between DC so I was wary about accepting all routes from each DC as the P2P should be better performing.
I see no reason why you wouldn't be able to use the same method to control traffic from WAN as well, either using the same community string or using an additional one. It might need a bit more thought if you are employing NAT with Virtual IP objects to provide Outside-to-Inside rules.
Rejecting, accepting or modifying routes (either the default or specific prefixes) from various locations is already possible in FortiGates - the route-map feature already allows matching on BGP attributes, such as community strings.
The benefit of being able to use community strings to dynamically create an object for use in firewall policies would be that it improves scalability of the network and make it much more dynamic, as you no longer need to define or update prefix-lists with new IP ranges (either manual or through automation). This is especially practical in global networks where the user/customer may be mobile and move from location to location.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.