Firewall Policy not honoring BGP learned routes

EM_Fortiuser · ‎05-22-2025

I have two sites broadcasting there available newtorks via bgp over a site to site connection. When I do a firewall policy test the remote system, it gives my default outbound policy vs the Firewall rules I have already established.

BGP Neighbors

BGP Paths

So none of my site to site policies match when I do the test policy function.

I am sure I am missing something but dont know what.

Thanks in advance

Anthony_E · ‎05-25-2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

Yurisk · ‎05-25-2025

Sorry, but I haven't understood a thing from your post - what are you trying to achieve, what have you configured, and how you see something is not working?

BGP does not advertise routes ? Routes advertised but not being installed in FIB? There is no such thing "default outbound policy" in Fortigate. Fortigate will not create security rules based on BGP routes or BGP-anything.

It would be best to start by sharing sanitized configuration of what you are trying to do.

Cheers

https://yurisk.info

EM_Fortiuser · ‎05-27-2025

Basically I have a site to site connection and I am trying to leverage BGP instead of static routing between the sites. I have BGP working and each side can see the advertised routes but when I do a route lookup or policy check the route isnt going to the site to site vpn connection. It goes to the default outbound policy I have setup.

funkylicious · ‎05-27-2025

can you share the routing table on the device in question?

a bgp advertised route doesnt necessarily mean a preferred/installed route on the other end.

get router info routing-table all

get router info routing-table database

"jack of all trades, master of none"

EM_Fortiuser · ‎05-27-2025

fgt # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172, port1, [1/0]
S 172 [10/0] via 172, port2, [1/0]
C 172 is directly connected, port1
C 172 is directly connected, port2
B 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B 192 [200/0] via 66 (recursive via 172, port1), 3d08h26m, [1/0]
B 192 [200/0] via 66 (recursive via 172, port1), 3d08h26m, [1/0]

fgt # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via 172, port1, [1/0]
S *> 172 [10/0] via 172, port2, [1/0]
C *> 172 is directly connected, port1
C *> 172 is directly connected, port2
B *> 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B *> 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B *> 192 via 66 (recursive via 172, port1), 3d08h26m, [1/0]
B *> 192 [200/0] via 66 (recursive via 172, port1), 3d08h26m, [1/0]

EM_Fortiuser · ‎05-27-2025

fgt # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172, port1, [1/0]
S 172 [10/0] via 172, port2, [1/0]
C 172 is directly connected, port1
C 172 is directly connected, port2
B 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B 192 [200/0] via 66 (recursive via 172, port1), 3d08h26m, [1/0]
B 192 [200/0] via 66 (recursive via 172, port1), 3d08h26m, [1/0]

fgt # get router info routing-table database
S *> 0.0.0.0/0 [10/0] via 172, port1, [1/0]
S *> 172 [10/0] via 172, port2, [1/0]
C *> 172 is directly connected, port1
C *> 172 is directly connected, port2
B *> 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B *> 192 [200/0] via 192 (recursive via 172, port1), 3d08h26m, [1/0]
B *> 192 via 66 (recursive via 172, port1), 3d08h26m, [1/0]
B *> 192 [200/0] via 66 (recursive via 172, port1), 3d08h26m, [1/0]

Yurisk · ‎05-27-2025

I see, then I\d start with:

See if all peers are in Established state: get router info bgp summary/get router info bgp neighbors
See if there are any BGP learned routes: get router info routing-table bgp
Make sure you are receiving routes from BGP peers: get router info bgp neighbors x.x.x.x routes and sending routes get router info bgp neighbors x.x.x.x advertised-routes
Finally, if all above works, see if BGP routes are learned but not installed into FIB: get router info routing database - if you see BGp routes without the * (asterisk) means local FGT learns the routes but for some reason (should be shown as well) does not install them into FIB (like unresolved next hop, or you have static routes to the same networks etc)

https://yurisk.info

EM_Fortiuser · ‎05-27-2025

Both neighbors shows established. As you can see from my other post above its routing out port1 (wan) but not over the Site to Site

Yurisk · ‎05-27-2025

Do you have static routes to the same networks advertised via BGP configured ?

https://yurisk.info

Firewall Policy not honoring BGP learned routes

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website