dditahi
New Contributor

Forti Manager - BGP Prefix Lists ge / le buggy?

Hi there,
we are working with multiple IPv4 subnets in the area 10.98.0.0/19 but we're configuring them on multiple interfaces as multiple networks with subnet length 26.

I'd like to add a filter to the prefix list - In Bird2 you can work with greater than equal or less than equal like 10.98.0.0/16{26,26}

I tried the same on forti manager, I've added an entry to the prefix list and entered 26 as prefix length in both greater than and less than. But it throws an error:

Screenshot 2025-12-01 111100.png

I don't quite understand, as it keeps telling me "Greater than" must be greater than prefix (met) and less than or equal to "less than" (which is met as it's equal to it)...

What am I missing?

funkylicious
SuperUser

hi,

please have a read at https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-combine-operators-ge-and-le-in-pref... 

in your prefix-list, you have already specified the /26 mask, therefore ge 26 and le 26 doesn't make any sense.

if you desire only the /26 mask then leave le/ge blank since specify ( equal ) is already selected, otherwise use a longer ( /19 ) subnet/prefix and follow the example in the KB.

"jack of all trades, master of none"
dditahi
New Contributor

Thanks - but I have multiple prefixes /26 in the range 10.98.0.0/20

means: 10.98.0.0/26, 10.98.0.64/26, 10.98.0.128/26, 10.98.0.192/26, ... (there are in summary around 40 small networks)

How can I allow it to accept any route that meets this criteria, meaning if it's in 10.98.0.0/20 and it's a /26, accept it.

Hence - if I set only ge 26 I also allow networks announced as /25, /24, /23, /22, /21, /20 - and if I set only le then I also allow /32, /31, /30, /29, /28, /27.

And if I leave these empty to just say 10.98.0.0/26 it's only this one subnet.

funkylicious

10.98.0.0/20 le 27 ge 26 should get you what you want.

L.E. or try 10.98.0.0/20 le 26 ge 26

"jack of all trades, master of none"
Toshi_Esumi
SuperUser

I think you're thinking of 'ge' and 'le' in the opposite direction. ge 26 = /26+/27+/28+/29+/30+/31+/32.
The CLI guide says below:

ge - Minimum prefix length to be matched. integer. Minimum value: 0 Maximum value: 32
le - Maximum prefix length to be matched. integer. Minimum value: 0 Maximum value: 32

And those GUI's descriptions are not accurate. They're "greater or equal" and "less or equal" just like Cisco's.
If you want to block those other than /26s, you might need to have two clauses. 

edit 1
  set action deny
  set prefix 10.98.0.0/20
  set ge 27
  unset le
next
edit 2
  set action permit
  set prefix 10.98.0.0/20
  set ge 26
  unset le
next

You can easily translate this to GUI.

Toshi
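
The rule sets proposed in this thread, checked against a few constructed routes. This is an added example, not part of any post and not Fortinet code. It assumes the Cisco-style semantics quoted from the CLI guide above (ge = minimum length, le = maximum length, no bounds = exact match), first matching rule wins, and an implicit deny at the end. It models matching only, not which ge/le combinations FortiManager's input validation accepts.

```python
import ipaddress

def rule_matches(route, prefix, ge=None, le=None):
    """True if `route` falls inside `prefix` and its length is within the ge/le bounds."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    if not route.subnet_of(prefix):          # route must lie inside the rule's prefix
        return False
    if ge is None and le is None:            # no bounds: exact prefix length only
        return route.prefixlen == prefix.prefixlen
    lo = prefix.prefixlen if ge is None else ge      # ge = minimum prefix length
    hi = route.max_prefixlen if le is None else le   # le = maximum prefix length
    return lo <= route.prefixlen <= hi

def evaluate(route, rules):
    """First matching rule decides; assumed implicit deny when nothing matches."""
    for action, prefix, ge, le in rules:
        if rule_matches(route, prefix, ge, le):
            return action
    return "deny"

def permitted(rules, routes):
    return [r for r in routes if evaluate(r, rules) == "permit"]

# Constructed sample announcements (not taken from a real routing table).
ROUTES = ["10.98.0.0/26", "10.98.0.64/26", "10.98.15.192/26", "10.98.0.0/24",
          "10.98.0.0/20", "10.98.0.0/27", "10.98.0.1/32", "10.98.16.0/26"]

# Rules as (action, prefix, ge, le); None means the option is unset.
TWO_CLAUSE = [("deny", "10.98.0.0/20", 27, None),     # edit 1: drop /27../32
              ("permit", "10.98.0.0/20", 26, None)]   # edit 2: what is left is /26
SINGLE_RULE = [("permit", "10.98.0.0/20", 26, 26)]    # "10.98.0.0/20 le 26 ge 26"
GE_ONLY = [("permit", "10.98.0.0/20", 26, None)]      # ge alone also lets /27../32 in
EXACT = [("permit", "10.98.0.0/26", None, None)]      # matches one subnet only

if __name__ == "__main__":
    for name, rules in [("two-clause", TWO_CLAUSE), ("single rule", SINGLE_RULE),
                        ("ge only", GE_ONLY), ("exact", EXACT)]:
        print(f"{name:12} permits {permitted(rules, ROUTES)}")
```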
