- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiGate BGP Route leaks
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate BGP Route leaks
Hi, I am hoping someone may be able to help. I currently have BGP peers set up for the Internal network and then the DMZ, separate VRFs in the DC but same VRF on the FortiGate.
Servers in the DMZ currently can’t access the internal networks because they are not learning the routes so I need to leak the learned routes from the Internal BGP peers so traffic coming from the DMZ knows which way to route via the FortiGate.
I can see the DMZ traffic hitting the DMZ interface but then not traversing the firewall. IPv4 policies are in place.
I’ve been reading forums and the advice is route-maps but unsure how to go about this.
Any help would be greatly appreciated.
showbox speed test
Labels:
- Labels:
-
FortiGate
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Adrian, so I would still be in the situation that I would have to specify every route that should be passed from the Internal VRF to the DMZ VRF in a route-map as it would show in the routing table so each subnet, not able to just allow all to be leaked.
At the moment I have the peers configured but no route-maps. Would you be able to show the examples of the route-maps please?
Adam
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
Well, with the route-maps you can do whatever you want. In prefix-list used in route-map you can either list of the prefixes you want to use or you can use keyword any and it should leak all routes from one VRF to another.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Adrian, I shall have a look at how I configure the route-maps based on my configuration without VRFs on the FortiGate and then creating those route-leaks between Internal and DMZ and then the default route from External to DMZ.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, why do you need to separate both sides with FGT's VRFs? Are there any route overlaps between them? Generally policies are the ones isolate DMZ from internal and external network.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi,
Unsure whether this question is aimed at me but at the moment I don't have VRFs created on the FortiGate. I have VRFs configured on our ACI DC infrastructure that then connect into the FortiGate. This is where I then need to allow routes to traverse the FortiGate so the DMZ knows to route traffic internally and everything else via the Internet. I'm trying not to create VRFs on the FortiGate as well, just allow the DMZ servers to learn where to send the traffic.
Adam
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see I misunderstood your original statement. So from FGT's view it's get a plain IP (or vlan tagged) packets from outside. Then this design has nothing to do with VRF at all.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not on the VRF No. Different VLANs (on the FortiGate) providing access to specific networks with routes being learned via BGP Peers.
I just need the DMZ servers to learn all the routes the FortiGate is learning from "10.9.4.17" [Internal Peer] and "10.9.4.18" [Internal Peer] and then learn the default route via "26.98.214.220" [External Peer] and "26.98.214.221" [External Peer].
Still trying to get my head around exactly how I configure this and I'm really trying not to just set up static routes with local preference when we're using BGP for resilience everywhere else.
Adam
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are these iBGP or eBGP peers? If eBGPs each other, all routes coming from one side will be forwarded to all other neighbors. So I'm assuming you set the same ASN for iBGP, which would cause this kind of situation if those "DMZ" peer and "internal" peers don't be neighboring directly each others in mesh. You need to use eBGP.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Toshi, I didn't specify iBGP or eBGP, just used the BGP GUI to set up the peers so I assume the default is iBGP. Is there a way of changing the default so then all the current settings will switch to eBGP?
Adam
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For BGP config, GUI is very limited. We almost always have to configure in CLI. Most of the config is under "config router bgp" except route-maps, prefix-list and community-list. First check what's in there to see how its own ASN and neighbors' are configured. "show" will show you all once you got in the config router bgp. Then you can adjust the ASNs. But you have to change them on the peer sides as well.
Related Posts
- Decommissioning a FG 200D and migrating... 74 Views
- Dual ISP SD-WAN load balancing and... 109 Views
- Manage FortiGate from FortiManager 162 Views
- SD-WAN problem Fortimanager 184 Views
- Azure vnet-vnet traffic via FGT A/P... 241 Views
Labels
-
FortiGate
6,909 -
FortiClient
1,364 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
435 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
278 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
120 -
FortiGuard
110 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
82 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
FortiConverter
21 -
ZTNA
20 -
DNS
18 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiCASB
13 -
FortiDDoS
13 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiBridge
7 -
WAN optimization
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 820 | |
| 446 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.