smorty11
New Contributor

FortiGate BGP Route leaks

Hi, I am hoping someone may be able to help. I currently have BGP peers set up for the Internal network and then the DMZ, separate VRFs in the DC but same VRF on the FortiGate.

Servers in the DMZ currently can’t access the internal networks because they are not learning the routes so I need to leak the learned routes from the Internal BGP peers so traffic coming from the DMZ knows which way to route via the FortiGate.

I can see the DMZ traffic hitting the DMZ interface but then not traversing the firewall. IPv4 policies are in place.

I’ve been reading forums and the advice is route-maps but unsure how to go about this.

Any help would be greatly appreciated.

akristof
Staff

Hello,

Thank you for your question. You can check this kb:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Route-leaking-between-VRFs/ta-p/198702

It will show you how you can leak routes between VRFs. I think you will need to do anything on DC as it has different VRFs, on remote FortiGate no changes should be needed.

Adrian
Adam19892000

Hi, I actually asked this question on Reddit yesterday, which is odd. Reddit Post: I’ve added some extra config.

Could I ask a couple of questions please. 

At the moment I don’t have separate VRFs set up on the FortiGate. Is this a requirement? 

The link you have provided specifies specific routes, but the FortiGate is learning all internal routes (quite a few) via the two Internal BGP peers. Is there a way that I can allow the DMZ to learn all of these in their entirety without specifying certain routes?

I could just put static routes for the supernets to point the traffic to the Internal ports and then a default route out to the Internet peers, but I am trying to use BGP throughout for resilience purposes.

akristof

Hi,

VRFs are not mandatory. It is usually a design decision when you want to separate some traffic but you don't want to use VDOMs.

And in theory yes, you can use a static default route to route all traffic outside of the VRF. But then the point of the VRF is gone. Usually you want to leak only specific routes for specific traffic.

Adrian
Adam19892000

Thanks Adrian, agreed, but unfortunately some systems sat in the DMZ will require HTTPS access to all internal hosts, so I was aiming to secure internal access with policies but make sure the systems have the routes to route internally if allowed to do so.
Adam

akristof

Hello,

You can still do it. As you will use a vdom-link for VRF leaking, you can limit and secure the traffic with firewall policies.

Adrian
Adam19892000

If you have any examples of how I can configure it still utilising BGP that would be greatly appreciated. The DMZ and Internal are on the same VDOM. 
Adam

akristof

Hello,

You can still use BGP for leaking, but you will need BGP established between vrfX and some other device, and between vrfY and some other device, and then configure BGP leaking.

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/834664/route-leaking-between...

Adrian
Adam19892000

Hi Adrian, 

We have the BGP peers configured between the FortiGate and the DC as below. 

config router bgp
    set as 65101
    set network-import-check disable
    config neighbor
        edit "10.9.4.53" [Other Network Peer]
            set remote-as 64627
        next
        edit "10.9.4.55" [Other Network Peer]
            set remote-as 64628
        next
        edit "10.9.4.17" [Internal Peer]
            set remote-as 65001
        next
        edit "10.9.4.18" [Internal Peer]
            set remote-as 65001
        next
        edit "10.9.4.25" [DMZ Peer]
            set remote-as 65002
        next
        edit "10.9.4.26" [DMZ Peer]
            set remote-as 65002
        next
        edit "26.98.214.220" [External Peer]
            set remote-as 64627
        next
        edit "26.98.214.221" [External Peer]
            set remote-as 64628
        next
    end
    config network
        edit 2
            set prefix 26.98.214.218 255.255.255.192 [External Range]
        next
        edit 3
            set prefix 10.9.4.22 255.255.255.255
        next
        edit 4
            set prefix 10.182.171.128 255.255.255.224 [VPN Range]
        next
        edit 5
            set prefix 10.182.171.160 255.255.255.224 [VPN Range]
        next
        edit 6
            set prefix 10.9.12.128 255.255.255.128 [DMZ Range]
        next
    end
end

We learn the default route via the external peer and Internal only learns the default route from the FortiGate and blocks all other routes.

I'm just struggling to work out how to configure the route leaking based on my own configuration. 

Adam

akristof

Hello,

My example:

FortiGate-101F (root) # show router bgp
config router bgp
    set as 65000
    config neighbor
        edit "10.109.21.49"
            set soft-reconfiguration enable
            set remote-as 65002
        next
        edit "10.20.1.50"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set interface "port4"
            set remote-as 65001
        next
    end
    config vrf-leak
        edit "0"
            config target
                edit "20"
                    set route-map "to_20"
                    set interface "vrf_leak0"
                next
            end
        next
        edit "20"
            config target
                edit "0"
                    set route-map "vrf20_0"
                    set interface "vrf_leak1"
                next
            end
        next
    end
end

Of the two neighbors, one is over VRF 0 and the second over VRF 20.

From VRF 0 to VRF 20 I am allowing only 192.168.0.0/24. From VRF 20 to 0 I have a route-map that denies everything, because I don't want any leak in that direction. But in order for leaking to work, you need to have both directions configured. And this is how it looks:

FortiGate-101F (root) # get router info routing-table all

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1, [1/0]
C 10.109.16.0/20 is directly connected, wan1
C 169.254.2.1/32 is directly connected, vrf_leak0
B 192.168.0.0/24 [20/0] via 10.109.21.49 (recursive is directly connected, wan1), 00:05:03
C 192.168.1.0/24 is directly connected, mgmt

Routing table for VRF=20
C 10.20.0.0/20 is directly connected, port4
C 169.254.2.2/32 is directly connected, vrf_leak1
B 192.168.0.0/24 [20/0] via 169.254.2.1, vrf_leak1, 00:01:19

I hope that makes it a bit clearer.

Adrian
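As an added check (not part of this thread or of FortiOS), the script below parses `get router info routing-table all` output in the format quoted above, treats BGP routes whose next hop is a vrf_leak interface as routes imported from the other VRF, and compares them against the intended per-VRF allow list, so a route-map that is too permissive in the "deny everything" direction shows up as an unexpected leak and a prefix-list that is too strict shows up as a missing one. The sample output is constructed from the reply above; the `vrf_leak` interface-name prefix and the function names are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: the "get router info routing-table all" output quoted in the reply above.
SAMPLE_OUTPUT = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1, [1/0]
C 10.109.16.0/20 is directly connected, wan1
C 169.254.2.1/32 is directly connected, vrf_leak0
B 192.168.0.0/24 [20/0] via 10.109.21.49 (recursive is directly connected, wan1), 00:05:03
C 192.168.1.0/24 is directly connected, mgmt

Routing table for VRF=20
C 10.20.0.0/20 is directly connected, port4
C 169.254.2.2/32 is directly connected, vrf_leak1
B 192.168.0.0/24 [20/0] via 169.254.2.1, vrf_leak1, 00:01:19
"""

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)")
ROUTE_LINE = re.compile(r"^([A-Z]\*?)\s+(\S+/\d+)\s+(.*)$")   # code, prefix, remainder
VIA_IFACE = re.compile(r"via \S+, (\S+),")   # "via 169.254.2.1, vrf_leak1, 00:01:19" -> vrf_leak1

def parse_routing_table(text):
    """Group routes per VRF: {vrf: [(code, prefix, outgoing_interface_or_None), ...]}."""
    tables = defaultdict(list)
    vrf = None
    for line in text.splitlines():
        hdr = VRF_HEADER.match(line)
        if hdr:
            vrf = int(hdr.group(1))
            continue
        rt = ROUTE_LINE.match(line)
        if rt and vrf is not None:
            via = VIA_IFACE.search(rt.group(3))   # recursive next hops have no ", iface," and give None
            tables[vrf].append((rt.group(1), rt.group(2), via.group(1) if via else None))
    return dict(tables)

def leaked_routes(tables, leak_iface_prefix="vrf_leak"):
    """BGP routes whose next hop is a vrf_leak interface were imported from another VRF (assumption)."""
    return {vrf: sorted(p for code, p, iface in routes
                        if code == "B" and iface and iface.startswith(leak_iface_prefix))
            for vrf, routes in tables.items()}

def verify_leak_policy(tables, policy):
    """policy = {vrf: prefixes allowed to be leaked INTO that VRF}; returns a list of violations."""
    problems = []
    for vrf, prefixes in leaked_routes(tables).items():
        allowed = set(policy.get(vrf, ()))
        problems += [f"VRF {vrf}: unexpected leaked route {p}" for p in prefixes if p not in allowed]
        problems += [f"VRF {vrf}: expected leaked route {p} missing" for p in allowed - set(prefixes)]
    return problems
```

Run it against the output of your own FortiGate with the policy set to the prefixes your route-maps are meant to permit; an empty list means the leak matches the intent in both directions.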