Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Bman854
New Contributor II

FortiGate stripping BGP TCP option 19

Dear Comunity,

how to configure my FortiGate (FortiOS 7.2.8) to not stripping TCP option 19 (used for BGP MD5 authentication)? The same problem is in the Cisco world as well and it is nicely explained (with solution) here: https://learningnetwork.cisco.com/s/article/how-to-allow-ebgp-md5-authentication-when-asa-firewall-i... I am looking for the same solution. Until I figure it down, I can't replace the Cisco ASA used in the production.

 

Best Regards

Bm

5 REPLIES 5
Toshi_Esumi
SuperUser
SuperUser

fricci_FTNT
Staff
Staff

Hi @Bman854 ,

 

I have tested it in lab and the Fortigate does not strip the TCP option 19 used for MD5 authentication between two eBGP peers. Peering has been established and it works as expected.

Lab scenario:
[FGT-eBGP-peer-01] <------> [FGT-(FOS_7.2.8)] <------> [FGT-eBGP-peer-02]

Please see the following screenshot from pcap ran on FortiGate FGT-[FOS_7.2.8] :

Community_BGP_TCPoption19.PNG

 

Hope this helps.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Bman854
New Contributor II

Thank you for the lab test and link to the doc!

 

I've scheduled another test in production this week, so I will let you know about the result. If I sniff the data going through the FG box, can I see also the data on the outgoing side (to be sure about that like in your packet capture) from the FG? Or the only possible way is to sniff the destionation.

 

Regards

fricci_FTNT

Hi @Bman854 ,

In my packet capture I ran the command:

diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y and port 179' 6 0 l

then converted it to a Wireshark readable format.

 

Regarding your question:
>>If I sniff the data going through the FG box, can I see also the data on the outgoing side (to be sure about that like in your packet capture) from the FG?

If I understood correctly you want to see the packets leaving the FortiGate, right? Bear in mind that the packets that you see in the sniffer command are the packets elaborated by the FortiGate CPU. If you want to see the packets that are actually leaving the FortiGate at a physical interface level you can use the specific command "diag span-sniffer packet sw:portX ...." where portX is the outgoing interface on the FortiGate. If you use VLANs, the filter may be not trivial. You may find the article below useful:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-capture-packet-traffic-at-the-physi...
Alternatively you could capture/span the traffic on the switchport connected to the specific outgoing Fortigate interface (possibly filtering the traffic to avoid a huge amount of data).


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Bman854
New Contributor II

Yep, exactly, thanks for the info! IMHO to see, whether the auth. part is stripped or not can be decided only from sniffed traffic going out of the box. And yes, I have VLANs there, so I will have to define the filter precisely. Unfortunately the links are 10Gb optics, so taping (HW sniffing) them isn't a possible option for me :)

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors