Bman854
New Contributor II

FortiGate stripping BGP TCP option 19

Dear Community,

How do I configure my FortiGate (FortiOS 7.2.8) to not strip TCP option 19 (used for BGP MD5 authentication)? The same problem exists in the Cisco world as well, and it is nicely explained (with a solution) here: https://learningnetwork.cisco.com/s/article/how-to-allow-ebgp-md5-authentication-when-asa-firewall-i... I am looking for the same solution. Until I figure it out, I can't replace the Cisco ASA used in production.

 

Best Regards

Bm

2 Solutions
Toshi_Esumi
SuperUser

fricci_FTNT
Staff

Hi @Bman854 ,

 

I have tested it in the lab and the FortiGate does not strip the TCP option 19 used for MD5 authentication between two eBGP peers. Peering has been established and it works as expected.

Lab scenario:
[FGT-eBGP-peer-01] <------> [FGT-(FOS_7.2.8)] <------> [FGT-eBGP-peer-02]

Please see the following screenshot from a pcap run on FortiGate FGT-[FOS_7.2.8]:

Community_BGP_TCPoption19.PNG

 

Hope this helps.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

Bman854
New Contributor II

Thank you for the lab test and link to the doc!

 

I've scheduled another test in production this week, so I will let you know about the result. If I sniff the data going through the FG box, can I also see the data on the outgoing side (to be sure about that, like in your packet capture) from the FG? Or is the only possible way to sniff the destination?

 

Regards

fricci_FTNT

Hi @Bman854 ,

In my packet capture I ran the command:

diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y and port 179' 6 0 l

then converted it to a Wireshark readable format.

 

Regarding your question:
>>If I sniff the data going through the FG box, can I see also the data on the outgoing side (to be sure about that like in your packet capture) from the FG?

If I understood correctly, you want to see the packets leaving the FortiGate, right? Bear in mind that the packets that you see in the sniffer command are the packets processed by the FortiGate CPU. If you want to see the packets that are actually leaving the FortiGate at a physical interface level, you can use the specific command "diag span-sniffer packet sw:portX ...." where portX is the outgoing interface on the FortiGate. If you use VLANs, the filter may not be trivial. You may find the article below useful:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-capture-packet-traffic-at-the-physi...
Alternatively, you could capture/span the traffic on the switchport connected to the specific outgoing FortiGate interface (possibly filtering the traffic to avoid a huge amount of data).


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
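
As an added example (not part of the original posts): once captures from both sides of the FortiGate have been converted to pcap, a check like the one below, run over the raw TCP header of the BGP SYN, shows whether option 19 survived the firewall. The sample headers, `DIGEST` and all function names are constructed for illustration, and extracting the TCP header from the capture file is assumed to be done separately.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MD5SIG = 0, 1, 19  # kind 19: RFC 2385 TCP MD5 signature

def tcp_options(tcp_header: bytes):
    """Yield (kind, value) for every option in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4       # data offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:                  # end of option list
            break
        if kind == TCP_OPT_NOP:                  # one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        yield kind, opts[i + 2:i + length]
        i += length

def md5_signature(tcp_header: bytes):
    """Return the 16-byte digest carried in option 19, or None if it is absent."""
    for kind, value in tcp_options(tcp_header):
        if kind == TCP_OPT_MD5SIG and len(value) == 16:
            return value
    return None

def build_syn(options: bytes) -> bytes:
    """Constructed sample: SYN to port 179 with the given options (checksum left 0)."""
    assert len(options) % 4 == 0
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 179, 1, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

MSS = bytes([2, 4, 0x05, 0xB4])
DIGEST = bytes(range(16))                        # constructed placeholder digest
ingress = build_syn(MSS + bytes([19, 18]) + DIGEST + b"\x01\x01")
egress_stripped = build_syn(MSS + b"\x01" * 20)  # option 19 overwritten with NOPs

if __name__ == "__main__":
    for name, hdr in (("ingress", ingress), ("egress (stripped)", egress_stripped)):
        print(name, "-> option 19 present:", md5_signature(hdr) is not None)
```

Comparing the result for the same SYN on the ingress and egress captures answers the question directly: a digest on one side and `None` on the other means a device in between removed the option.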
Bman854
New Contributor II

Yep, exactly, thanks for the info! IMHO, whether the auth. part is stripped or not can be decided only from sniffed traffic going out of the box. And yes, I have VLANs there, so I will have to define the filter precisely. Unfortunately the links are 10Gb optics, so tapping (HW sniffing) them isn't a possible option for me :)

Bman854
New Contributor II

It took a little longer to migrate, but it's already done and the BGP session is OK. So there has to be some other reason why the previous migration failed on BGP. The question can be closed. Thank you very much for your time!
