Dear Comunity,
how to configure my FortiGate (FortiOS 7.2.8) to not stripping TCP option 19 (used for BGP MD5 authentication)? The same problem is in the Cisco world as well and it is nicely explained (with solution) here: https://learningnetwork.cisco.com/s/article/how-to-allow-ebgp-md5-authentication-when-asa-firewall-i... I am looking for the same solution. Until I figure it down, I can't replace the Cisco ASA used in the production.
Best Regards
Bm
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Are you sure it's stripped? This KB doesn't say it would.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-and-troubleshoot-BGP-MD5-...
Toshi
Hi @Bman854 ,
I have tested it in lab and the Fortigate does not strip the TCP option 19 used for MD5 authentication between two eBGP peers. Peering has been established and it works as expected.
Lab scenario:
[FGT-eBGP-peer-01] <------> [FGT-(FOS_7.2.8)] <------> [FGT-eBGP-peer-02]
Please see the following screenshot from pcap ran on FortiGate FGT-[FOS_7.2.8] :
Hope this helps.
Best regards,
Are you sure it's stripped? This KB doesn't say it would.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-and-troubleshoot-BGP-MD5-...
Toshi
Hi @Bman854 ,
I have tested it in lab and the Fortigate does not strip the TCP option 19 used for MD5 authentication between two eBGP peers. Peering has been established and it works as expected.
Lab scenario:
[FGT-eBGP-peer-01] <------> [FGT-(FOS_7.2.8)] <------> [FGT-eBGP-peer-02]
Please see the following screenshot from pcap ran on FortiGate FGT-[FOS_7.2.8] :
Hope this helps.
Best regards,
Thank you for the lab test and link to the doc!
I've scheduled another test in production this week, so I will let you know about the result. If I sniff the data going through the FG box, can I see also the data on the outgoing side (to be sure about that like in your packet capture) from the FG? Or the only possible way is to sniff the destionation.
Regards
Created on 05-20-2024 02:17 AM Edited on 05-20-2024 03:25 AM
Hi @Bman854 ,
In my packet capture I ran the command:
diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y and port 179' 6 0 l
then converted it to a Wireshark readable format.
Regarding your question:
>>If I sniff the data going through the FG box, can I see also the data on the outgoing side (to be sure about that like in your packet capture) from the FG?
If I understood correctly you want to see the packets leaving the FortiGate, right? Bear in mind that the packets that you see in the sniffer command are the packets elaborated by the FortiGate CPU. If you want to see the packets that are actually leaving the FortiGate at a physical interface level you can use the specific command "diag span-sniffer packet sw:portX ...." where portX is the outgoing interface on the FortiGate. If you use VLANs, the filter may be not trivial. You may find the article below useful:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-capture-packet-traffic-at-the-physi...
Alternatively you could capture/span the traffic on the switchport connected to the specific outgoing Fortigate interface (possibly filtering the traffic to avoid a huge amount of data).
Best regards,
Yep, exactly, thanks for the info! IMHO to see, whether the auth. part is stripped or not can be decided only from sniffed traffic going out of the box. And yes, I have VLANs there, so I will have to define the filter precisely. Unfortunately the links are 10Gb optics, so taping (HW sniffing) them isn't a possible option for me :)
It took a little longer to migrate, but it's already done and BGP session is OK. So there has to be some other problem, why the previous migration failed on BGP. The Question can be closed. Thank you very much for your time!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.