Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ncat
New Contributor II

Created on ‎06-09-2024 04:40 PM

FortiGate6.2 BGP filter

 

ncat.png【background】
 I'M TRYING TO CONNECT THE THREE LOCATIONS WITH IPSEC AND ROUTE THEM USING BGP.
【Prerequisite configuration】
 All locations are Fortigate 50E using OS 6.2
 - FOR A DIRECT IPSEC ROUTE WITH AS65001<->AS65002, ALL SUBORDINATE SEGMENTS ARE LISTED IN THE ROUTING TABLE.
 - IPSEC routes between AS65001<->AS65010 / AS65002<->AS65010 are also listed in the routing table for all subordinate segments.
 - When going through a AS65010 such as AS65001<->AS65010<->AS65002, routing information should not flow to AS65001 and AS65002.
【question】
 - Assuming that BGP is used for routing, what kind of settings should be made to "When routing via AS65010 such as AS65001<->AS65010<->AS65002, routing information should not flow between AS65001 and AS65002."?

Labels:
324
0 Kudos
2 Solutions
adimailig
Staff
Staff
In response to ncat

Created on ‎06-09-2024 06:17 PM

@ncat 

You may refer to below guide for CLI configuration
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-an-Access-list-on-a-Route-Map-that-...

Best Regards,

Arnold Dimailig
TAC Engineer

View solution in original post

282
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-09-2024 10:43 PM Edited on ‎06-09-2024 11:01 PM

You don't have to do anything special since simple triangle topology with different AS at three sites.

At AS=65001, it would get 192.168.20.0/24 from both AS=65002 and AS=65010. However, the AS path is different between them:
- AS=65002 route's AS path: 65002
- AS=65010 route's AS path: 65010 65002
Due to 4) in the route selection rules below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932
AS=65001 chooses AS=65002 route as the best route (shortest AS path).

The same goes with all other routes at both 65001 and 65002.

Toshi

View solution in original post

232
7 REPLIES 7
adimailig
Staff
Staff

Created on ‎06-09-2024 04:54 PM

@ncat 

You may refer to below guide on how to block/deny advertisement of specific routes to your peer.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Block-Advertising-and-Receiving-of-...

Best Regards,

Arnold Dimailig
TAC Engineer
311
ncat
New Contributor II
In response to adimailig

Created on ‎06-09-2024 05:06 PM

@adimailig 

Thanks for the answer.
I checked the GUI as you said, but there is no place where you can set it.
I think it's probably because I'm using FortiOS 6.2 and a slightly older OS, but with the corresponding OS
Is there a way to set it up? (I'm thinking it's probably going to be a CUI setting.)

297
adimailig
Staff
Staff
In response to ncat

Created on ‎06-09-2024 06:17 PM

@ncat 

You may refer to below guide for CLI configuration
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-an-Access-list-on-a-Route-Map-that-...

Best Regards,

Arnold Dimailig
TAC Engineer
283
ncat
New Contributor II
In response to adimailig

Created on ‎06-11-2024 02:54 AM

Thanks for the answer. Since it was successfully filtered, this matter will be closed. Thanks

177
0 Kudos
adimailig
Staff
Staff
In response to ncat

Created on ‎06-11-2024 02:55 AM

Glad to help @ncat .
Thank you.

Best Regards,

Arnold Dimailig
TAC Engineer
173
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-09-2024 10:43 PM Edited on ‎06-09-2024 11:01 PM

You don't have to do anything special since simple triangle topology with different AS at three sites.

At AS=65001, it would get 192.168.20.0/24 from both AS=65002 and AS=65010. However, the AS path is different between them:
- AS=65002 route's AS path: 65002
- AS=65010 route's AS path: 65010 65002
Due to 4) in the route selection rules below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932
AS=65001 chooses AS=65002 route as the best route (shortest AS path).

The same goes with all other routes at both 65001 and 65002.

Toshi

233
ncat
New Contributor II
In response to Toshi_Esumi

Created on ‎06-11-2024 02:53 AM

Thanks for the answer. Since it was successfully filtered, this matter will be closed, but I learned again from the movement of BGP.

179
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.