So I have the below setup.
Fortigate
Interfaces
aggregateinterf: IP 172.19.0.6 255.255.255.248. No VLAN.
MGMT: IP 192.168.183.58 255.255.255.192, VLAN 200, Parent: aggregateinterf
CCTV: IP 192.168.183.190 255.255.255.192, VLAN 250, Parent: aggregateinterf.
Switch
VRF WAN
VRF LAN
VRF MGMT
VRF CCTV
SVI: WAN, IP 172.19.0.2/29, VRF WAN, VLAN 101.
SVI: CCTV, IP 192.168.183.130/26, VRF CCTV, VLAN 250
SVI: MGMT, IP 192.168.183.2/26, VRF MGMT, VLAN 200
SVI: LAN1, IP 192.168.168.1/24, VRF LAN, VLAN 300
SVI: LAN2, IP 192.168.169.1/24, VRF LAN, VLAN 301
On the switch, I leak the routes between LAN and WAN.
I have BGP peering from the switch as below.
VRF WAN to aggregateinterf, 172.19.0.6/29
VRF MGMT to MGMT vlan, 192.168.183.58/26
Now BGP is established and I can see the fortigate as the default route.
The issue I am having is that the Fortigate is not advertising each interface's connected route to the other VRFs on the switch.
In the outgoing routes, I would expect the below.
neighbour on aggregateinterf
0.0.0.0/0 via 172.16.0.6
192.168.183.0/26 via 172.16.0.6
192.168.183.128/26 via 172.16.0.6
neighbour on vlan MGMT
0.0.0.0/0 via 192.168.183.58
172.19.0.0/29 via 192.168.183.58
192.168.183.128/26 via 192.168.183.58
What I actually get is below.
neighbour on aggregateinterf
0.0.0.0/0 via 172.16.0.6
neighbour on vlan MGMT
0.0.0.0/0 via 192.168.183.58
Config is below.
```text
LAB-FW # show router prefix-list
config router prefix-list
    edit "MGMT-OUT"
        config rule
            edit 1
                set prefix 192.168.183.64 255.255.255.192
                unset ge
                unset le
            next
        end
    next
    edit "LAN-OUT"
        config rule
            edit 1
                set prefix 192.168.183.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
```

```text
LAB-FW # show router route-map
config router route-map
    edit "MGMT-OUT"
        config rule
            edit 1
                set match-ip-address "MGMT-OUT"
            next
        end
    next
    edit "LAN-OUT"
        config rule
            edit 1
                set match-ip-address "LAN-OUT"
            next
        end
    next
end
```
```text
LAB-FW # show router bgp
config router bgp
    set as 65000
    set router-id 172.16.0.6
    set ebgp-multipath enable
    set cluster-id 172.16.0.6
    config neighbor
        edit "172.19.0.2"
            set capability-default-originate enable
            set interface "aggregateinterf"
            set remote-as 64600
            set route-map-out "LAN-OUT"
            set keep-alive-timer 2
            set holdtime-timer 10
        next
        edit "192.168.183.2"
            set capability-default-originate enable
            set interface "MGMT"
            set remote-as 64600
            set route-map-out "MGMT-OUT"
            set keep-alive-timer 2
            set holdtime-timer 10
        next
    end
    config network
        edit 1
            set prefix 192.168.0.0 255.255.0.0
        next
    end
    config network6
        edit 1
            set prefix6 ::/128
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
```
```text
LAB-FW # get router info bgp neighbors 172.19.0.2 advertised-routes
VRF 0 BGP table version is 4, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network       Next Hop      Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0     172.19.0.6              100  32768        0 i <-/->

Total number of prefixes 1
```

```text
LAB-FW # get router info bgp neighbors 192.168.183.2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network       Next Hop        Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0     192.168.183.58            100  32768        0 i <-/->

Total number of prefixes 1
```

```text
LAB-FW # show system interface
config system interface
    edit "aggregateinterf"
        set vdom "root"
        set ip 172.19.0.6 255.255.255.248
        set allowaccess ping snmp fgfm
        set type aggregate
        set member "port1" "port2"
        set device-identification enable
        set device-user-identification disable
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
    next
    edit "MGMT"
        set vdom "root"
        set ip 192.168.183.58 255.255.255.192
        set allowaccess ping https ssh http fgfm
        set alias "MGMT"
        set device-identification enable
        set role lan
        set snmp-index 16
        set interface "aggregateinterf"
        set vlanid 200
    next
    edit "CCTV"
        set vdom "root"
        set ip 192.168.183.190 255.255.255.192
        set allowaccess ping
        set alias "CCTV"
        set device-identification enable
        set role lan
        set snmp-index 17
        set interface "aggregateinterf"
        set vlanid 250
    next
end
```
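As an added example (not code from the thread or from Fortinet), the Python below models how a prefix-list rule is evaluated and runs the thread's two prefix-lists against the FortiGate's three connected networks, so an outbound allow-list can be checked before it is applied to a neighbour. It assumes the usual prefix-list semantics: with `ge` and `le` unset a rule matches only the exact prefix and length, and `ge`/`le` widen the accepted length window.

```python
from ipaddress import ip_network

# Constructed from the thread's "show router prefix-list" output.
# Each rule is (prefix, ge, le); None stands for "unset ge" / "unset le".
PREFIX_LISTS = {
    "MGMT-OUT": [("192.168.183.64/26", None, None)],  # not a connected net
    "LAN-OUT": [("192.168.183.0/24", None, None)],    # /24, connected are /26
}

# Connected networks of the three FortiGate interfaces in the thread.
CONNECTED = ["172.19.0.0/29", "192.168.183.0/26", "192.168.183.128/26"]


def rule_matches(candidate, rule):
    """True if the candidate prefix falls in the rule's prefix/length window.

    Assumed semantics: ge and le both unset means exact prefix and length
    only; otherwise the candidate must be a subnet of the rule prefix with
    a length inside [ge, le] (defaults: the rule's own length and 32).
    """
    cand = ip_network(candidate, strict=False)
    prefix, ge, le = rule
    rule_net = ip_network(prefix, strict=False)
    if ge is None and le is None:
        return cand == rule_net
    lo = rule_net.prefixlen if ge is None else ge
    hi = rule_net.max_prefixlen if le is None else le
    return cand.subnet_of(rule_net) and lo <= cand.prefixlen <= hi


def permitted(candidate, rules):
    """First-match evaluation; a prefix matching no rule is implicitly denied."""
    return any(rule_matches(candidate, r) for r in rules)


def advertised(connected, rules):
    """Connected prefixes that survive a route-map whose rule matches `rules`."""
    return [p for p in connected if permitted(p, rules)]


def exact_allow_list(connected):
    """One exact-match rule per prefix: the narrowest list that still passes them."""
    return [(p, None, None) for p in connected]


if __name__ == "__main__":
    for name, rules in PREFIX_LISTS.items():
        print(name, "permits:", advertised(CONNECTED, rules) or "nothing")
    # Widening LAN-OUT with "set le 26" would pass both /26 networks.
    print("LAN-OUT le 26:", advertised(CONNECTED, [("192.168.183.0/24", None, 26)]))
```

Run as-is, both of the thread's lists permit nothing from the connected set; the exact allow-list or an `le` window is what lets the /26 networks through.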
I think the issue is related to the prefix in the 'config network' configuration; more details can be found here.
Copyright 2025 Fortinet, Inc. All Rights Reserved.