JosephG
New Contributor

Fortigate BGP not working as expected.

So I have the below setup.
[Diagram: Example.drawio.png]

Fortigate
Interfaces
aggregateinterf: IP 172.19.0.6 255.255.255.248. No Vlan.

MGMT: IP 192.168.183.58 255.255.255.192, VLAN 200, Parent: aggregateinterf
CCTV: IP 192.168.183.190 255.255.255.192, VLAN 250, Parent: aggregateinterf.

Switch

VRF WAN
VRF LAN
VRF MGMT
VRF CCTV


SVI: WAN, IP 172.19.0.2/29, VRF WAN, VLAN 101
SVI: CCTV, IP 192.168.183.130/26, VRF CCTV, VLAN 250
SVI: MGMT, IP 192.168.183.2/26, VRF MGMT, VLAN 200
SVI: LAN1, IP 192.168.168.1/24, VRF LAN, VLAN 300
SVI: LAN2, IP 192.168.169.1/24, VRF LAN, VLAN 301

On the switch, I leak the routes between LAN and WAN.


I have BGP peering from the switch as below.
VRF WAN to aggregateinterf, 172.19.0.6/29
VRF MGMT to MGMT vlan, 192.168.183.58/26

Now BGP is established and I can see the FortiGate as the default route.
The issue I am having is that the FortiGate is not advertising each interface's connected route to the other VRFs on the switch.

In the outgoing routes, I would expect the below.

neighbour on aggregateinterf
0.0.0.0/0 via 172.16.0.6
192.168.183.0/26 via 172.16.0.6
192.168.183.128/26 via 172.16.0.6

neighbour on vlan MGMT
0.0.0.0/0 via 192.168.183.58
172.19.0.0/29 via 192.168.183.58
192.168.183.128/26 via 192.168.183.58

What I actually get is below.

neighbour on aggregateinterf
0.0.0.0/0 via 172.16.0.6

neighbour on vlan MGMT
0.0.0.0/0 via 192.168.183.58

Config is below.

LAB-FW # show router prefix-list
config router prefix-list
edit "MGMT-OUT"
config rule
edit 1
set prefix 192.168.183.64 255.255.255.192
unset ge
unset le
next
end
next
edit "LAN-OUT"
config rule
edit 1
set prefix 192.168.183.0 255.255.255.0
unset ge
unset le
next
end
next
end

LAB-FW # show router route-map
config router route-map
edit "MGMT-OUT"
config rule
edit 1
set match-ip-address "MGMT-OUT"
next
end
next
edit "LAN-OUT"
config rule
edit 1
set match-ip-address "LAN-OUT"
next
end
next
end

LAB-FW # show router bgp
config router bgp
set as 65000
set router-id 172.16.0.6
set ebgp-multipath enable
set cluster-id 172.16.0.6
config neighbor
edit "172.19.0.2"
set capability-default-originate enable
set interface "aggregateinterf"
set remote-as 64600
set route-map-out "LAN-OUT"
set keep-alive-timer 2
set holdtime-timer 10
next
edit "192.168.183.2"
set capability-default-originate enable
set interface "MGMT"
set remote-as 64600
set route-map-out "MGMT-OUT"
set keep-alive-timer 2
set holdtime-timer 10
next
end
config network
edit 1
set prefix 192.168.0.0 255.255.0.0
next
end
config network6
edit 1
set prefix6 ::/128
next
end
config redistribute "connected"
set status enable
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
end

LAB-FW # get router info bgp neighbors 172.19.0.2 advertised-routes
VRF 0 BGP table version is 4, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 172.19.0.6 100 32768 0 i <-/->

Total number of prefixes 1

LAB-FW # get router info bgp neighbors 192.168.183.2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 192.168.183.58 100 32768 0 i <-/->

Total number of prefixes 1

LAB-FW # show system interface
config system interface
edit "aggregateinterf"
set vdom "root"
set ip 172.19.0.6 255.255.255.248
set allowaccess ping snmp fgfm
set type aggregate
set member "port1" "port2"
set device-identification enable
set device-user-identification disable
set lldp-reception enable
set lldp-transmission enable
set role lan
set snmp-index 15
next
edit "MGMT"
set vdom "root"
set ip 192.168.183.58 255.255.255.192
set allowaccess ping https ssh http fgfm
set alias "MGMT"
set device-identification enable
set role lan
set snmp-index 16
set interface "aggregateinterf"
set vlanid 200
next
edit "CCTV"
set vdom "root"
set ip 192.168.183.190 255.255.255.192
set allowaccess ping
set alias "CCTV"
set device-identification enable
set role lan
set snmp-index 17
set interface "aggregateinterf"
set vlanid 250
next
end

ebilcari
Staff

I think the issue is related to the prefix in the 'config network' configuration; more details can be found here.

- Emirjon
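A small model of the posted filters, added here as an illustration and not taken from the thread or from Fortinet: it applies standard prefix-list length matching to the connected routes read off the posted "show system interface" output and shows which of them each route-map-out lets through. The exact-match-when-ge/le-unset rule and the network-import-check behaviour are assumptions about FortiOS semantics stated in the comments.

```python
import ipaddress

# Outbound filters exactly as posted. Assumption: a prefix-list rule with
# "unset ge" / "unset le" matches only the exact prefix length, as on FortiOS.
PREFIX_LISTS = {
    "MGMT-OUT": [("192.168.183.64/26", None, None)],
    "LAN-OUT": [("192.168.183.0/24", None, None)],
}
ROUTE_MAP_OUT = {"172.19.0.2": "LAN-OUT", "192.168.183.2": "MGMT-OUT"}

# Connected routes that "redistribute connected" feeds into BGP; this list is
# constructed from the interface addresses in the posted config.
CONNECTED = ["172.19.0.0/29", "192.168.183.0/26", "192.168.183.128/26"]


def prefix_rule_matches(route, rule):
    """True if `route` is permitted by one (prefix, ge, le) prefix-list rule.

    Length bounds follow the usual prefix-list rules: both unset -> exact
    length; only ge set -> ge..32; only le set -> prefix length..le.
    """
    net = ipaddress.ip_network(route)
    base = ipaddress.ip_network(rule[0])
    ge, le = rule[1], rule[2]
    if net.network_address not in base:  # also rejects shorter prefixes
        return False
    lo = ge if ge is not None else base.prefixlen
    hi = le if le is not None else (32 if ge is not None else base.prefixlen)
    return lo <= net.prefixlen <= hi


def advertised(neighbour, prefix_lists=PREFIX_LISTS, candidates=CONNECTED):
    """Redistributed routes that survive the neighbour's route-map-out.

    A route-map rule whose match fails denies the route (implicit deny). The
    0.0.0.0/0 in the posted output comes from capability-default-originate
    and is not modelled here.
    """
    rules = prefix_lists[ROUTE_MAP_OUT[neighbour]]
    return [r for r in candidates if any(prefix_rule_matches(r, x) for x in rules)]


def network_statement_exported(network, routing_table):
    """Assumption: with network-import-check (default enable) a 'config network'
    prefix is only advertised when that exact prefix is in the routing table."""
    return ipaddress.ip_network(network) in {ipaddress.ip_network(r) for r in routing_table}


if __name__ == "__main__":
    for nbr in ROUTE_MAP_OUT:
        print(nbr, "receives:", advertised(nbr) or "nothing beyond the default route")
    print("192.168.0.0/16 exported:", network_statement_exported("192.168.0.0/16", CONNECTED))
```

Widening LAN-OUT to `ge 26 le 26` in the same model lets both /26 connected routes through, which is the kind of check worth running before changing the live filters.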