Hi all, may I know if there is any possibility of stripping/hiding all BGP AS-path entries except the FGT's own AS itself, similar to the PAN "remove AS-path" function? For example, the BGP AS path is AS 64525 (R1) <-> AS 64999 (FGT) <-> AS 64888 (R3), and R3 may include other ASes like 200, 300.

Current problem: R1 sees a long AS path.
Router1 # get router info bgp nei x.x.x.x received-route
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 64999 64888 200 300? <-/->

Target: leave only the FGT's own AS / hide the other AS-path entries in the BGP table.
Router1 # get router info bgp nei x.x.x.x received-route
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 64999 ? <-/->

Is it possible for the FGT to achieve this? If anyone has an idea, please assist.
I haven't done it myself but found the below with a simple Internet (Google) search.
Hi Toshi Esumi,
Finally someone responded to the topic.
Thanks for the reply and the information with the link.
Unfortunately, the link doesn't include how to strip/hide the AS path including both private and public ASNs. My case is similar to scenario 2. I'm wondering whether there is any way to achieve this on the FortiGate firewall, or whether it is a FortiGate feature limitation. On PAN or Cisco, they are able to completely hide/strip the AS path, including private and public.
If any of you or a Fortinet employee knows of another way to achieve it, or can confirm it is an FGT feature limitation, please share it. I'd appreciate it.
Why would you strip a public AS from an AS_path string? I don't think I have ever heard of anybody removing a public AS_path and replacing it; we typically drop the prefix from that path or de-preference it to a ridiculous value like 1 or 10 if you have other BGP routes for that same destination.
As far as removing private AS, you should be able to do that per neighbor statement. That KB seems to be incorrect, and the 1st example does have a mix of public and private ASNs.
I would test it for sure and grab the received prefixes after applying. Ken Felix
PCNSE
NSE
StrongSwan
Probably Ken can tell exactly how it would work, but based on the description in the KB, if there are not too many patterns of AS path you want to remove, or at least only a few in the immediate neighbors, I would assume you could match those with the regex described in scenario 2 and then replace them with NULL. Or in the worst case you can at least prepend with 64999.
Unless R1 has different paths to get to 64999, that additional/duplicate 64999 shouldn't affect R1's routing decisions.
In any case, if I were you I would just open a ticket with TAC to ask. Then you can get the exact answers you want to know.
Toshi
Here's what happens; see the diagram. It shows the private AS 65001 peering with 5706, who peers with ATT and NTT. With remove-private-as on the 5706 neighbor statement, I will drop the 65001 on any update that it sends to ATT 7018 or NTT 2914.
So the BGP update from 192.0.2.1/31 does not need to be aware of this; this happens upstream at the ISP on the edge. We do exactly the above in my day job, FWIW, to avoid leaking private 65412-65535 into the global BGP table.
Ken Felix
PCNSE
NSE
StrongSwan
Hi @Toshi Esumi
You make a good point. As I mentioned, my case is like scenario 2: my R3 includes public AS and private AS and advertises out to the FGT, and R1 receives the path. "Removing private AS" will not work if the unit includes both public and private. Also, I did log a case with TAC; unfortunately, the response is slow.
Hi @Ken Felix,
We need this feature due to the PAN migration to FGT. In PAN, there is a feature called "Remove". When R3 includes public AS and private AS, PAN is able to remove them, and R1 only sees the PAN AS number, which is 64999 (currently being replaced by the FGT). You may refer to the PAN attachment. Without removing it, R1 will see one more path in the BGP table, which causes delay or one more path to go. The table example is included below.
Yeah, the method in the KB will work with your diagram, with a separate unit pointing to AS5706 (assume it's my FGT (64999)). Unfortunately, in my case R3 includes public AS and its own private AS. Please see the attachment in the next post.
I am trying to achieve the below.
Current problem: R1 sees a long AS path.
Router1 # get router info bgp nei x.x.x.x received-route
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 64111 64888 200 300? <-/->
*> 10.22.22.0/24 10.90.1.2 0 0 64111 64888 200 300? <-/->

After applying the KB article with scenario 2, there is a duplicate or one more path in R1:
Router1 # get router info bgp nei x.x.x.x received-route
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 64111 64111? <-/->
*> 10.22.22.0/24 10.90.1.2 0 0 64111 64111 ? <-/->

Target: only show the FGT's own ASN instead of including R3 (private and public AS) (it works in PAN):
Router1 # get router info bgp nei x.x.x.x received-route
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 64111 ? <-/->
*> 10.22.22.0/24 10.90.1.2 0 0 64111 ? <-/->
So, I would also like to know if anyone knows of another way to achieve it, or can confirm it is an FGT feature limitation. If it's a limitation, I may think of another way to solve it instead.
I'd appreciate it if any of you could let me know.
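Ken's advice above to grab the received prefixes after applying the policy can be scripted. The following Python is an added example for this thread, not FortiGate or PAN code: it parses an R1 received-route listing in the column order quoted above (assuming, as in the quoted output, that two numeric columns print before the path), and reports every prefix whose AS path still carries ASNs other than the peer's own, split into private (RFC 6996 ranges) and public ASNs, so you can see at once whether a remove-private-as style option alone would have been enough. The listings are constructed from the thread's values (FGT = 64999, R3 = 64888, public 200 and 300); AS_SET segments are not handled.

```python
"""Audit a 'get router info bgp nei <ip> received-route' listing and report
prefixes whose AS path still exposes ASNs beyond the peer's own ASN.
Added example for the thread above; column layout is assumed."""
import re
from dataclasses import dataclass

# RFC 6996 private ASN ranges (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# One route line: status flags, prefix, next hop, then the remaining columns.
# Assumption: columns are ordered as quoted in the thread (Network, Next Hop,
# numeric attribute columns, AS path, origin code).
ROUTE_RE = re.compile(
    r"^\s*(?P<flags>[*>sdhrS]+)\s+(?P<prefix>\S+/\d+)\s+(?P<next_hop>\S+)\s+(?P<rest>.*)$"
)


@dataclass(frozen=True)
class ReceivedRoute:
    prefix: str
    next_hop: str
    as_path: tuple   # ASNs in order, nearest neighbour first
    origin: str      # 'i', 'e' or '?'


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def _split_rest(rest: str, attr_columns: int):
    """Separate the leading numeric attribute columns from the AS path and origin.
    attr_columns is how many numeric columns (Metric/LocPrf/Weight/RouteTag) are
    actually printed before the path; the thread's sample shows two ('0 0').
    The origin code may be glued to the last ASN ('300?'), as in the original post.
    AS_SET segments such as '{200,300}' are not handled and make the line skip."""
    pat = r"^(?:\d+\s+){%d}(?P<path>(?:\d+\s*)*)\s*(?P<origin>[ie?])(?:\s|$)" % attr_columns
    m = re.match(pat, rest)
    if not m:
        return None
    path = tuple(int(a) for a in m.group("path").split())
    return path, m.group("origin")


def parse_received_routes(listing: str, attr_columns: int = 2) -> list:
    routes = []
    for line in listing.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue          # prompt, column header, blank line
        split = _split_rest(m.group("rest"), attr_columns)
        if split is None:
            continue          # unexpected layout: skip rather than guess
        path, origin = split
        routes.append(ReceivedRoute(m.group("prefix"), m.group("next_hop"), path, origin))
    return routes


def audit_as_paths(routes, peer_asn: int) -> list:
    """One finding per route whose AS path contains anything other than peer_asn.
    Leaked ASNs are split into private and public so the reader can tell whether
    stripping private ASNs alone would have produced the target listing."""
    findings = []
    for r in routes:
        extra = [a for a in r.as_path if a != peer_asn]
        if not extra:
            continue
        findings.append({
            "prefix": r.prefix,
            "as_path": r.as_path,
            "leaked_private": tuple(a for a in extra if is_private_asn(a)),
            "leaked_public": tuple(a for a in extra if not is_private_asn(a)),
        })
    return findings


# Constructed sample listings modelled on the ones quoted in the thread
# (FGT = AS 64999, R3 = AS 64888 behind it, plus public AS 200 and 300).
LISTING_BEFORE = """\
Router1 # get router info bgp nei 10.90.1.2 received-route
Network          Next Hop         Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24   10.90.1.2            0      0 64999 64888 200 300?
*> 10.33.33.0/24   10.90.1.2            0      0 64999 65001 ?
"""
LISTING_TARGET = """\
Router1 # get router info bgp nei 10.90.1.2 received-route
Network          Next Hop         Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24   10.90.1.2            0      0 64999 ?
*> 10.33.33.0/24   10.90.1.2            0      0 64999 ?
"""

if __name__ == "__main__":
    for name, listing in (("before", LISTING_BEFORE), ("target", LISTING_TARGET)):
        findings = audit_as_paths(parse_received_routes(listing), peer_asn=64999)
        print(f"{name}: {len(findings)} route(s) still expose upstream ASNs")
        for f in findings:
            print(f"  {f['prefix']}: path {f['as_path']} "
                  f"private={f['leaked_private']} public={f['leaked_public']}")
```

Paste the real listing from R1 into LISTING_BEFORE (or read it from a file) and adjust attr_columns if your FortiOS build prints a different number of numeric columns before the path; an empty findings list is the "target" state from the post above.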
If the FGT is the only next hop for R1 to reach R3 and R4, there is no difference whether R1 sees the route with one AS hop (not path) or 2 or 3 AS hops in the path. Only if another router, R5 or FGT2, provides a second path from R1 to reach R3 or R4 directly, bypassing FGT/6499, does R1 compare the two routes by AS hop count; then, if one has one hop (6499) and the other has 3 hops (65xx 6488 200), the first route is the winner as long as the other metrics are tied.
I still believe you can remove those, if you still want to remove them, with the aspath-list and route-map in a much more flexible way. You will hear from TAC.
My thoughts:
If the path is really that, and we are not talking Internet BGP connectivity as in an upstream SP/ISP, I would not even waste my time filtering private ASNs. Filtering private AS is practice at the Internet edge and in the public BGP domain.
Also, in a real Internet BGP domain, nobody connects a public AS to a private AS and then to a public domain, from my experience.
e.g.
AS200-64512-6500-2914-internet
Also, you never ever ever connect a private ASN to 2 different public-AS ISP providers.
e.g.
65100----isp1-2914
|
|_____isp2-7018
Ken Felix
PCNSE
NSE
StrongSwan