Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mudasirmalik
New Contributor

Local in policy for BGP in regards to AWS

Hi all,
We have local-in policy to allow all for bgp. I know we can set local-in policy to disable port 179 as follows:

config firewall local-in-policy

    edit 1

       set intf wan1

       set scraddr all

       set dstaddr all

       set action deny

       set service BGP

       set schedule always

    end

I have a couple of questions. I am coming from PA deployed in a very small office, so sorry if sound bit silly.

1. How to know if I change config in 'edit 1', I am not changing any other policy already there.
2. We have VPN with AWS going from WAN1. The inside tunnel address configured in VPN is used for BGP. AWS config here uses BGP(inside tunnel IP) for VPN to work. If I apply above local-in policy will it not affect VPN tunnel between fortigate and AWS.

We are using Fortigate version 6.4.0

Thanks.

Mudasir Malik
Mudasir Malik
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

I'm not sure what you mean with No.1 "How to know...". You just need to change in "edit 1" then hit "next" (not "end"), and then "show" to check the result of your change. Or even before hitting "next", you can do "show".

 

BGP over the tunnel goes through the tunnel interface, which is automatically created when you configured the phase1-interface. Not over wan1 interface. So your deny statement in the local-in-policy wouldn't apply to the BGP with AWS. By default, BGP is allowed all interfaces including those tunnel/logical interfaces.

 

Toshi

mudasirmalik

Thanks a lot Toshi.
I was wondering to check if something is already configured at 'edit 1'. Although, I ran through running-config and don't see any local-in policy at all but in GUI, I can see we have many local-in policies. 

i was just curious as I know when I was working with ASA, you have specific command that will not apply any firewall policy on tunnel interface. looks like there is none in fortigate and tunnel inside IP is not considered on WAN interface. I will try to disable all bgp traffic for WAN port next week and see how it goes.

I guess to revert back I donot delete edit 1 instead change it to 

config firewall local-in-policy

    edit 1

       set intf wan1

       set scraddr all

       set dstaddr all

       set action allow

       set service BGP

       set schedule always

    end

or do you think deleting edit 1 is the best way.

Thanks a lot

 

Mudasir Malik
Mudasir Malik
Toshi_Esumi
SuperUser
SuperUser

As I said by default BGP is allowed on any interfaces. An "allow" local-in-policy is only meaningful when it's placed before a "larger" deny policy, so that it's allowed only with the condition while most of, if not all, others are denied. 

Your case, nothing would be different for the behavior of the FGT. I would simply remove it and start from scratch to avoid future confusion or cluttering.

mudasirmalik
New Contributor

In case someone is looking for an answer. Applied local-in-policy and it did not impact the tunnel. The only issue was that we never had BGP, so we had to create a new Service for BGP by going into Policy&Objects -> Services as without doing this you will not be able to run 'set service BGP' command.

Mudasir Malik
Mudasir Malik
Toshi_Esumi
SuperUser
SuperUser

BGP should be in pre-configured services like DNS, OSPF, RIP, SNMP, etc. by default. Also you don't need any policy to terminate BGP at the IPsec interface. Only if you terminate it at a loopback interface or other internal interfaces, you need to have a set of policies for BGP to come/go out of the inside interface.

mudasirmalik

I was on support with fortinet guys and the fortinet tech, who was really good at his work and he created BGP service. This also confused him a bit in start that we had BGP configured for local-in-policy(GUI).  I had to call support as 'set service BGP' did not work due to BGP not available. So, the tech guy created a new BGP service. Then, I was able to enter command 'set service BGP'
As stated earlier, BGP is used in conjuction with AWS and I was just worried if BGP running inside tunnel will not be impacted. Anyways, my main question got answered this morning when applying above config did not cause any issue to tunnel.

Sorry, I am not sure what do you mean by terminate(I have never seen this term, may be my knowledge is limited:)), I never know that BGP has an end point. Yes there are two things in Fortigate. One is security policy and other is local-in policy. Both will perform different functions. One will allow to pass traffic through interface and reject later by policy while the later will reject any inbound traffic(local-in).

Mudasir Malik
Mudasir Malik
Toshi_Esumi
SuperUser
SuperUser

I already forgot about what you were specifically working on and thought you added a policy with BGP in FW policy. Sorry about my confusion.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors