- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Local in policy for BGP in regards to AWS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Local in policy for BGP in regards to AWS
Hi all,
We have local-in policy to allow all for bgp. I know we can set local-in policy to disable port 179 as follows:
config firewall local-in-policy
edit 1
set intf wan1
set scraddr all
set dstaddr all
set action deny
set service BGP
set schedule always
end
I have a couple of questions. I am coming from PA deployed in a very small office, so sorry if sound bit silly.
1. How to know if I change config in 'edit 1', I am not changing any other policy already there.
2. We have VPN with AWS going from WAN1. The inside tunnel address configured in VPN is used for BGP. AWS config here uses BGP(inside tunnel IP) for VPN to work. If I apply above local-in policy will it not affect VPN tunnel between fortigate and AWS.
We are using Fortigate version 6.4.0
Thanks.
Mudasir Malik
Mudasir Malik
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you mean with No.1 "How to know...". You just need to change in "edit 1" then hit "next" (not "end"), and then "show" to check the result of your change. Or even before hitting "next", you can do "show".
BGP over the tunnel goes through the tunnel interface, which is automatically created when you configured the phase1-interface. Not over wan1 interface. So your deny statement in the local-in-policy wouldn't apply to the BGP with AWS. By default, BGP is allowed all interfaces including those tunnel/logical interfaces.
Toshi
Created on 01-19-2022 04:29 AM Edited on 01-19-2022 04:33 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot Toshi.
I was wondering to check if something is already configured at 'edit 1'. Although, I ran through running-config and don't see any local-in policy at all but in GUI, I can see we have many local-in policies.
i was just curious as I know when I was working with ASA, you have specific command that will not apply any firewall policy on tunnel interface. looks like there is none in fortigate and tunnel inside IP is not considered on WAN interface. I will try to disable all bgp traffic for WAN port next week and see how it goes.
I guess to revert back I donot delete edit 1 instead change it to
config firewall local-in-policy
edit 1
set intf wan1
set scraddr all
set dstaddr all
set action allow
set service BGP
set schedule always
end
or do you think deleting edit 1 is the best way.
Thanks a lot
Mudasir Malik
Mudasir Malik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I said by default BGP is allowed on any interfaces. An "allow" local-in-policy is only meaningful when it's placed before a "larger" deny policy, so that it's allowed only with the condition while most of, if not all, others are denied.
Your case, nothing would be different for the behavior of the FGT. I would simply remove it and start from scratch to avoid future confusion or cluttering.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case someone is looking for an answer. Applied local-in-policy and it did not impact the tunnel. The only issue was that we never had BGP, so we had to create a new Service for BGP by going into Policy&Objects -> Services as without doing this you will not be able to run 'set service BGP' command.
Mudasir Malik
Mudasir Malik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BGP should be in pre-configured services like DNS, OSPF, RIP, SNMP, etc. by default. Also you don't need any policy to terminate BGP at the IPsec interface. Only if you terminate it at a loopback interface or other internal interfaces, you need to have a set of policies for BGP to come/go out of the inside interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was on support with fortinet guys and the fortinet tech, who was really good at his work and he created BGP service. This also confused him a bit in start that we had BGP configured for local-in-policy(GUI). I had to call support as 'set service BGP' did not work due to BGP not available. So, the tech guy created a new BGP service. Then, I was able to enter command 'set service BGP'
As stated earlier, BGP is used in conjuction with AWS and I was just worried if BGP running inside tunnel will not be impacted. Anyways, my main question got answered this morning when applying above config did not cause any issue to tunnel.
Sorry, I am not sure what do you mean by terminate(I have never seen this term, may be my knowledge is limited:)), I never know that BGP has an end point. Yes there are two things in Fortigate. One is security policy and other is local-in policy. Both will perform different functions. One will allow to pass traffic through interface and reject later by policy while the later will reject any inbound traffic(local-in).
Mudasir Malik
Mudasir Malik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already forgot about what you were specifically working on and thought you added a policy with BGP in FW policy. Sorry about my confusion.
Related Posts
- access problems towards vpn s2s 29 Views
- Setting SSL/SSH inspection profile causes most... 67 Views
- Multiple phase 2 selectors needed for... 100 Views
- Split Tunnel with SSL VPN and... 75 Views
- BGP Peering - My Fortigate -... 127 Views
Labels
-
FortiGate
6,490 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.