Ciprian
New Contributor

Redistribution BGP in OSPF with filtering

Hello, I'm trying to do a redistribution of routes from BGP into OSPF, but not all the routes. The simplest is to match on the AS and only distribute those. So I try:

    config router aspath-list
        edit "MATCH-AS"
            config rule
                edit 1
                    set action permit
                    set regexp "41"
                next
            end
        next
    end
    config router route-map
        edit "RED-BGP2OSPF"
            config rule
                edit 1
                    set match-as-path "MATCH-AS"
                next
            end
        next
    end
    config router ospf
        config redistribute "bgp"
            set status enable
            set metric 50
            set routemap "RED-BGP2OSPF"
        end
    end

But no route is redistributed :( I've also tried to match a community set by BGP, and a tag... Any ideas?

Regards, Ciprian
emnoc
Esteemed Contributor III

Typically it's frowned upon to redistribute BGP into OSPF. But in your route-map, you're matching on AS_PATH; how about matching on prefix instead? e.g.

    config router prefix-list
        edit "mylist1"
            set comments "install prefixes that we want to pull in"
            config rule
                edit 1
                    set prefix 1.0.0.0 255.0.0.0
                    unset ge
                    unset le
                next
            end
        next
    end

and then in your route-map

    config router route-map
        edit "RED-BGP2OSPF"
            config rule
                edit 1
                    set match-ip-address mylist1
                next
            end

and so on.

PCNSE NSE StrongSwan
Ciprian
New Contributor

Thanks for the answer, and I did try with prefix and it worked (hope I don't mix the tests ok/ko), but the goal is to do the redistribution on something independent of the prefix, so I don't have to change it at each newly received route.

My setup is: from the Fortinet I peer with 2 providers in BGP, and with my internal network in OSPF. My network has two exit points, both with the same 2 providers. I want to do load balancing based on the providers. In one exit point I inject provider A into OSPF, in the other exit point I inject provider B. Also, of course, I inject a default route on both sides for redundancy/crash-of-one-provider.

Cheers, Ciprian
emnoc
Esteemed Contributor III

Then you should take this approach. I do this all of the time in the Cisco world, but never with a firewall, since we have numerous BGP speakers ahead of the firewall. The concept would be similar:

        edit "upstream"
            set type expanded
            config rule
                edit 1
                    set action permit
                    set regexp "3549:66001"
                next
                edit 2
                    set action permit
                    set regexp "1239:66002"
                next
                edit 3
                    set action permit
                    set regexp "174:66003"
                next
            end
        next
    end

and

    config router route-map
        edit "match-community"
            config rule
                edit 1
                    set match-community "upstream"
                next
            end
        next
    end

In the above I would tag the routes learned by gblx, sprint and cogent, and then any matches I would handle via my route-map/route-policies in my arena. So you might have to create and tag certain prefixes or maybe origination ASes.

In my setup, I tag all my routes from my upstream with an additive community, and then, for routes that I want to manipulate for selection (blackholes, policy routing, etc.), I add or swap communities and have a route-map (IOS) or route-policy (IOS-XR) make the decision on what's matched. This could be something as simple as local_pref, next-hop or, like in your scenario, route redistribution.

NOTE: If the firewall is directly connected to your upstream, you're going to have challenges unless you have the provider tag prefixes ahead and for you.

I hope that helps

PCNSE NSE StrongSwan
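
Added example, not part of any post in this thread: the aspath-list regexp "41" and the community-list regexps posted above contain no delimiters, so wherever such a filter does match it also accepts values such as AS 4100 or community 13549:66001. The Python below audits a regexp against a constructed route table, assuming the device applies it as an unanchored search over the space-separated attribute string; `SAMPLE_ROUTES`, `audit` and `bounded` are hypothetical names, and `bounded` is written in Python regex syntax, not FortiOS syntax.

```python
import re

# Constructed sample routes (not from the thread): prefix, AS path, communities.
SAMPLE_ROUTES = [
    {"prefix": "192.0.2.0/24",    "as_path": "41",        "community": "3549:66001"},
    {"prefix": "198.51.100.0/24", "as_path": "64500 41",  "community": "1239:66002"},
    {"prefix": "203.0.113.0/24",  "as_path": "64500 4100", "community": "174:66003"},
    {"prefix": "10.20.0.0/16",    "as_path": "141 64501", "community": "13549:66001"},
    {"prefix": "10.30.0.0/16",    "as_path": "64502",     "community": "3549:660010"},
]


def audit(regexp, wanted, field, routes=SAMPLE_ROUTES):
    """Return (hits, overmatches) for an unanchored regexp search.

    hits        -- prefixes whose attribute string the regexp matches
    overmatches -- hits where `wanted` is NOT present as a whole element,
                   i.e. routes the filter lets through by substring accident
    """
    pattern = re.compile(regexp)
    hits, over = [], []
    for route in routes:
        value = route[field]
        if pattern.search(value):
            hits.append(route["prefix"])
            if wanted not in value.split():
                over.append(route["prefix"])
    return hits, over


def bounded(token):
    """Python regex that matches `token` only as a whole space-separated element."""
    return r"(?:^|\s)" + re.escape(token) + r"(?:\s|$)"


if __name__ == "__main__":
    for field, token in (("as_path", "41"), ("community", "3549:66001")):
        for label, rx in (("as posted", token), ("bounded", bounded(token))):
            hits, over = audit(rx, token, field)
            print(f"{field} {label:9} hits={hits} overmatches={over}")
```
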
Ciprian
New Contributor

Thanks emnoc, and I do think in this way, and I have the same config, yours and mine, done with Cisco and Junipers, also with Fortinet but as a Level2 firewall, but with Fortinet Level3 ..... trying.

The solution proposed by you doesn't work either. I think that the process of redistribution is done with all the attributes stripped off, because nothing matches. I think that I ask too much from a "firewall box" :)

I can create another vdom/vrf, and chain another internal BGP peer and do the filtering there, and redistribute all the newly filtered routes into OSPF, but .... I like simple solutions :)

Cheers, Ciprian
Ciprian
New Contributor

Victory :) Long live the Metric attribute :)

On the BGP peer from the ISP:

    config router route-map
        edit "ISP1-IN"
            config rule
                edit 1
                    set set-metric 1000
                next
            end
        next
    end

On the redistribution BGP to OSPF:

    config router route-map
        edit "RED-BGP2OSPF"
            config rule
                edit 1
                    set match-metric 1000
                next
            end
        next
    end

But the strange thing is that this is not the final OSPF metric of the route.

Cheers, Ciprian
emnoc
Esteemed Contributor III

I don't think the metric transfers over from BGP to OSPF in that way. If you need to carry metrics over, then you will need to set this up in the redistribute map. Once again, trying to terminate a fw as a BGP speaker is going to introduce challenges. If you had the following:

    router>>>>>>>>>>>firewall

and redistribute BGP learned routes into BGP, that would be more workable. Just be careful on introducing BGP routes into another IGP.

PCNSE NSE StrongSwan