Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mcenroe

Route-Map rule evaluation

Hi, 

I have a question about route-map rule evaluation. The online CLI reference says:

"When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed"

To me this means that, if you have a route-map with 2 match rules, both rules must match in order for the routing info to change. But the behavior is not like that: if I set a route-map with 2 rules and 1 of these is not matching, the second rule is processed.

I need a mechanism to define two rules where, if the first is not matched, the second one is ignored: are route-maps the best way to do this?

 

Thank you,

Roberto

2 replies
HugoFarquharSelfe

Hi Roberto

 

I think you can achieve what you want, but the CLI reference description is not very clear.  What it means is that for any single rule that has multiple match statements, there is a logical AND on all the matches.  You can have multiple rules on a route-map, and the rules are applied sequentially until either a rule evaluates to true or the end of the route-map is reached, evaluating to false.  

 

What you seem to be asking for is a policy where you can explicitly deny based on not matching a rule.  I'm not sure that's possible, but usually you can reformulate the logic so that you put all the requirements for explicitly matching parameters in prior order in the route-map, then you can explicitly deny what you need to and finally, perhaps, have a default permit.

 

So, for instance, if you wanted to specifically deny some combinations of port and metric, then allow anything else on the same ports before denying by default, you could do this:

config router route-map
    edit "test-map"
        config rule
            edit 1
                set match-interface "port1"
                set match-metric 1000
                set action deny
            next
            edit 2
                set match-interface "port2"
                set match-metric 1000
                set action deny
            next
            edit 3
                set match-interface "port1"
                set action permit
            next
            edit 4
                set match-interface "port2"
                set action permit
            next
            edit 5
                set action deny
            next
        end
    next
end

 

parks_rec

I know this is an older post, and maybe things have changed since this question was originally asked, but you can have a rule with "set action deny", which will stop processing in a route-map.

 

For instance:

config router prefix-list
    edit "deny_list"
        config rule
            edit 1
                set prefix 10.0.0.0 255.255.255.0
                unset ge
                set le 32
            next
        end
    next
end
config router route-map
    edit "bgp_filter"
        config rule
            edit 1
                set action deny
                set match-ip-nexthop "deny_list"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
            edit 2
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

 

For any BGP neighbors that have "set route-map-out bgp_filter", the above would stop any outbound advertisements whose next-hop IP is in the 10.0.0.0/24 subnet (rule #1 in the route-map), and everything else would be allowed (rule #2 in the route-map).

 

As I understand the route-map rules: they are processed sequentially until either an allow or a deny is hit. If a rule doesn't specifically deny (such as #2 above), it is set to allow by default.

If a route doesn't meet any of the rules' match-* criteria, or you don't have a catch-all (such as above), the FortiGate will deny it by default.
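The evaluation order both replies describe (every match-* clause inside one rule must hold, the first rule that matches decides, a route matching no rule is dropped) can be checked against the thread's own configurations with a small model. This is an added example written for this page, not code from the posters or from Fortinet: it loads the "test-map" from the first reply and the "deny_list"/"bgp_filter" from the second, then evaluates a few constructed routes. The `Rule`/`PrefixRule` classes and the route fields (interface, metric, nexthop) are this example's own simplification of the FortiOS CLI, not its data model.

```python
"""Model of FortiGate route-map evaluation as described in the thread (added example).

  * rules are tried in ascending sequence number;
  * within one rule every match-* clause must be true (logical AND);
  * the first rule whose clauses all match decides; later rules are not consulted;
  * a rule with no match-* clauses matches everything (catch-all);
  * a route matching no rule is denied (the implicit deny at the end).
Field names and classes are this example's simplification, not the FortiOS data model.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class PrefixRule:
    """One entry of 'config router prefix-list': a prefix plus optional ge/le bounds."""
    prefix: str                 # e.g. "10.0.0.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net) -> bool:
        base = ip_network(self.prefix)
        low = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = base.max_prefixlen if self.ge is not None else base.prefixlen
        return net.subnet_of(base) and low <= net.prefixlen <= high


@dataclass
class Rule:
    """One 'edit N' under 'config rule' of a route-map."""
    seq: int
    action: str = "permit"      # FortiOS default when 'set action' is not given
    match_interface: Optional[str] = None
    match_metric: Optional[int] = None
    match_ip_nexthop: Optional[List[PrefixRule]] = None   # the referenced prefix-list

    def matches(self, route: dict) -> bool:
        # Every configured match-* clause must hold (AND); unset clauses are ignored.
        if self.match_interface is not None and route["interface"] != self.match_interface:
            return False
        if self.match_metric is not None and route["metric"] != self.match_metric:
            return False
        if self.match_ip_nexthop is not None:
            nexthop = ip_network(route["nexthop"] + "/32")   # next-hop is a host address
            if not any(p.matches(nexthop) for p in self.match_ip_nexthop):
                return False
        return True


def evaluate(route_map: List[Rule], route: dict):
    """Return (action, seq) of the first matching rule, or ("deny", None) when no
    rule matched, which is the implicit deny at the end of a route-map."""
    for rule in sorted(route_map, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action, rule.seq
    return "deny", None


# "test-map" from the first reply.
TEST_MAP = [
    Rule(1, "deny", match_interface="port1", match_metric=1000),
    Rule(2, "deny", match_interface="port2", match_metric=1000),
    Rule(3, "permit", match_interface="port1"),
    Rule(4, "permit", match_interface="port2"),
    Rule(5, "deny"),                                  # explicit catch-all
]

# "deny_list" and "bgp_filter" from the second reply.
DENY_LIST = [PrefixRule("10.0.0.0/24", le=32)]       # 10.0.0.0/24 with lengths 24..32
BGP_FILTER = [
    Rule(1, "deny", match_ip_nexthop=DENY_LIST),
    Rule(2),                                          # no match-*: permits everything else
]

# Constructed sample routes for the demonstration (not taken from the thread).
ROUTES = {
    "port1 metric 1000": {"interface": "port1", "metric": 1000, "nexthop": "192.0.2.1"},
    "port1 metric 500":  {"interface": "port1", "metric": 500,  "nexthop": "192.0.2.1"},
    "port3 metric 1000": {"interface": "port3", "metric": 1000, "nexthop": "192.0.2.1"},
    "nexthop 10.0.0.5":  {"interface": "port1", "metric": 0,    "nexthop": "10.0.0.5"},
    "nexthop 192.0.2.1": {"interface": "port1", "metric": 0,    "nexthop": "192.0.2.1"},
}


def demo():
    """Evaluate every sample route against both route-maps; keyed by (map, route)."""
    results = {}
    for name, route in ROUTES.items():
        results[("test-map", name)] = evaluate(TEST_MAP, route)
        results[("bgp_filter", name)] = evaluate(BGP_FILTER, route)
    return results


if __name__ == "__main__":
    for (rmap, name), (action, seq) in demo().items():
        print(f"{rmap:>10} | {name:<18} -> {action} (rule {seq})")
```

The "port1 metric 500" case is the behaviour the original question observed: rule 1 fails on the metric clause (the AND inside that rule), so evaluation simply continues and rule 3 permits the route. Dropping rule 5 from "test-map" shows the implicit deny: a port3 route then matches nothing and comes back as ("deny", None).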
