- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Route filtering with a distribution list
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Route filtering with a distribution list
Hello Community
Normally I'm using a prefix-list in combination with route-map to filter prefix advertisements when configuring BGP.
For fun and to expand my knowledge, I was looking into the docs article about 'Route filtering with a distribution list'.
Link: http://docs.fortinet.com/document/fortigate/7.2.7/administration-guide/170065/route-filtering-with-a...
In my lab I have 3 FortiGates, running v7.2.7.
FGT1, FGT2 and FGT3.
FGT2 and FGT3 have eBGP peering established with FGT1.
FGT1 receives prefixes from both FGT2 and FGT3 and advertises everything. FGT1 also advertises a local originating prefix.
For testing, I would like to try and use the distribution list on FGT1 towards FGT3. I would like to filter out only the prefix received from FGT2. The local prefix that FGT1 advertises, still needs to go to FGT3.
However I can't seem to get it to work.
My ACL matches the prefix from FGT2 with exact-match enabled and action set to deny.
If I set the ACL on the outbound distribution list towards FGT3, then no prefix at all is received.
Anyone using this in production that can share some more insight to the usage?
Kind regards
Solved! Go to Solution.
Kind regards
Labels:
- Labels:
-
FortiGate
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was curios just like you because I never used "config router access-list". So I tested it myself. And, looks like the document you referred to seems to have an error/missing part. In the ACL, until I added "permit the rest" below, it would deny everything with implicit deny at the end of ACL. After I configured like below, it denied 172.31.255.254/32 but allowed everything else.
config router access-list
edit "testACL1"
config rule
edit 1
set action deny
set prefix 172.31.255.254 255.255.255.255 <-- I used a loopback with a /32 IP
set exact-match enable
next
edit 2
set prefix any
next
end
next
end
I wouldn't use access-list unless I need to use Cisco-style wildcard like:
set wildcard 172.0.255.254 0.31.0.0
I don't think this can be done with prefix-list.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, this implicit deny behavior is consistent with Cisco's ACL. I remember when I locked up all customer traffic since I didn't put "permy ip any any" at the end on a Cisco router very long time ago. But cisco's case, all you need to do is to reboot the router unless you save the config already.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, for configuration purposes you can use the below link for reference:
FortiGate BGP configuration to announce specific routes and accept only a default route (prefix list...: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-BGP-configuration-to-announce-sp...
Security all we want
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was curios just like you because I never used "config router access-list". So I tested it myself. And, looks like the document you referred to seems to have an error/missing part. In the ACL, until I added "permit the rest" below, it would deny everything with implicit deny at the end of ACL. After I configured like below, it denied 172.31.255.254/32 but allowed everything else.
config router access-list
edit "testACL1"
config rule
edit 1
set action deny
set prefix 172.31.255.254 255.255.255.255 <-- I used a loopback with a /32 IP
set exact-match enable
next
edit 2
set prefix any
next
end
next
end
I wouldn't use access-list unless I need to use Cisco-style wildcard like:
set wildcard 172.0.255.254 0.31.0.0
I don't think this can be done with prefix-list.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, this implicit deny behavior is consistent with Cisco's ACL. I remember when I locked up all customer traffic since I didn't put "permy ip any any" at the end on a Cisco router very long time ago. But cisco's case, all you need to do is to reboot the router unless you save the config already.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Toshi_Esumi
Great finding!
I can relate this to prefix-lists also.
If for example I create a prefix-list, where the only rule entry is a ‘deny’ statement for a single prefix, then nothing gets through either, because of a ‘hidden’ implicit deny logic also.
I don’t think I would ever use this in production, as mentioned - I usually use prefix-list and route maps.
Kind regards
Kind regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you use it with a route-map the prefix-list or access-list can be used to just match specific prefixes and its action is decided at the route-map side. In that case, you don't have to allow the rest at the prefix-list side. You can add that part on the route-map side.
Since the route-map add one more layer on top of the prefix-list or access-list, it's more flexible to control the filtering behaviours including combining both prefix-lists and access-lists in one route-map.
Toshi
Related Posts
- Block/Filter routes from OSPF 1487 Views
- L2 VLAN Routing+Filtering 709 Views
- Trunk VLAN 3237 Views
- Webfilter URL Routing / PBR. What... 1514 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.