Route map doesn't filter OSPF routes
Hi all!
I have a simple scenario where 2 FortiGates connect to area 0 using a point-to-point OSPF network and a /30 IPv4 network.
One distributes connected routes and the other receives them. I would like to filter some of those routes using a route map with an ACL, but when I apply it the routes are not filtered.
I have created 2 ACLs, one used to filter one network and another used to permit all the rest of the traffic. Finally, a route map with these 2 ACLs.
config router access-list
    edit "ACL_OSPF_DENY"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ACL_OSPF_PERMITANY"
        config rule
            edit 1
                set prefix any
                set exact-match enable   <-- without this command it doesn't work either
            next
        end
    next
end
config router route-map
    edit "RM-OSPF"
        config rule
            edit 1
                set action deny
                set match-ip-address "ACL_OSPF_DENY"
            next
            edit 2
                set match-ip-address "ACL_OSPF_PERMITANY"
            next
        end
    next
end
If I get the OSPF routes after having applied the route map (using the GUI), the 192.168.1.0 network is still there. I have tried several ways but the route map doesn't filter the route. Could you help me please? What am I doing wrong?
Thanks!!
Thanks for your help, you are right. The route is filtered before it enters the RIB. For me that is a good option because I need to filter it to avoid routing problems. There is no problem if the route is in the OSPF database. We are talking about 192.168.116.0 in my test lab:
FortiGate-VM64-KVM # get router info routing-table ospf
Routing table for VRF=0
O 10.127.0.0/30 [110/2] via 192.168.204.1, port3, 00:08:32
FortiGate-VM64-KVM # get router info ospf route
E2 192.168.116.0/24 [1/10] via 192.168.204.1, port3
The only thing I have to think about is whether I should create a new area between these 2 firewalls, just for security reasons and to pass on less information, because the firewall (internal) that sends the routes to the other one (external FW) is connected to area 0 with a lot of routers. In any case, we are talking about firewalls and no one will be able to use that OSPF information if I keep everything connected to area 0.
Thanks!!!
No. That idea wouldn't work with only two routers/neighbors. If a third router is in between, you can split the area at the third one/ABR to bridge between two areas. Neighbors can talk to each other directly only in the same area.
With your concern, as I said originally, you can filter out those unwanted routes from advertisement on the source side before they enter the OSPF domain, so that the source router/FGT won't be able to advertise them to the other end over OSPF.
You can use the same route-map on the source FGT as well, like below:
config router ospf
    config redistribute connected    (or static)
        set status enable
        set routemap <filtering-routemap>
    end
end
Toshi
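To make the two points of this thread concrete (an inbound filter on the receiving FortiGate keeps the route out of the RIB but not out of the OSPF database, a filter on redistribution at the source keeps it out of the OSPF domain altogether, and exact-match changes which prefixes an access-list rule covers), here is an added Python model of how the route-map and access-lists are evaluated. It is not FortiOS code and not from anyone in the thread. It assumes FortiOS semantics as generally documented: first matching access-list rule wins with an implicit deny, a route-map rule applies when its access-list permits the route, and with exact-match disabled a rule also covers more-specific subnets of its prefix. The connected prefixes 192.168.1.128/25 and 10.0.5.0/24 are constructed sample input.

```python
"""Model of route-map + access-list evaluation and of where the filter takes
effect (source redistribution vs. receiver inbound).  Added example for this
thread; it is a simulation, not FortiOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclRule:
    """One 'config rule' entry of 'config router access-list'."""
    prefix: str                 # "any" or "192.168.1.0/24"
    exact_match: bool = False   # 'set exact-match enable'
    action: str = "permit"      # default action of an access-list rule

    def matches(self, route: Net) -> bool:
        if self.prefix == "any":
            return True
        acl_net = ipaddress.ip_network(self.prefix)
        if self.exact_match:
            return route == acl_net
        # Assumption: without exact-match the rule also covers more-specific
        # subnets of the prefix (e.g. 192.168.1.128/25 under 192.168.1.0/24).
        return route.subnet_of(acl_net)


def acl_permits(rules: List[AclRule], route: Net) -> bool:
    """First matching rule wins; a route that matches nothing is denied."""
    for rule in rules:
        if rule.matches(route):
            return rule.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapRule:
    """One 'config rule' entry of 'config router route-map'."""
    action: str      # 'set action permit|deny'
    match_acl: str   # 'set match-ip-address <access-list>'


def route_map_permits(rm: List[RouteMapRule], acls: Dict[str, List[AclRule]],
                      route: Net) -> bool:
    """A route-map rule applies when its access-list permits the route; the
    first applicable rule decides, and no applicable rule is an implicit deny."""
    for rule in rm:
        if acl_permits(acls[rule.match_acl], route):
            return rule.action == "permit"
    return False


def ospf_domain(connected: List[str], acls: Dict[str, List[AclRule]],
                src_rm: Optional[List[RouteMapRule]],
                dst_rm: Optional[List[RouteMapRule]]) -> Tuple[List[str], List[str]]:
    """Return (lsdb, rib) as seen on the receiving FortiGate.
    src_rm: route-map on 'config redistribute connected' of the source router,
            applied before the prefix enters the OSPF domain.
    dst_rm: inbound filter on the receiver, applied between LSDB and RIB, so a
            prefix it drops is still present (and flooded) in the database."""
    nets = [ipaddress.ip_network(n) for n in connected]
    lsdb = [n for n in nets if src_rm is None or route_map_permits(src_rm, acls, n)]
    rib = [n for n in lsdb if dst_rm is None or route_map_permits(dst_rm, acls, n)]
    return [str(n) for n in lsdb], [str(n) for n in rib]


# The thread's configuration, transcribed (exact-match on the deny list).
ACLS = {
    "ACL_OSPF_DENY": [AclRule("192.168.1.0/24", exact_match=True)],
    "ACL_OSPF_PERMITANY": [AclRule("any")],
}
RM_OSPF = [RouteMapRule("deny", "ACL_OSPF_DENY"),
           RouteMapRule("permit", "ACL_OSPF_PERMITANY")]

# Constructed sample: connected routes on the source FortiGate.
CONNECTED = ["192.168.1.0/24", "192.168.1.128/25", "10.0.5.0/24"]


def inbound_only() -> Tuple[List[str], List[str]]:
    """Filter only on the receiver: /24 leaves the RIB but stays in the LSDB."""
    return ospf_domain(CONNECTED, ACLS, None, RM_OSPF)


def source_side() -> Tuple[List[str], List[str]]:
    """Filter at redistribution: /24 never enters the OSPF domain."""
    return ospf_domain(CONNECTED, ACLS, RM_OSPF, None)


def inbound_without_exact_match() -> Tuple[List[str], List[str]]:
    """Same inbound filter, exact-match disabled: the /25 inside the /24 is dropped too."""
    acls = dict(ACLS, ACL_OSPF_DENY=[AclRule("192.168.1.0/24", exact_match=False)])
    return ospf_domain(CONNECTED, acls, None, RM_OSPF)


if __name__ == "__main__":
    for name, fn in [("inbound only", inbound_only), ("source side", source_side),
                     ("inbound, no exact-match", inbound_without_exact_match)]:
        lsdb, rib = fn()
        print(f"{name:24s} LSDB={lsdb}  RIB={rib}")
```

Running it shows the difference the thread discusses: with the inbound filter, 192.168.1.0/24 is absent from the RIB but still listed in the LSDB, whereas filtering on redistribute keeps it out of both. The third case shows why exact-match matters when more-specific subnets of the denied prefix exist.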
Thanks Toshi,
I have tried some options, using area 0 or creating a new area between those 2 firewalls and the new point-to-point link. Finally I'm going to put them all in area 0. It's a good option for what I want and it works perfectly.
