I'm having trouble applying a route map to stop a FortiGate 201E from advertising certain connected subnets via BGP.
In my examples below I've only shown one prefix. I actually have 6 I want to stop advertising. I also want this FGT to continue advertising the default route.
I've tried a prefix list with the deny action set on the rules, and applying the route map to the neighbor, like this
config router prefix-list
edit "ISP_allowed_eBGP"
config rule
edit 1
set action deny
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
edit 2
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next
end
end
config router route-map
edit "ISP_allowed_eBGP_route_map"
config rule
edit 1
set match-ip-address "ISP_allowed_eBGP"
next
end
next
end
conf router bgp
config neighbor
edit "10.10.10.189"
set route-map-out "ISP_allowed_eBGP_route_map"
next
end
end
I also tried creating 2 separate prefix lists and setting the deny action on the rules within the route map, like this:
config router prefix-list
edit "ISP_deny_eBGP"
config rule
edit 1
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
end
next
edit ISP_permit_eBGP
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next
end
next
end
config router route-map
edit "ISP_allowed_eBGP_route_map"
config rule
edit 1
set match-ip-address ISP_deny_eBGP
set action deny
next
edit 2
set match-ip-address ISP_permit_eBGP
set action permit
next
end
next
end
config router bgp
config neighbor
edit "10.10.10.189"
set route-map-out "ISP_allowed_eBGP_route_map"
next
end
end
Both of these attempts failed. "get router info bgp neighbors 10.10.10.189 advertised-routes" shows that 10.10.10.184/29 is still being advertised.
Something I didn't try yet is putting the route map under the redistribute connected config, like this:
config redistribute "connected"
set status enable
set route-map "ISP_allowed_eBGP_route_map"
end
Is that the correct approach? If so, why would that work and not the other 2 attempts? Please help me to understand what I've done wrong and the correct approach to achieve what I want.
Thanks in advance.
You have 3 ways (with slight variations) of achieving this:
1. set prefix-list-out <name of the prefix list>
NOTE: It is a common practice to use "allow" only statements in prefix-lists when you later use them in a route-map.
You may find more examples in my post: https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/
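The prefix-list-out variant named above, written out as an added example (not from the original post) against the neighbor and /29 used in this thread: the unwanted connected subnets get explicit deny rules, a final permit-any keeps the default route and the remaining connected prefixes going out, and the clear and verification commands mentioned later in the thread follow. The prefix-list name "ISP_eBGP_out" is an assumption.

```text
# Added example, not from the original post. Name "ISP_eBGP_out" is assumed.
config router prefix-list
    edit "ISP_eBGP_out"
        config rule
            edit 1
                # exact /29 match: no ge/le, so longer or shorter prefixes are not caught
                set action deny
                set prefix 10.10.10.184 255.255.255.248
                unset ge
                unset le
            next
            # rules 2-6 for the other five subnets follow the same shape (omitted here)
            edit 7
                # catch-all so 0.0.0.0/0 and the other connected prefixes are still advertised
                set action permit
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
config router bgp
    config neighbor
        edit "10.10.10.189"
            # filter applied directly to the outbound UPDATEs for this peer
            set prefix-list-out "ISP_eBGP_out"
        next
    end
end
# push the new outbound policy to the peer, then confirm 10.10.10.184/29 is gone
execute router clear bgp ip 10.10.10.189
get router info bgp neighbors 10.10.10.189 advertised-routes
```

With this approach the subnets still enter the local BGP table (they are only held back toward this peer), whereas the redistribute-connected route-map keeps them out of BGP altogether.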
Did you clear the bgp router process after applying the route-map?
I would do a diag debug and gather details
e.g.
diag ip router bgp updates out en
diag debug enable
Ken Felix
PCNSE
NSE
StrongSwan
For the first one, edit 2 is questionable. I would set it like below:
edit 2
set prefix any
unset ge
unset le
next
edit 1 looks fine. At least that's what I did for some cases and worked.
Thanks for your advice. I would have thought that
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
is functionally equivalent to
set prefix any
unset ge
unset le
But the latter is certainly simpler. I'll give it a go.
Thanks Ken. I did not clear BGP although I did wait a few minutes. I'll reapply the config tonight and try "execute router clear bgp all out", which I assume should have the required effect. I'll enable debugging before applying the config too.
Do you have any advice on the correct approach to the route map, please? Would I set the deny action on the prefix list rule, or on the rule in the route map? Or both? And would I apply the route map to the neighbor, or apply it under the "config redistribute..." section (in my case it would be under redistribute connected)?
One more thing. I wouldn't apply the route-map to the BGP neighbor clause, but to the redistribute connected clause, so the prefixes do not go into the BGP domain at all.
Thank you everyone who offered advice here. What I ended up doing was creating a prefix list containing the routes I didn't want advertised (example below shows 1, but in reality I have 6), and a separate prefix list with a catch all (as I still want to advertise the default route):
config router prefix-list
edit "ISP_deny_eBGP"
set comments "see SR #382641"
config rule
edit 1
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
end
next
edit "ISP_permit_eBGP"
config rule
edit 1
unset ge
set le 32
next
end
next
end
Then created a route map with the applicable allow and deny actions:
config router route-map
edit "ISP_allowed_eBGP_route_map"
set comments "see SR #382641"
config rule
edit 1
set action deny
set match-ip-address "ISP_deny_eBGP"
next
edit 2
set match-ip-address "ISP_permit_eBGP"
next
end
next
end
Then I added the route map to the redistribute static config:
config router bgp
config redistribute "connected"
set status enable
set route-map "ISP_allowed_eBGP_route_map"
end
end
I did previously try adding the map to the neighbor using "set route-map-out" as per your example, but it didn't seem to work. Possibly though that is because I didn't wait long enough, and didn't know about "execute router clear bgp all out", to clear out the route table. Regardless, the above config achieved exactly what I want.
Hello,
Don't forget that when you perform configuration changes on a BGP neighbor, you have to restart the connection with the peer, unless "soft-configuration" is enabled. Example: exec router clear bgp ip x.x.x.x. You can also check which prefixes are sent to the BGP peer using get router info bgp neighbors x.x.x.x advertised-routes.
Best regards, Benoit