to perform some tests safely on a FortiGate (FortiOS 6.4) doing BGP i was trying to setup a prefix-list that denies all prefixes and apply that the BGP neighbour section via set prefix-list-in / set prefix-list-out.
as a prefix-list contains a implicit deny at the end i was expecting an "empty" one would be enough.
config router prefix-list
edit "deny-all"
set comments "deny all prefixes"
next
end
but this doesn't deny anything until i add a rule for dummy prefix with the deny action. then it behaves like i wanted to.
anyone that knows / can confirm a rule for a dummy prefix with deny action is required here?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I don't think "implicit deny" is a correct term to describe prefix-list's default behavior. It implicitly doesn't match anything unless you explicitly specify. Implicit deny is regularly used to describe the behavior of route-maps. Was there in any documentation you've read?
You just need to test it to verify the default behavior, which you already found out a half of it yourself.
<edit>
The test result you've got is because if you create a prefix-list it's "permit" by default as in my example. That's why the specific prefix was allowed but anything else was denied.
</edit>
Toshi
You have to match all fixes by "set prefix any" otherwise it does capture anything to "deny".
Below is ours matching everything but "permit" them. This one is used for our case to deny everything with a route-map referring this prefix-list. In your case you need "set action deny" instead.
config router prefix-list
edit "ALL-Routes"
config rule
edit 1
set prefix any
unset ge
unset le
next
end
next
end
Toshi
thanks Toshi, but isn't there a implicit deny for prefix any at the end of the prefix-list?
when i add some entry (say for 1.2.3.4 255.255.255.255) it will deny everything else, so then the implicit deny acts right? but without any rules it doesn't filter, although the implicit deny should be there then right?
I don't think "implicit deny" is a correct term to describe prefix-list's default behavior. It implicitly doesn't match anything unless you explicitly specify. Implicit deny is regularly used to describe the behavior of route-maps. Was there in any documentation you've read?
You just need to test it to verify the default behavior, which you already found out a half of it yourself.
<edit>
The test result you've got is because if you create a prefix-list it's "permit" by default as in my example. That's why the specific prefix was allowed but anything else was denied.
</edit>
Toshi
>> I don't think "implicit deny" is a correct term to describe prefix-list's default behavior.
yeah, that seems to be the case. i think i read this somewhere but dont have a source currently, perhaps it is the mix up with route map.
i was looking for some confirmation and got that now, thank you.
• If the prefix list is empty, all prefixes are permitted.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.