rmetzger (Staff)
Article Id 189725

Description

 

This article gives a configuration example of how to achieve the following with BGP:

  • Announce routes in BGP with network prefixes or redistribute policies.
  • Accept ONLY a default route from a BGP peer.


Scope


FortiGate or VDOM in NAT mode.


Diagram:


The following diagram is used to illustrate this example. The focus of the configuration is on FGT-1.

[Diagram: rmetzger_fd30432_bgp_announce_and_deny.JPG]

Expectations, requirements.

The requirements on FGT-1 are:

  • Announce 192.168.0.0/21 to the BGP peer FGT_ISP. For this example, 192.168.0.0/21 is a valid static route on FGT-1, but it could be any type of route.
  • Accept only the default route from the BGP peer FGT_ISP and deny all other updates.

 

FGT-1 configuration.

Only the relevant parts of the configuration are given. For more information about configuring BGP, see the related articles.
 
  1. To announce 192.168.0.0/21, there are two solutions:

    1. Based on a redistribute policy.

config router bgp
    config redistribute static
        set status enable
    end
end

'static' is used here because 192.168.0.0/21 is a static route; the redistribute policy must be adapted to the type of route in each situation. This will redistribute all static routes that are effectively present in the routing table.

    2. Based on network prefix:

config router bgp
    config network
        edit 1
            set prefix 192.168.0.0 255.255.248.0
        next
    end
end
 
With this option, as with the redistribute policy, the FortiGate looks for an exactly matching route in the routing table before advertising it. The prefix must first be installed in the RIB, either as a static route, as a directly connected network, or as a route learned from another dynamic routing protocol. This is not a FortiOS design choice but how the BGP protocol works.

Note that using the 'config network' method will advertise the NLRI with the origin type of incomplete.

  2. To accept only the default route from the BGP peer FGT_ISP.

First create a prefix list that matches ONLY the default route, then a route map that references this prefix list, and finally apply the route map to the BGP peer in the inbound direction (route-map-in). Updates that match no rule of the route map are dropped, which is what denies all the other prefixes received from the peer.
 
config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end

config router bgp
    set as 2
    config neighbor
        edit 10.142.0.110
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
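As an added example (not part of the original article), the following Python script emulates the 'only_dflt' prefix-list rule against the BGP routes seen in the "before" routing table further down, so the effect of leaving ge and le unset can be checked offline. The routing-table sample is constructed from that output, and the ge/le semantics (exact prefix length when both are unset) are assumed to follow the usual prefix-list behaviour.

```python
"""Emulate the 'only_dflt' prefix-list rule and apply it to the BGP routes that
FGT-1 learned from FGT_ISP, to show which updates the inbound route map admits."""
import ipaddress
import re

# Constructed sample: BGP and static lines from the FGT-1 routing table shown
# in this article, before the route map was applied.
BEFORE_TABLE = """\
B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:02:18
B       1.1.1.1/32 [20/0] via 10.142.0.110, wan1, 00:02:18
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
B       10.160.0.0/23 [20/0] via 10.142.0.110, wan1, 00:02:18
B       192.168.0.0/16 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
B       192.168.168.0/24 [20/0] via 10.142.0.110, wan1, 00:02:18
"""

# Lines of 'get router info routing-table all' that carry a next hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\*?\s+(?P<prefix>\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(?P<nh>[\d.]+),"
)

def bgp_routes_from(table, neighbor):
    """Prefixes (as strings) learned via BGP from the given neighbor address."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group("code") == "B" and m.group("nh") == neighbor:
            routes.append(m.group("prefix"))
    return routes

def prefix_rule_matches(route, prefix, netmask, ge=None, le=None):
    """Assumed prefix-list semantics: the route must lie inside prefix/netmask and
    its length must satisfy ge/le; with both unset, only the exact length matches."""
    net = ipaddress.ip_network(route)
    base = ipaddress.ip_network(f"{prefix}/{netmask}")
    if not net.subnet_of(base):
        return False
    if ge is None and le is None:
        return net.prefixlen == base.prefixlen
    low = ge if ge is not None else base.prefixlen
    high = le if le is not None else net.max_prefixlen
    return low <= net.prefixlen <= high

def accepted_by_rule(table, neighbor, ge=None, le=None):
    """Routes from the neighbor that rule 'prefix 0.0.0.0 0.0.0.0' would admit.
    Caveat: adding 'le 32' to that rule turns it into match-anything."""
    return [r for r in bgp_routes_from(table, neighbor)
            if prefix_rule_matches(r, "0.0.0.0", "0.0.0.0", ge, le)]
```

Running accepted_by_rule(BEFORE_TABLE, "10.142.0.110") returns only 0.0.0.0/0, while the same call with le=32 returns all five prefixes received from the peer.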


Verification.
Verification on FGT-1 before implementing the route map.

 

FGT-1 (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:02:18
B       1.1.1.1/32 [20/0] via 10.142.0.110, wan1, 00:02:18
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:02:23
C       10.142.0.0/23 is directly connected, wan1
B       10.160.0.0/23 [20/0] via 10.142.0.110, wan1, 00:02:18
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
B       192.168.0.0/16 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
B       192.168.168.0/24 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2

 

Verification on FGT-1 after implementing the route map.

 

FGT-1 (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:05:58
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:06:03
C       10.142.0.0/23 is directly connected, wan1
O       10.160.0.0/23 [110/200] via 10.161.0.2, Inter-vdom10, 00:05:39
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2


Verification of routes received on FGT_ISP.

 

FGT_ISP (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port1
S       1.1.1.1/32 [10/0] via 192.168.183.254, port1
C       10.142.0.0/23 is directly connected, port6
C       10.160.0.0/23 is directly connected, port2
S       192.168.0.0/16 [10/0] via 192.168.183.254, port1
B       192.168.0.0/21 [20/0] via 10.142.0.205, port6, 00:09:01
S       192.168.168.0/24 [10/0] via 192.168.183.254, port1
C       192.168.182.0/23 is directly connected, port1

 

Related articles:

Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-...

Technical Note: How to implement BGP route summary (aggregation) on a FortiGate

Technical Note: Static NAT VIP accessible from 2 external interfaces with E-BGP peerings (dual-homin...

Technical Note: FortiGate BGP configuration to announce only a default static route (prefix list an...