Using prefix lists and a route map to filter advertised BGP routes in FortiOS

Hello. This is my first post to this blog.

My situation: I have a Fortigate 60E running FortiOS 5.6.3 which is split into 2 VDOMs.

The root VDOM is connected to the Internet via a fast fibre connection while the Failover VDOM is connected via a slower VDSL. Each VDOM has an IPSEC tunnel established to a head office site and are both BGP neighbours with the head office. The VDOMs are also BGP neighbours over a VDOM link:

Capture

This is all pretty straight forward stuff but I wanted to block certain subnets from being advertised across the VDOM link and also down the IPSEC tunnels. For example the default route is not needed by the neighbour on the end of the IPSEC tunnel, and the network between the Failover VDOM and the VDSL modem is not needed by the root VDOM.

I started by trying to block just that 10.1.2.0/24 prefix being advertised to the root VDOM at Peer ID 10.1.2551 while allowing any other prefixes to be advertised.

I had a bit of a play around with access lists as per this article: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_BGP/Redistributing_Blocking_Routes.htm

However, I found doing so blocks all routes being advertised. I also tried the same with prefix lists and a distribute-list-out in the neighbour config and got the same result.

So.. at this point I logged a ticket with Fortinet support, and after a bit of back and forth with diagnostics etc and him sending me this link http://kb.fortinet.com/kb/viewContent.do?externalId=FD30432 and me getting the same result, I was told to contact my vendor to log a feature request.

Obviously that isn’t very helpful and I’m sure the device can do what I’m trying, so I spent a bit of time hacking away and got it with this:

# show router prefix-list
config router prefix-list
 edit "block-dmz"
 config rule
 edit 1
 set action deny
 set prefix 10.1.2.0 255.255.255.0
 unset ge
 unset le
 next
 edit 2
 set prefix 0.0.0.0 0.0.0.0
 unset ge
 set le 32
 next
 end
 next
end

 # show router route-map
config router route-map
 edit "block-only-dmz"
 config rule
 edit 1
 set match-ip-address "block-dmz"
 next
 end
 next
end

show router bgp
config router bgp
 set as 4200000001
 set router-id 10.1.255.2
 config neighbor
 edit "10.1.255.1"
 set soft-reconfiguration enable
 set remote-as 4200000000
 set route-map-out "block-only-dmz"
 set send-community6 disable
 next
 end
 config redistribute "connected"
 set status enable
 end
 config redistribute "rip"
 end
 config redistribute "ospf"
 end
 config redistribute "static"
 set status enable
 end
 config redistribute "isis"
 end
 config redistribute6 "connected"
 end
 config redistribute6 "rip"
 end
 config redistribute6 "ospf"
 end
 config redistribute6 "static"
 end
 config redistribute6 "isis"
 end
end

So, the solution was in the prefix list. Rule 1 denies the specific subnet, but unless the rest of the IPv4 range is defined afterwards (with implicit allow) then it blocks everything.

Rule 2 uses set le 32 to match the whole IPv4 range (that isn’t previously blocked by rule 1).

Now I can apply similar rules to the IPSEC neighbours.

 

2 Comments

  1. Hi there! I have a similar configuration that I’m trying to solve. I would like to filter out all incoming OSPF routes from my Cisco switch to the Fortigate EXCEPT for the default route. I cannot filter routes outbound on the Cisco switch so I have to filter inbound on the Fortigate. Would you say that having rule #1 be deny any and then rule #2 to allow 0.0.0.0/0.0.0.0 specifically be the way to do this?

    Thanks in advance!

    Like

    1. I’m sure you’ve figured this out by now, but in case not..

      Since I wrote this post I stopped working with Fortigates (in fact I stopped working with networks at all) so I can’t easily test, but I think you’re right, you firstly deny 0.0.0.0/0.0.0.0 with unset ge and set le 32, then your next rule is allow 0.0.0.0/0.0.0.0 unset ge unset le to match exactly the default route. That might not be exactly right, it’s possible the deny will overlap the rule underneath and you block everything, maybe the allow comes first then the block.

      Good luck.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s