- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- BGP advertise default and as path prepending
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BGP advertise default and as path prepending
Hi,
Question: Is it possible to do as path prepending for default route advertised using capability-default-originate enable?
We have a setup with 2 Fortigates connected southbound to APN on Mobile Network, and northbound to the internet.
Towards the APN BGP is used, and the Fortigate must always advertise default route to APN, regardless whether the northbound internet connection is up or down. For this I can use set capability-default-originate in BGP configuration.
config router bgp set as 65534 set router-id 1.2.3.4 set keepalive-timer 10 set holdtime-timer 30 config neighbor edit "1.2.3.5" set bfd enable set capability-default-originate enable
Furthermore we would like to use as path prepending on one Fortigate in order to steer the traffic to the other Fortigate. For this I can use set-aspath in route-map configuration.
config router prefix-list edit "only_dflt" config rule edit 1 set prefix 0.0.0.0 0.0.0.0 unset ge unset le next end next
config router route-map edit "only_dflt_route" config rule edit 1 set match-ip-address "only_dflt" set set-aspath "65534 65534 65534" next end next
However this as-path prepending works if I redistribute the static default route into bgp using:
config router bgp
config redistribute "static" set status enable end
Showing advertised route:
FG02 # get router info bgp neighbors 1.2.3.5 advertised-routes BGP table version is 42, local router ID is 1.2.3.4 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight RouteTag Path *> 0.0.0.0/0 1.2.3.5 32768 0 65534 65534 65534 ? Total number of prefixes 1
But if I don't do this and advertise default using capability-default-originate enable there is no as-path prepending performed.
Showing advertise routes:
FG02 # get router info bgp neighbors 1.2.3.5 advertised-routes BGP table version is 42, local router ID is 1.2.3.4 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight RouteTag Path *> 0.0.0.0/0 1.2.3.5 100 32768 0 i Total number of prefixes 1
Is there a way to do as-path prepending in combination with capability-default-originate?
Best Regards!
Arjan
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you can do what you want to do. But I don't understand why you have to use capability-default-originate while you have a static default route in the routing-table. The default-originate is useful, FortiGates or any other routers, when a default route doesn't exist or regardless its existence, redirect all non-specific traffic from neighbors toward itself.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed, How are you learning the default 0.0.0.0/0 if it's from a IGP as soon as that route goes away that route would be flushed
if you have a bgp peer with more than 1 source of a 0.0.0.0/0 just have them use route-map and set loclpreference on what route they want active in the BGP table. That's how I've always done it in the last 15 years or so
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answers!
The other party is only accepting default route, i.e. there are no more specific routes for the local servers. Advertising default using capability-default-originate decouples the advertisement of default from the state of the default route to the Internet and reduces the risk of breaking the connectivity to local servers from the other party.
Was looking for a way to configure as-path prepending, couldn't find it, apparently it is not possible.
Arjan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could set a route-map for your default originate setting, in that you can configure the as-path prepending:
default-originate-routemap
Check this KB article out, there it's explained and why it's not working with a usual route-map in the BGP neighbor:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45618
Related Posts
- Azure Fortinet and Default route 168 Views
- Source IP for Central Management v7.4 639 Views
- Looking for best solution to migration... 234 Views
- Route selection with BGP not... 3996 Views
- BGP default route from RIB 767 Views
Labels
-
FortiGate
6,491 -
FortiClient
1,295 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.