Sometimes it is necessary to stop dynamically learned routes from being advertised into your network. On the FortiGate platform you can do this with router access lists and router prefix lists: router access lists filter OSPF routes, and router prefix lists filter BGP routes. Below are examples of each. Configuring these lists is currently command line only. FortiManager 3.0 MR6 can define access and prefix lists in the GUI, but you still have to apply them from the CLI.
The examples assume the following setup:
- Your firewall is connected to two private networks, 10.1.1.0/24 and 192.168.1.0/24
- Your firewall is connected to the Internet, using 220.127.116.11/24
- You do not want 18.104.22.168/24 to be advertised into your network
Router Access Lists:

config router access-list
    edit "filter-internet-network"
        config rule
            edit 1
                set action deny                           # Prevents routes from being advertised
                set prefix 22.214.171.124 255.255.255.0   # The route you want to filter
                set exact-match enable
            next
            edit 2                                        # Permit all other routes to be advertised,
                set prefix any                            # since the default action is permit
                set exact-match disable
            next
        end
    next
end
Apply the access list in your OSPF configuration:

config router ospf
    set abr-type cisco
    config distribute-list                                # the access list is referenced from a distribute-list entry
        edit 1
            set access-list "filter-internet-network"
        next
    end
end

Router Prefix Lists:
config router prefix-list
    edit "filter_internet_network"
        config rule
            edit 1
                set action deny
                set prefix 126.96.36.199 255.255.255.0
                unset ge                                  # Unsetting ge and le has the same effect as
                unset le                                  # "exact-match disable" in OSPF
            next
            edit 2
                set prefix any                            # Permit all other routes (default action is permit)
            next
        end
    next
end
Apply the prefix list in your BGP configuration:

config router bgp
    set as 65000
    config neighbor
        edit "NEIGHBOR_IP"                                # placeholder: the peer's address is not given here
            set next-hop-self enable
            set prefix-list-out "filter_internet_network"
            set remote-as 65000
        next
    end
end
Note that since you define neighbors statically in BGP, the prefix lists in BGP are applied on a per-neighbor basis, whereas in OSPF the access list applies to the entire area.
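To see what each list actually lets through before you commit it, here is an added Python model of the rule evaluation (written for this page, not code from the original post or from Fortinet): rules are tried in order and the first match wins, an access-list rule honours exact-match, and a prefix-list rule is assumed to match only the exact prefix length when ge and le are unset and to use them as length bounds otherwise (the usual prefix-list semantics; confirm against your FortiOS release). It shows that an exact-match deny of the /24 still lets a more-specific /25 inside it through, and that putting the permit-all rule first silently disables the filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    prefix: str                  # "any" or the value given to `set prefix`
    kind: str                    # "access-list" (OSPF) or "prefix-list" (BGP)
    action: str = "permit"       # FortiGate's default action is permit
    exact: bool = False          # `set exact-match enable` (access-list only)
    ge: Optional[int] = None     # `set ge` / `set le` (prefix-list only)
    le: Optional[int] = None

def rule_matches(rule: Rule, route: ipaddress.IPv4Network) -> bool:
    if rule.prefix == "any":
        return True                                # assumption: "any" matches every route
    net = ipaddress.ip_network(rule.prefix, strict=False)
    if not route.subnet_of(net):
        return False
    if rule.kind == "access-list":                 # exact-match enable: same network and mask;
        lo = net.prefixlen                         # disable: any more-specific route inside it too
        hi = net.prefixlen if rule.exact else net.max_prefixlen
    elif rule.ge is None and rule.le is None:      # assumption: unset ge/le = exact length match
        lo = hi = net.prefixlen
    else:                                          # ge/le bound the route's prefix length
        lo = rule.ge if rule.ge is not None else net.prefixlen
        hi = rule.le if rule.le is not None else net.max_prefixlen
    return lo <= route.prefixlen <= hi

def advertised(rules: List[Rule], routes: List[str]) -> List[str]:
    """First matching rule wins; an unmatched route is dropped (assumed implicit deny)."""
    kept = []
    for r in routes:
        route = ipaddress.ip_network(r, strict=False)
        action = next((x.action for x in rules if rule_matches(x, route)), "deny")
        if action == "permit":
            kept.append(str(route))
    return kept

# The page's two lists, using the page's own addresses
ACCESS_LIST = [Rule("22.214.171.124/24", "access-list", action="deny", exact=True),
               Rule("any", "access-list")]           # exact-match disable, default permit
PREFIX_LIST = [Rule("126.96.36.199/24", "prefix-list", action="deny"),   # ge and le unset
               Rule("any", "prefix-list")]
# Hypothetical tightening: `set le 32` on the deny rule also catches more-specific routes
PREFIX_LIST_LE32 = [Rule("126.96.36.199/24", "prefix-list", action="deny", le=32),
                    Rule("any", "prefix-list")]
# Constructed candidate routes: the page's private networks, each filtered /24, and a /25 inside it
ROUTES = ["10.1.1.0/24", "192.168.1.0/24", "22.214.171.0/24", "22.214.171.0/25",
          "126.96.36.0/24", "126.96.36.128/25"]
```

Call `advertised(ACCESS_LIST, ROUTES)` or `advertised(PREFIX_LIST_LE32, ROUTES)` to compare what each list would still advertise.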