Monday, March 24, 2008

Filtering Dynamic Routes

Sometimes it is necessary to stop dynamically learned routes from being advertised into your network. To do this on the Fortigate platform you can use router access lists and router prefix lists: router access lists are used for filtering OSPF routes, and router prefix lists are used for filtering BGP routes. Below are examples of each type of list. Configuring access lists is currently command line only. FortiManager 3.0 MR6 can define access and prefix lists in the GUI, but you still have to use the CLI to apply them.

Common setup:
- Your firewall is connected to 2 private networks, 10.1.1.0/24 and 192.168.1.0/24
- Your firewall is connected to the Internet, using 1.1.1.0/24
- You do not want 1.1.1.0/24 to be advertised into your network

Router Access Lists:
config router access-list
    edit "filter-internet-network"
        config rule
            edit 1
                set action deny
                # deny prevents the route from being advertised
                set prefix 1.1.1.0 255.255.255.0
                # the route you want to filter
                set exact-match enable
            next
            edit 2
                # permit all other routes to be advertised
                # (the default action is permit)
                set exact-match disable
            next
        end
    next
end

Apply the access list in your OSPF configuration:
config router ospf
    set abr-type cisco
    config area
        edit 0.0.0.0
        next
    end
    config distribute-list
        edit 1
            set access-list "filter-internet-network"
        next
    end
end

Router Prefix Lists:
config router prefix-list
    edit "filter_internet_network"
        config rule
            edit 1
                set action deny
                set prefix 1.1.1.0 255.255.255.0
                unset ge
                unset le
                # with ge and le unset only 1.1.1.0/24 itself matches,
                # the prefix-list equivalent of "exact-match enable" in OSPF
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

Apply the prefix list in your BGP configuration:
config router bgp
    set as 65000
    config neighbor
        edit 192.168.1.1
            set next-hop-self enable
            set prefix-list-out "filter_internet_network"
            set remote-as 65000
        next
    end
end

Note that since you define neighbors statically in BGP, the prefix lists in BGP are also applied on a per-neighbor basis. In OSPF the access lists apply to the entire area.
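To see how the two list types decide which routes from the common setup get advertised, here is an added Python model of the matching rules (my code, not from the post or from Fortinet). It uses the two rule sets transcribed from above plus a constructed 1.1.1.0/25 route to show what "exact-match enable" and an unset ge/le do with a longer prefix; the implicit deny at the end of a list and the meaning of ge without le are assumptions noted in the comments.

```python
import ipaddress

# Rules transcribed from the post: (action, prefix or None for "any", exact_match)
OSPF_ACCESS_LIST = [("deny", "1.1.1.0/24", True), ("permit", None, False)]
# (action, prefix or None for "any", ge, le); None stands for "unset ge" / "unset le"
BGP_PREFIX_LIST = [("deny", "1.1.1.0/24", None, None), ("permit", None, None, None)]

# Constructed sample routes: the three networks from the post plus a /25 inside 1.1.1.0/24
ROUTES = ["10.1.1.0/24", "192.168.1.0/24", "1.1.1.0/24", "1.1.1.0/25"]


def _access_list_match(route, prefix, exact):
    if prefix is None:  # "any"
        return True
    p = ipaddress.ip_network(prefix)
    # exact-match enable: the route must be exactly the listed prefix;
    # exact-match disable: any route inside the listed prefix matches
    return route == p if exact else route.subnet_of(p)


def _prefix_list_match(route, prefix, ge, le):
    if prefix is None:  # "any"
        return True
    p = ipaddress.ip_network(prefix)
    # Assumption: with ge and le unset only the listed prefix length matches;
    # ge set without le is assumed to allow lengths up to /32.
    lo = ge if ge is not None else p.prefixlen
    hi = le if le is not None else (route.max_prefixlen if ge is not None else p.prefixlen)
    return route.subnet_of(p) and lo <= route.prefixlen <= hi


def access_list_permits(rules, route):
    r = ipaddress.ip_network(route)
    for action, prefix, exact in rules:
        if _access_list_match(r, prefix, exact):
            return action == "permit"
    return False  # assumption: implicit deny when no rule matches


def prefix_list_permits(rules, route):
    r = ipaddress.ip_network(route)
    for action, prefix, ge, le in rules:
        if _prefix_list_match(r, prefix, ge, le):
            return action == "permit"
    return False  # assumption: implicit deny when no rule matches


def advertised(routes, permits):
    return [rt for rt in routes if permits(rt)]


if __name__ == "__main__":
    print("OSPF:", advertised(ROUTES, lambda r: access_list_permits(OSPF_ACCESS_LIST, r)))
    print("BGP: ", advertised(ROUTES, lambda r: prefix_list_permits(BGP_PREFIX_LIST, r)))
```

Both lists block 1.1.1.0/24 but let the constructed 1.1.1.0/25 through, because an exact match only covers the listed length; to also catch longer prefixes use "exact-match disable" on the deny rule, or "set le 32" in the prefix list.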

3 comments:

Yngve said...

Unfortunately, this didn't work for me. I don't want the routing table on all remote sites to be filled with entries about the ipsec-linknet-segment.

Anonymous said...

Hi,

I seem to be having the same problem.
No matter how I try to block the incoming OSPF routes they are still accepted.
Any suggestions?

Pioevogel said...

For filtering what prefixes make it into the RIB, you should create an ACL as described above, but apply it using:

config router ospf
    set distribute-list-in "filter-internet-network"
end

and not "config distribute-list"

Just tried it and works perfectly.

PS: Great blog!