Excluding Network from BGP on Fortigate

Assume you are redistributing your FortiGate networks into BGP and want to exclude one or more of them from being advertised.

Here is an example config. The prefix-list names the network to exclude, rule 1 of the route-map denies whatever matches it, and the empty rule 2 permits everything else (a route-map ends in an implicit deny, so without rule 2 the neighbour would receive no routes at all).

PS: replace "XXX" (and the other placeholders such as IPaddress, SubnetMask and neighbourIP) with your own values..

config router prefix-list
edit "youraclname"
config rule
edit 1
set prefix IPaddress SubnetMask
unset ge
unset le
next
end
next
end

config router route-map
edit "rmap-bgp"
config rule
edit 1
set action deny
set match-ip-address "youraclname"
next
edit 2
next
end
next
end

config router bgp
set as XXXX
set log-neighbour-changes enable
config neighbor
edit "neighbourIP"
set remote-as XXXX
set route-map-out "rmap-bgp"
set send-community6 disable
next
end
config redistribute "connected"
set status enable
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
set router-id XXX.XXX.XXX.XXX
end
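As an added example (my own script, not part of the original post and not Fortinet tooling), the Python below parses a FortiOS configuration saved as text, the way "show" prints it, and reports for each BGP neighbour which networks the outbound route-map suppresses and whether the map still permits everything else. The sample configuration inside it is constructed to mirror the blocks above with placeholder values filled in (AS 65001, neighbour 192.0.2.1, prefix-list "pl-exclude", network 10.10.10.0/24); only match-ip-address clauses are evaluated, and ge/le are ignored because the post unsets both.

```python
"""Audit which networks a FortiGate's BGP route-map-out suppresses per neighbour.

Added example, not FortiGate code. It parses a configuration saved as text
(output of 'show' on the CLI) and follows neighbour -> route-map-out -> rules
-> prefix-list. The sample below is constructed for this example, with
placeholder values (AS 65001, neighbour 192.0.2.1, network 10.10.10.0/24).
Only match-ip-address clauses are evaluated; ge/le are ignored.
"""
import ipaddress
import shlex

# Constructed sample: the prefix-list / route-map / bgp pattern from the post.
SAMPLE_CONFIG = """\
config router prefix-list
    edit "pl-exclude"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "rmap-bgp"
        config rule
            edit 1
                set action deny
                set match-ip-address "pl-exclude"
            next
            edit 2
            next
        end
    next
end
config router bgp
    set as 65001
    config neighbor
        edit "192.0.2.1"
            set remote-as 65002
            set route-map-out "rmap-bgp"
        next
    end
    config redistribute "connected"
        set status enable
    end
end
"""

# The same config with the catch-all rule 2 removed: the mistake this audit flags.
SAMPLE_CONFIG_NO_CATCH_ALL = SAMPLE_CONFIG.replace(
    "            edit 2\n            next\n", "")


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts.

    'config <table>' and 'edit <key>' open a scope; 'set' stores a list of
    values because some attributes (e.g. prefix) take more than one."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw == "set":
            stack[-1][parts[1]] = parts[2:]
        elif kw == "unset":
            stack[-1].pop(parts[1], None)
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '{kw}' without an open scope")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown keyword {kw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit scope (missing next/end)")
    return root


def prefix_list_networks(cfg, name):
    """CIDR networks listed in a router prefix-list (exact-length entries)."""
    table = cfg.get("router prefix-list", {})
    if name not in table:
        raise KeyError(f"prefix-list {name!r} is referenced but not defined")
    nets = []
    for rule in table[name].get("rule", {}).values():
        if "prefix" in rule:
            addr, mask = rule["prefix"]
            nets.append(str(ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return nets


def outbound_filter(cfg, neighbor_ip):
    """Return (denied_networks, permits_rest) for one BGP neighbour.

    permits_rest is False when no reachable rule is a match-less permit; the
    route-map then ends in its implicit deny and the neighbour gets no routes."""
    nbr = cfg["router bgp"]["neighbor"][neighbor_ip]
    rmap_ref = nbr.get("route-map-out")
    if not rmap_ref:
        return [], True  # no outbound filter: everything is advertised
    rmap = cfg["router route-map"][rmap_ref[0]]
    denied, permits_rest = [], False
    for rule in rmap.get("rule", {}).values():
        action = rule.get("action", ["permit"])[0]  # permit is the default
        match = rule.get("match-ip-address")
        if match is None:  # no match clause: this rule matches every route
            permits_rest = action == "permit"
            break  # later rules are unreachable
        if action == "deny":
            denied.extend(prefix_list_networks(cfg, match[0]))
    return denied, permits_rest


def audit(text):
    """Per-neighbour report of suppressed networks and catch-all status."""
    cfg = parse_fortios(text)
    return {
        ip: dict(zip(("denied", "advertises_rest"), outbound_filter(cfg, ip)))
        for ip in cfg["router bgp"].get("neighbor", {})
    }


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_CONFIG), ("broken", SAMPLE_CONFIG_NO_CATCH_ALL)):
        for ip, r in audit(text).items():
            flag = "" if r["advertises_rest"] else "  <-- advertises NOTHING"
            print(f"[{label}] {ip}: suppresses {r['denied']}{flag}")
```

Run it against your own saved configuration by replacing SAMPLE_CONFIG with the file contents; a neighbour reported with advertises_rest False is the case where the deny rule was added but the empty permit rule was forgotten.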

How to clear Fortigate webcache via CLI

diag wacs clear

Fortigate ASIC-offloading and SNMP Traffic Counters

A strange problem.. If you have created a VLAN-based interface, the SNMP traffic counters return wrong values. You have to disable session offloading to the NP or SP processors. Tested on a 1240b.. so for test purposes you may disable ASIC offloading per firewall policy. Then you will see that the SNMP traffic counters get higher.

Also you may disable fastpath, SP load balancing, network accelerators, or NP ASIC offloading globally, but that is not recommended on production systems. Be sure what you are doing.

To disable NP ASIC offloading globally (this is a temporary command; it returns to the defaults after a reboot):

diag npu "npu version" fastpath disable "NP ID"

The npu version is np4 on the 1240b.. for the 3810a it is np1.
The NPU ID can be found with "get hardware npu np4 list"; that output also shows which ports the NPU is enabled on.

Here is an example for the policy-based way (the more reliable one :) ),

Fortigate1240b # config vdom

Fortigate1240b (vdom) # edit MytestVdom
current vf=MytestVdom:7

Fortigate1240b (MytestVdom) # config firewall policy

Fortigate1240b (policy) # edit 44

Fortigate1240b (44) # sh
config firewall policy
edit 44
set srcintf "VLAN78"
set dstintf "VLAN66_OUT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
end

Fortigate1240b (44) # set auto-asic-offload disable

Fortigate1240b (44) # sh
config firewall policy
edit 44
set srcintf "VLAN78"
set dstintf "VLAN66_OUT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set auto-asic-offload disable
next
end

Fortigate1240b (44) #

Look at the difference below after disabling offloading..

[traffic chart: SNMP traffic counters before and after disabling offloading]

PS: This is fixed in FortiOS 5.x

FortiOS v5.0 at a glance..

Today I spent a few minutes to review new FortiOS major release version 5.

There are some reasonable changes in the GUI.. At first sight, VDOMs are separated from the GLOBAL menu.. A new feature: we can now assign device-based rules. Also the Policy screen has some modifications.. Now we have to select one of two types of policy before creating a new one.

Firewall and VPN.. Actually we had these already. But now they are more user-friendly in the GUI.
Firewall policy got three sub-types.. We have to select one of them (Address, Identity Based or the new one, "Device Identity").. VPN policy also has 2 types, as you can guess.. SSL and IPsec..

Device-based rules have a simple idea behind them. You simply group devices by their MAC addresses. Indeed, we will be able to add MAC-based policies from now on..

In short.. FortiOS v5.0 will not bring incredible features.. It just has some GUI modifications and some minor features for a major release.. But there should be lots of improvement in the background.. I will review it later, but at first sight v5 is a disappointment for me.

How to debug fortigate OSPF

You may debug your OSPF configuration with the following commands:

FortiOS 4.0

Forti# diagnose ip router ospf all enable
Forti# diagnose ip router ospf level info

The other level options are:
critical   critical level
error      error level
info       information level
none       none level
warn       warning level

Forti# diagnose debug enable

To cancel the output, just run "diagnose debug disable" while the output flows on your screen.