The other day I needed to lock down who can connect to our Fortigate to register a forticlient. This was very important due to that fact we were pushing VPN policies to our clients.
You can configure a Password for client registration by going to System – Config – Advanced and its right there.
To register the client open Forticlient and at the top right you will register – it will then prompt you for that password before you can register.
The following command will set an interface to defaults. Lets say I have about 10 commands on the interface specifying Voice, Access, Trunk, Spanning tree – etc, and I want to quickly throw that port back to default. I can issue this command
config t default interface gig 1/0/1
And its back to default, no configuration!
This command was introduced in IOS 11.1, so it should be in about every switch out there now.
Recently I had a project where 1 Fortigate had two MPLS networks connected for redundant connections. These two MPLS networks were from different providers. I had a few problems where networks from other peers were transiting through my device to be advertised out to these links. I did not want this to happen. There are many ways to do this exact thing, but what I did was use an AS path filter with regular expressions to find anything passing through my remote peers and block them going out on the opposite peer. The image below will sum up what I just wrote a little better:
So as with almost all BGP commands on Fortinet – they have to be done through CLI. The following are the commands needed to create the AS-Path list, Create the Route map, then apply the route map to our neighbor. We are using regular expressions to map grab our AS path, you might say what the heck is a regular expression? Here is a link that explains how to put an expression together http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ . If you notice what I am doing “_65000_” This basically says that if 65000 is in the AS Path block it. the _ is a space so my expression reads – Anything before 65000 or after 65000 gets blocked. For example, if you wanted to block routes that originate from 65000 you could do “_65000” or “_65000$” The dollar sign means that is the end of the string, so nothing else beyond that.
config router aspath-list
edit Match-L3
config rule
edit 10
set action deny
set regexp _65000_
end
next
edit Match-WS
config rule
edit 10
set action deny
set regexp _65400_
end
end
config router route-map
edit Block-WS
config rule
edit 10
set match-as-path Match-WS
next
edit 11 — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
end
next
edit Block-L3
config rule
edit 10
set match-as-path Match-L3
next — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
edit 11
end
end
config neighbor
edit “2.2.2.1”
set capability-default-originate enable
set remote-as 65400
set route-map-out “Block-L3”
set send-community6 disable
next
edit “1.1.1.1”
set remote-as 65000
set route-map-out “Block-WS”
set send-community6 disable
next
end
Now we have to flush those routes, we can do this with the command:
exe router clear bgp ip 1.1.1.1 soft out
exe router clear bgp ip 2.2.2.1 soft out
After you clear you should see a good drop in routes being advertised to those neighbors.
get router inforĀ bgp neigh 1.1.1.1 advertised-routes
Sometimes it is necessary to track an interface state to bring down a certain route.
In my case I have a Multihomed scenario, and two routers. In this case the upstream routers do not know about each other, the downstream routers make the routing decisions for the network.
I have a static route configured pointed to the ISP, I am redistributing that static route to my clients through OSPF. If the state goes down on the interface then the router will take it out of its routing table. You can do this by pining an IP address, UDP Jitter, State, etc.. many ways.
Commands:
config t
track 100 interface GigabitEthernet0/2 line-protocol
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 100
exit
You can use commands like:
show track
show track int
show track bri
Recent Comments