Route filtering with a distribution list

During BGP operations, routes can be propagated between BGP peers and redistributed from other routing protocols. In some situations, advertising routes from one peer to another might need to be prevented.

The Basic BGP example explains how to use a route map to filter routes learned from iBGP so that they are not propagated to an eBGP peer. In this example, a distribution list is used instead to prevent certain routes learned from one peer from being advertised to another peer.

  • A company has its own web and email servers in an OSPF area, and needs to advertise routes to these resources to external peers. Users, routers, and other servers all reside in the OSPF area.

  • The FortiGate acts as the BGP border router, redistributing routes from the company's network to its BGP peers. It is connected to the OSPF area using its DMZ interface.

  • Two ISP-managed BGP peers in an AS (Peer 1 and Peer 2) are used to access the internet, and routes must not be advertised from Peer 1 to Peer 2. The manufacturers of these routers, and information about other devices on the external BGP AS, are not known.

  • Routes to the BGP peers are redistributed so that external locations can access the web and email servers in the OSPF area. The FortiGate device's external interfaces and the BGP peers are in different ASs, and form eBGP peers.

  • Other networking devices must be configured for BGP. The peer routers must be updated with the FortiGate device's BGP information, including IP addresses, AS number, and any specific capabilities that are used, such as IPv6, graceful restart, BFD, and so on.

  • It is assumed that security policies have been configured to allow traffic between the networks and NAT is not used. To tighten security, only the required services should be allowed inbound to the various servers.

  • In a real life scenario, public IP addresses would be used in place of private IP addresses.

Configuring BGP

In this example, Peer 1 routes are blocked from being advertised to Peer 2 using an access list applied as an outbound distribute list on the Peer 2 neighbor. All routes received from Peer 1 are filtered out of the updates sent to Peer 2.

Routes learned from OSPF are redistributed into BGP. EBGP multipath is enabled to load-balance traffic between the peers using ECMP. See Equal cost multi-path for more information.

To configure BGP in the GUI:
  1. Configure an access list to block Peer 1 routes:

    1. Go to Network > Routing Objects and click Create New > Access List.

    2. Set Name to block_peer1.

    3. In the Rules table, click Create New.

    4. Set Action to Deny.

    5. Enable Exact Match and specify the prefix.

    6. Click OK.

    7. Click OK.

  2. Configure BGP:

    1. Go to Network > BGP.

    2. Set Local AS to 65001.

    3. Set Router ID to

    4. In the Neighbors table, click Create New and set the following:

      Remote AS

    5. Click OK.

    6. In the Neighbors table, click Create New again and set the following:

      Remote AS

      Distribute list out
      Enable, and select the block_peer1 access list.

    7. Click OK.

    8. Under IPv4 Redistribute, enable OSPF and select ALL.

    9. Expand Best Path Selection and enable EBGP multipath.

    10. Click Apply.

To configure BGP in the CLI:
  1. Configure an access list to block Peer 1 routes:

    config router access-list
        edit "block_peer1"
            config rule
                edit 1
                    set action deny
                    set prefix
                    set exact-match enable
                next
            end
        next
    end
  2. Configure BGP:

    config router bgp
        set as 65001
        set router-id
        set ebgp-multipath enable
        config neighbor
            edit ""
                set remote-as 65001
            next
            edit ""
                set distribute-list-out "block_peer1"
                set remote-as 65001
            next
        end
        config redistribute "ospf"
            set status enable
        end
    end
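The distribute list above filters by prefix, not by the peer a route was learned from, and the Exact Match option changes which prefixes a deny rule catches. The following Python model, added here as an illustration and not part of the FortiOS configuration or Fortinet's documentation, walks a constructed routing table through an access list built the way block_peer1 is: a deny rule per Peer 1 prefix with exact-match, followed by a permit-any rule. The Peer 1 prefixes (203.0.113.0/24, 198.51.100.0/24), the OSPF prefixes, the `default_action` of deny for routes that match no rule, and the trailing permit-any rule are all assumptions made for the example; check your platform's access-list reference for its implicit default before relying on it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str  # where the route was learned: "peer1" or "ospf" (constructed labels)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    exact_match: bool = False

    def matches(self, route_prefix: ipaddress.IPv4Network) -> bool:
        # Exact match: only the identical prefix (address and length) matches.
        if self.exact_match:
            return route_prefix == self.prefix
        # Without exact match, any route that lies inside the rule prefix matches,
        # so a more-specific prefix is caught as well.
        return route_prefix.subnet_of(self.prefix)


@dataclass
class AccessList:
    name: str
    rules: tuple
    default_action: str = "deny"  # assumption: routes matching no rule are denied

    def evaluate(self, route_prefix: ipaddress.IPv4Network) -> str:
        # First matching rule wins, top to bottom.
        for rule in self.rules:
            if rule.matches(route_prefix):
                return rule.action
        return self.default_action


def apply_distribute_list_out(rib, acl: AccessList):
    """Split a routing table into the routes advertised to the neighbor and those suppressed."""
    advertised = [r for r in rib if acl.evaluate(r.prefix) == "permit"]
    suppressed = [r for r in rib if acl.evaluate(r.prefix) == "deny"]
    return advertised, suppressed


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text)


# Constructed Peer 1 prefixes (documentation ranges, not from the original page).
PEER1_PREFIXES = (net("203.0.113.0/24"), net("198.51.100.0/24"))

# Modelled after block_peer1: one exact-match deny per Peer 1 prefix, then permit everything else.
BLOCK_PEER1 = AccessList(
    "block_peer1",
    rules=tuple(Rule("deny", p, exact_match=True) for p in PEER1_PREFIXES)
    + (Rule("permit", net("0.0.0.0/0")),),
)

# Constructed routing table: two Peer 1 routes, a more-specific Peer 1 route,
# and two OSPF routes redistributed into BGP (private space, as on the page).
SAMPLE_RIB = (
    Route(net("203.0.113.0/24"), "peer1"),
    Route(net("198.51.100.0/24"), "peer1"),
    Route(net("203.0.113.0/25"), "peer1"),
    Route(net("10.10.0.0/16"), "ospf"),
    Route(net("10.20.0.0/24"), "ospf"),
)

if __name__ == "__main__":
    adv, sup = apply_distribute_list_out(SAMPLE_RIB, BLOCK_PEER1)
    print("advertised to Peer 2:", [f"{r.prefix} ({r.source})" for r in adv])
    print("suppressed:", [f"{r.prefix} ({r.source})" for r in sup])
```

Running the model shows the two listed Peer 1 prefixes suppressed and the OSPF routes advertised, but the more-specific 203.0.113.0/25 slips through because the deny rule uses exact match; dropping `exact_match` on that rule catches it. Each prefix learned from Peer 1 therefore needs its own rule (or a non-exact covering rule), since the distribute list has no notion of which neighbor a route came from.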

Configuring OSPF

In this example, all of the traffic is within a single OSPF area, and there are other OSPF routers in the network. When adjacencies are formed, the other routers receive the routes that the FortiGate redistributes from BGP.

To configure OSPF in the GUI:
  1. Go to Network > OSPF.

  2. Set Router ID to

  3. In the Areas table, click Create New and set the following:

    Area ID

  4. Click OK.

  5. In the Networks table, click Create New and set the following: