Scenario description:
 FW01 advertises internal network routes and summarizes them as a supernet (for example, 10.10.0.0/16). FW02 learns this supernet (10.10.0.0/16) from FW01 via BGP. FW02 is configured with aggregate-address 10.10.0.0/16 and advertises the summary route to FW03. FW03 advertises a more specific route (for example, 10.10.10.10/32) that falls within the same supernet (10.10.0.0/16) back to FW02.
Result:
When FW02 receives the more specific route (/32), it becomes a contributing route for the configured aggregate. FW02 generates a local aggregate route for 10.10.0.0/16. Due to BGP best-path selection (higher weight for locally originated routes), the aggregate route is selected as the best path. The routing table on FW02 is updated as follows: B 10.10.0.0/16 [200/0] is a summary, Null, 00:00:57, [1/0].
As a result, traffic destined for 10.10.0.0/16 may be dropped (blackholed), even though a valid path is still learned from FW01.
Verification:
Run the following commands on FW02:
get router info bgp network 10.10.0.0/16
Example output:
VRF 0 BGP routing table entry for 10.10.0.0/16
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
172.31.180.253 172.31.183.2
Original VRF 0
Local, (aggregated by 65000 172.31.180.1)
0.0.0.0 from 0.0.0.0 (172.31.180.1)
Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
Advertised Path ID: 1
Last update: Thu Apr 30 00:17:06 2026
Original VRF 0
65180
172.31.180.253 from 172.31.180.253 (192.168.31.0)
Origin IGP metric 0, localpref 100, valid, external
Last update: Wed Apr 29 23:42:06 2026
Check the routing table:
get router info routing-table all | grep 10.10.0.0
B 10.10.0.0/16 [200/0] is a summary, Null, 00:08:28, [1/0]
Root cause:
When a more specific route (for example, /32) is received, it becomes a contributing route for the configured aggregate. FW02 then generates a local aggregate route that is:
- Marked as aggregated and local
- Installed with a Null (discard) next-hop
The two candidate paths for 10.10.0.0/16 carry different BGP weights:
- Local aggregate route: weight 32768
- Learned route (from FW01): weight 0
Since weight is the first attribute evaluated in the BGP best path selection process, the locally generated aggregate is always preferred. When a BGP router generates an aggregate, a Null route is installed as a loop-prevention mechanism. This ensures that traffic destined for unknown sub-prefixes within the aggregate is safely discarded instead of potentially looping.
Note: Administrative Distance (AD) is applied after BGP best-path selection and does not influence which BGP path is selected.
Solution: This issue can be resolved using one of the following methods:
Remove aggregate-address.
If the FortiGate is already learning the supernet from an upstream device, local aggregation of the same prefix should be avoided. The aggregate can be removed under the BGP configuration:
config router bgp
config aggregate-address
delete <ID>
end
end
Adjust weight.
The learned route can be preferred by assigning it a higher weight than the locally generated aggregate.
Example configuration:
config router route-map
edit "ChangeWeight"
config rule
edit 2
set set-weight 33000
next
end
next
end
config router bgp
config neighbor
edit "172.31.180.253"
set route-map-in "ChangeWeight"
next
end
end
Note: Modifying weight may introduce additional complexity in troubleshooting and should be used with caution.
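The following Python script is an added example and is not part of this article or of FortiOS. It ties together the verification output, the root cause and the weight-based fix: it parses the two paths from the sample "get router info bgp network" output above, applies the first BGP best-path tie-breakers (weight before local preference, as the root cause section describes), flags the condition where a locally generated aggregate with a Null next-hop wins over a valid path learned from a peer, and then models the effect of the "set set-weight 33000" route-map applied inbound on the 172.31.180.253 neighbor. The sample output is embedded as a constructed copy of the article's output; the function names and the assumption that a path with no "weight" shown has weight 0 are the example's own.

```python
"""Added example (not Fortinet's code): detect the aggregate-address blackhole
condition from 'get router info bgp network <prefix>' output and model the
weight-based fix described in the article."""
import re
from dataclasses import dataclass, replace

# Constructed copy of the two paths shown in the article's verification output.
SAMPLE_OUTPUT = """\
VRF 0 BGP routing table entry for 10.10.0.0/16
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Original VRF 0
Local, (aggregated by 65000 172.31.180.1)
0.0.0.0 from 0.0.0.0 (172.31.180.1)
Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
Original VRF 0
65180
172.31.180.253 from 172.31.180.253 (192.168.31.0)
Origin IGP metric 0, localpref 100, valid, external
"""


@dataclass(frozen=True)
class Path:
    nexthop: str
    as_path: tuple
    localpref: int = 100
    weight: int = 0          # assumption: no "weight" shown on a learned path means 0
    local: bool = False      # locally originated (e.g. generated aggregate)
    aggregated: bool = False
    external: bool = False   # eBGP-learned
    valid: bool = False


def parse_paths(text):
    """Split the CLI output into per-path blocks (each starts with 'Original VRF n')
    and pull out next-hop, AS path and the attribute flags of every path."""
    paths = []
    for blk in re.split(r"^Original VRF \d+\n", text, flags=re.M)[1:]:
        lines = [ln.strip() for ln in blk.strip().splitlines()]
        aspath_line, nexthop_line, attr_line = lines[0], lines[1], lines[2]
        local = aspath_line.startswith("Local")
        as_path = () if local else tuple(int(a) for a in aspath_line.split())
        nexthop = nexthop_line.split()[0]
        lp = re.search(r"localpref (\d+)", attr_line)
        wt = re.search(r"weight (\d+)", attr_line)
        flags = {f.strip() for f in attr_line.split(",")}
        paths.append(Path(
            nexthop=nexthop, as_path=as_path,
            localpref=int(lp.group(1)) if lp else 100,
            weight=int(wt.group(1)) if wt else 0,
            local=local, aggregated="aggregated" in flags,
            external="external" in flags, valid="valid" in flags))
    return paths


def best_path(paths):
    """First BGP best-path tie-breakers, in evaluation order: highest weight,
    highest local preference, locally originated, shortest AS path, eBGP over iBGP.
    Administrative distance is deliberately absent: it is applied only after selection."""
    candidates = [p for p in paths if p.valid]
    return max(candidates, key=lambda p: (
        p.weight, p.localpref, p.local, -len(p.as_path), p.external))


def aggregate_blackhole(paths):
    """True when the best path is a locally generated aggregate (installed with a
    Null next-hop) although a valid path for the same prefix was learned from a peer."""
    best = best_path(paths)
    learned = [p for p in paths if p.valid and not p.local]
    return best.local and best.aggregated and bool(learned)


def apply_inbound_weight(paths, neighbor, weight):
    """Model a route-map with 'set set-weight <weight>' applied as route-map-in on one
    neighbor: only paths received from that neighbor get the new weight."""
    return [replace(p, weight=weight) if (p.nexthop == neighbor and not p.local) else p
            for p in paths]


if __name__ == "__main__":
    paths = parse_paths(SAMPLE_OUTPUT)
    print("best path:", best_path(paths).nexthop, "blackhole:", aggregate_blackhole(paths))
    fixed = apply_inbound_weight(paths, "172.31.180.253", 33000)
    print("after weight 33000:", best_path(fixed).nexthop, "blackhole:", aggregate_blackhole(fixed))
```

Run against the sample output, the script selects the local aggregate (next-hop 0.0.0.0) and reports the blackhole condition; after the modelled inbound weight of 33000 the path from 172.31.180.253 wins and the condition clears, which is the behaviour the route-map in the second method is meant to produce.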
Conclusion:
When aggregate-address is configured, FortiGate may generate a local summary route that overrides a learned route due to higher BGP weight. This behavior is expected but can lead to unintended traffic blackholing if not properly designed.