Technical Tip: Understanding and configuring BGP security feature 'set enforce-first-as'.

When 'set enforce-first-as' is enabled, FortiGate checks incoming BGP UPDATE messages from eBGP peers. The leftmost (first) AS number in the AS_PATH attribute must match the configured remote-as of the sending peer.

If it matches: The update is processed normally.
If it mismatches: The update is rejected, and FortiGate logs an error like 'Incorrect leftmost AS number'. It may also send a BGP NOTIFICATION (error code 3/11: Malformed AS_PATH).

This prevents scenarios where malicious or misconfigured peers inject routes with spoofed AS paths.

Default behavior: Enabled in FortiOS v6.2+.

Configuration:

config router bgp
    set as <local-as>
    set router-id <router-id>
    set enforce-first-as enable
        config neighbor
            edit "<peer-ip>"
                set remote-as <peer-as>
                ... (other settings)
            next
        end
end

Disable (For route server or special cases):

config router bgp
    set enforce-first-as disable
end

After changing, clear the affected BGP sessions:

execute router clear bgp all

Or for a specific neighbor:

execute router clear bgp ip <neighbor-ip>

Verification and debugging:

get router info bgp summary
get router info bgp neighbors <peer-ip> received routes
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable

Debug: Violation Occurs (enforce-first-as enabled):

BGP: 10.68.15.2-Outgoing [DECODE] Update: Starting UPDATE decoding...
BGP: 10.68.15.2-Outgoing [DECODE] **Attr ASPATH: Incorrect leftmost AS number, should be 273412**
BGP: 10.68.15.2-Outgoing [FSM] State: Established Event: 27
BGP: %BGP-3-NOTIFICATION: sending to 10.68.15.2 3/11 (UPDATE Message Error/Malformed AS_PATH.)
BGP: %BGP-5-ADJCHANGE: neighbor 10.68.15.2 Down BGP Notification