Staff

Technical Tip: Understanding FortiGate Behavior with set attribute-unchanged as-path in eBGP

Forum|Forum|7 months ago
October 16, 2025
0 replies
672 views

Description

This article describes the behavior of a FortiGate during route advertisement to an external BGP (eBGP) peer when the set attribute-unchanged as-path option is configured.

Scope

FortiGate.

Solution

By default, when advertising a route to an eBGP peer, the FortiGate automatically prepends its own AS number to the AS-PATH attribute. This behavior is part of the standard BGP loop-prevention mechanism, ensuring that a router’s AS is visible in the path and avoiding routing loops.

When the set attribute-unchanged as-path option is configured, the FortiGate preserves the original AS-PATH attribute and advertises the route to the eBGP peer without adding its own AS number.

This feature is typically used in special scenarios such as:

Route server deployments at Internet Exchange Points (IXPs).
Carrier or service-provider environments.

Diagram:

2.2.2.2/32-----FGT1 (192.168.1.1)-------(192.168.1.2 ) ISP (192.168.100.1)-------(192.168.100.2) FGT2

FGT1 # show router bgp

config router bgp

set as 65000

set router-id 1.1.1.1

config neighbor

edit "192.168.1.2"

set remote-as 65001

config redistribute "static"

set status enable

end

FGT1 # show router static

config router static

edit 1

set dst 2.2.2.2 255.255.255.255

set gateway 10.254.1.100

set device "port1"

ISP # show router bgp

config router bgp

set as 65001

set router-id 2.2.2.2

config neighbor

edit "192.168.1.1"

set remote-as 65000

set soft-reconfiguration enable

set remote-as 65002

FGT2 # show router bgp

config router bgp

set as 65002

set router-id 3.3.3.3

config neighbor

edit "192.168.100.1"

set soft-reconfiguration enable

set remote-as 65001

Initial Behavior (Default eBGP):

FGT1 advertises route 2.2.2.2/32 to its eBGP peer, the ISP (AS 65001).
ISP forwards the route to FGT2 with prepending its own AS.
By default, the AS-PATH is modified, so FGT2 sees the route as coming from 65001 65000, where 65001 (ISP) is prepended to the original AS-PATH.

FGT2 # get router info bgp summary

VRF 0 BGP router identifier 3.3.3.3, local AS number 65002

BGP table version is 1

1 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

192.168.100.1 4 65001 25 24 0 0 0 00:04:47 1

Total number of neighbors 1

FGT2 # get router info bgp neighbors 192.168.100.1 received-routes

VRF 0 BGP table version is 1, local router ID is 3.3.3.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path

*> 2.2.2.2/32 192.168.100.1 0 0 65001 65000 ? <-/->

Total number of prefixes 1

Behavior after configuration:

FGT1 advertises route 2.2.2.2/32 -> AS-PATH {65000}.
ISP forwards the route to FGT2 without prepending its own AS.
FGT2 sees the route as coming directly from AS 65000.

ISP # show router bgp

config router bgp

set as 65001

set router-id 2.2.2.2

config neighbor

edit "192.168.1.1"

set remote-as 65000

set attribute-unchanged as-path <-----

set soft-reconfiguration enable

set remote-as 65002

FGT2 # get router info bgp neighbors 192.168.100.1 received-routes

VRF 0 BGP table version is 1, local router ID is 3.3.3.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path

*> 2.2.2.2/32 192.168.100.1 0 0 65000 ? <-/->

Total number of prefixes 1

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded