- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Note: Managing the 'capability-default-o...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
Solution
The "set capability-default-originate" command when enabled on a neighbor will enable/disable the advertising of the default route to the BGP neighbors.
Still when deleting a neighbor that includes it the feature must be disabled first otherwise it will block the injection of any "default route" coming from any remaining BGP neighbor.
When the feature is enabled on a BGP neighbor and then that same BGP neighbor is deleted from the active BGP configuration on a FortiGate unit, the feature gets stuck and then any "default route" coming from any of the still active BGP neighbors (local or from the ISP) will not be installed on the FortiGate unit "Routing-Table".
Still when deleting a neighbor that includes it the feature must be disabled first otherwise it will block the injection of any "default route" coming from any remaining BGP neighbor.
When the feature is enabled on a BGP neighbor and then that same BGP neighbor is deleted from the active BGP configuration on a FortiGate unit, the feature gets stuck and then any "default route" coming from any of the still active BGP neighbors (local or from the ISP) will not be installed on the FortiGate unit "Routing-Table".
Solution
To be able to effectively disable this feature there are a number of options:
Note that clearing the BGP table (exec router clear bgp) or rebooting the FortiGate unit (exec reboot) does not solve this issue.
- Adding the just removed BGP neighbor once again and then disabling the feature (set capability-default-originate disable) and then after that this neighbor can now be safely removed again.
- Restarting the routing table via the CLI (exec router restart).
- Removing and adding again the full BGP configuration.
----------------------------------------------------------------------------------
# get router info bgp neighbors 50.55.55.130 routes
BGP table version is 1, local router ID is 15.15.15.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0/0 50.55.55.130 0 0 61111 7999 i
Total number of prefixes 1
----------------------------------------------------------------------------------
# get router info bgp neighbors 10.255.25.25 routes
BGP table version is 1, local router ID is 15.15.15.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0/0 10.255.25.25 0 0 62222 61111 7922 i
*> 10.0.0.0 10.255.25.25 0 0 62222 61010 ?
*> 10.201.16.0/21 10.255.20
----------------------------------------------------------------------------------
# get router info bgp network
BGP table version is 1, local router ID is 15.15.15.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0/0 50.225.252.130 0 0 61111 7922 i
* 50.225.252.129 0 50 0 61111 7922 i
* 10.255.25.25 0 0 62222 61111 7922 i
*> 10.0.0.0 10.255.25.25 0 0 62222 61010 ?
----------------------------------------------------------------------------------
# get router info bgp network 0.0.0.0
BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Not advertised to any peer
61111 7999
50.55.55.130 from 50.55.55.130 (10.250.209.60)
Origin IGP metric 0, localpref 100, valid, external
Last update: Thu Mar 23 12:15:40 2017
62222 61111 7999
10.255.25.25 from 10.255.25.25 (12.12.12.12)
Origin IGP metric 0, localpref 100, valid, external
Last update: Thu Mar 23 12:06:42 2017
Local
0.0.0.0 from 0.0.0.0 (15.15.15.15)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Thu Mar 23 12:04:05 2017
----------------------------------------------------------------------------------
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B 10.0.0.0/8 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.201.111.0/21 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.201.222.0/21 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.201.333.0/21 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.255.200.8/29 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
----------------------------------------------------------------------------------
Note that clearing the BGP table (exec router clear bgp) or rebooting the FortiGate unit (exec reboot) does not solve this issue.
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.