Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ezhupa
Staff
Staff

Created on ‎09-12-2025 03:57 AM Edited on ‎11-22-2025 05:44 AM By Moderator

Article Id 410597

Technical Tip: Graceful restart feature not supported with BGP neighbor-group and neighbor-range commands

 

Description This article describes issues with the Graceful Restart feature when used with BGP neighbor groups and neighbor-range commands.
Scope FortiGate, FortiOS.
Solution

When multiple BGP neighbors must be configured, administrators may streamline the process by creating BGP neighbor groups and neighbor-range commands.

 

As an example:

 

config router bgp
    set as Y.Y.Y.Y
    set router-id z.z.z.z
    set holdtime-timer 60
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    next
end


config neighbor-group
    edit "test_1"
        set capability-graceful-restart enable
        set link-down-failover enable
        set next-hop-self enable
        set soft-reconfiguration enable
        set remote-as X.X.X.X
    next
end


config neighbor-range
    edit 1
        set prefix 192.10.10.0 255.255.255.0
        set neighbor-group "test_1"
    next
end

 

Administrators typically also enable the Graceful Restart feature to prevent network disruptions and packet loss during an HA failover or when the primary FortiGate in an HA cluster is rebooted.

 

When using a BGP neighbor-group is used, packet loss may occur during failover testing.
Reverting the configuration to manually configured neighbors eliminates the packet loss, indicating a potential issue with Graceful Restart when using BGP neighbor-group and neighbor-range commands.

 

Conclusion:

Since neighbor-groups are passive and cannot trigger a re-connection, it is expected that neighbor-groups defined with neighbor-range cannot perform Graceful Restart when it is the side that initiates a restart.


BGP graceful restart against dynamic BGP peers during a HA failover is not supported at this time in FortiOS.

 

To prevent packet loss using BGP neighbor-groups on SD-WAN Hubs, each spoke must activate the route-stale option on BGP neighborship with each Hub:

 

config router bgp

    config neighbor

        edit Y.Y.Y.Y

            set stale-route enable

        next

end

 

Instead, in order to benefit fully from the Grace Restart feature, BGP configuration would need to be modified to manually configure neighbors instead of neighbor-groups defined with neighbor-range.

 

Related articles:

Technical Tip: Configuring FortiGate HA and BGP graceful-restart to avoid traffic interruption durin... 
Technical Tip: Understanding Graceful restart and non-stop forwarding for BGP in FortiGate HA 
Technical Tip: Understanding Graceful restart and non-stop forwarding for OSPF in FortiGate HA 

 

Labels:
519
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.