FortiGate
msanjaypadma
Staff
Article Id 343097
Description

 

This article describes how to configure BGP route dampening in the FortiGate Firewall.

 

Scope

 

FortiGate.

 

Solution

 

BGP route dampening is a feature that helps to prevent the instability caused by flapping BGP routes, which are routes that frequently go up and down (i.e. change their status from active to inactive or vice versa).

When a BGP route flaps, it can cause instability in the network, as other routers may start to route traffic through the flapping route, leading to packet loss and increased latency. Route dampening helps to prevent this by suppressing the advertisement of flapping routes to other BGP routers.

For more information, see: BGP route dampening.

 

Consider the following network setup and configuration:


[Network diagram: FGT-1 (AS 100, port2 172.31.136.106, loopback 1.1.1.1/32) peering over port2 with FGT-2 (AS 200, port2 172.31.138.3)]

 

Fortigate-1:

 

FGT-1 # show sys interface port2
config system interface
    edit "port2"
        set vdom "root"
        set ip 172.31.136.106 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 2
    next
end

 

FGT-1 # show sys interface loopback
config system interface
    edit "loopback"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type loopback
        set snmp-index 15
    next
end

 

FGT-1 # show router bgp
config router bgp
    set as 100
        config neighbor
            edit "172.31.138.3"
                set remote-as 200
            next
        end
        config network
            edit 1
                set prefix 1.1.1.1 255.255.255.255
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end
end

 

Fortigate-2:

To enable BGP route dampening, use the command 'set dampening enable' under 'config router bgp'; it is disabled by default.


FGT-2 # show sys interface port2

config system interface
    edit "port2"
        set vdom "root"
        set ip 172.31.138.3 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 2
    next
end

 

FGT-2 # show router bgp
config router bgp
    set as 200
    set dampening enable <-- Enable dampening.
        config neighbor
            edit "172.31.136.106"
                set remote-as 100
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end
end

 

Verification:


Fortigate-1:

 

FGT-1 # get router info routing-table details 1.1.1.1

Routing table for VRF=0
Routing entry for 1.1.1.1/32
Known via "connected", distance 0, metric 0, best
* is directly connected, loopback


FGT-1 # get router info bgp network 1.1.1.1
VRF 0 BGP routing table entry for 1.1.1.1/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
172.31.138.3
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (1.1.1.1)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Sun Sep 22 10:55:00 2024

 

Fortigate-2:

 

FGT-2 # get router info bgp summary

VRF 0 BGP router identifier 172.31.138.3, local AS number 200
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.31.136.106 4 100 260 247 0 0 0 03:36:36 1

Total number of neighbors 1

 

FGT-2 # get router info bgp network
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 1.1.1.1/32 172.31.136.106 0 0 0 100 i <-/1>

Total number of prefixes 1

 

Default BGP route dampening parameters:

 

FGT-2 # get router info bgp dampening parameters

dampening 15 750 2000 60 15
Dampening Control Block(s):
Reachability Half-Life time : 15 min
Reuse penalty : 750
Suppress penalty : 2000
Max suppress time : 60 min
Un-reachability Half-Life time : 15 min
Max penalty (ceil) : 11999
Min penalty (floor) : 375

 

BGP route dampening parameters are configurable after enabling dampening:

 

FGT # config router bgp

FGT (bgp) # show full | grep dampening
set dampening disable

FGT (bgp) # set dampening enable

FGT (bgp) # show full | grep dampening

set dampening enable
set dampening-route-map ''
set dampening-reachability-half-life 15
set dampening-reuse 750
set dampening-suppress 2000
set dampening-max-suppress-time 60
set dampening-unreachability-half-life 15


Now flap the 1.1.1.1/32 prefix by shutting down and then bringing up the loopback interface on FGT-1 (in this example the route is flapped manually for testing purposes).

Fortigate-1:

 

FGT-1 # conf sys interface
FGT-1 (interface) # edit loopback
FGT-1 (loopback) # set status down
FGT-1 (loopback) # end

FGT-1 #
FGT-1 # conf sys interface
FGT-1 (interface) # edit loopback
FGT-1 (loopback) # set status up
FGT-1 (loopback) # end


Once the route flaps, BGP marks the prefix with the 'h' (history) status code, as shown below.

 

Fortigate-2:

 

FGT-2 # get router info bgp network
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
h 1.1.1.1/32 172.31.136.106 0 0 0 100 i <-/->

Total number of prefixes 1

 

FGT-2 # get router info bgp dampening flap-statistics
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Flaps Duration Reuse Path
*> 1.1.1.1/32 172.31.136.106 1 00:00:41 100 i <-/1>

Total number of prefixes 1


If the route flaps three times, it is then marked as damped ('d'): the route is not installed in the routing table (RIB) and is not advertised to any peer.

 

FGT-2 # get router info bgp summary

VRF 0 BGP router identifier 172.31.138.3, local AS number 200
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.31.136.106 4 100 298 279 0 0 0 04:04:18 1

Total number of neighbors 1


FGT-2 # get router info bgp neighbors 172.31.136.106 route
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*d 1.1.1.1/32 172.31.136.106 0 0 0 100 i <-/-> <--

Total number of prefixes 1

 

FGT-2 # get router info bgp dampening flap-statistics
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Flaps Duration Reuse Path
*d 1.1.1.1/32 172.31.136.106 3 00:20:14 00:14:10 100 i <-/->

FGT-2 # get router info routing-table details 1.1.1.1

Routing table for VRF=0
Routing entry for 0.0.0.0/0 <-- Default route, no route for 1.1.1.1/32.
Known via "static", distance 10, metric 0, best
* vrf 0 10.5.31.254, via port1

 

Once the reuse timer counts down to 0, the route is added back into the routing table.

 

FGT-2 # get router info bgp dampening flap-statistics
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Flaps Duration Reuse Path
*d 1.1.1.1/32 172.31.136.106 3 00:34:45 00:00:10 100 i <-/->

Total number of prefixes 1


FGT-2 # get router info bgp dampening flap-statistics
VRF 0 BGP table version is 1, local router ID is 172.31.138.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Flaps Duration Reuse Path
*> 1.1.1.1/32 172.31.136.106 3 00:34:51 100 i <-/1>

Total number of prefixes 1


FGT-2 # get router info routing-table details 1.1.1.1

Routing table for VRF=0
Routing entry for 1.1.1.1/32
Known via "bgp", distance 20, metric 0, best
Last update 00:00:10 ago
* vrf 0 172.31.136.106 priority 1 (recursive is directly connected, port2)

 

It is also possible to clear dampening for a prefix and reinstall the route in the FIB table without waiting for the reuse timer to expire:

 

execute router clear bgp dampening <ip_address> 

 

Or:


execute router clear bgp dampening <ip/netmask>