shahrukh_khan
Article Id 408359
Description: This article describes the use case of the 'set bestpath-as-path-ignore enable' command.
Scope: FortiGate.
Solution

In FortiGate firewalls, BGP configurations allow network administrators to fine-tune path selection for optimal routing. One such tuning option is the command 'set bestpath-as-path-ignore enable', which instructs BGP to ignore the AS path length during the best path selection process.

 

By default, BGP uses a multi-step algorithm to select the best path for a prefix. One key step compares the AS path length: shorter AS paths are preferred as they typically indicate fewer hops and potentially lower latency or better performance. However, in certain scenarios, one might want to prioritize other attributes (e.g., local preference, Multi-Exit Discriminator (MED), or IGP metric) over AS path length. Enabling bestpath-as-path-ignore skips this comparison, allowing paths with longer AS paths to be selected if they excel in other criteria.

 

For example, in a scenario with FortiGate devices in AS 65001 (spokes) peering with a central FortiGate in AS 65006 (hub), and an external AS 65007 introducing variable path lengths, enabling this could ensure selection based on MED or local preference for better traffic engineering.

Scenario Description.

Consider a simplified network topology based on a FortiGate setup:

  • FGT-1 (AS 65001): Acts as a spoke router, advertising prefixes like 11.11.11.0/24 and receiving routes from peers.
  • FGT-6 (AS 65006): Acts as a hub router, peering with multiple spokes in AS 65001 and an external AS 65007.
  • Multiple eBGP peers between FGT-1 and FGT-6 over tunnels (e.g., via IPs like 101.101.101.1 and 201.201.201.1).
  • An external network in AS 65007 advertises prefixes like 77.77.77.0/24, reachable via paths of varying AS lengths (e.g., direct vs. via another AS).
  • Without ignoring the AS path, BGP might select a longer but suboptimal path. Enabling the command shifts focus to other attributes.

 

To demonstrate, the command is configured on FGT-6, where multiple paths to 77.77.77.0/24 exist: one with AS path length 2 (65001 65007) and another with length 3 (65001 65002 65007, simulated via prepending).

To enable bestpath-as-path-ignore on a FortiGate, run the following in the CLI. The setting applies globally to the BGP process.

config router bgp
    set bestpath-as-path-ignore enable
end

 

Note: This does not affect other path selection steps; it only skips AS path length comparison.
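
The effect of skipping that one step, as an added example (not Fortinet code and not part of the original article): a simplified model of the standard BGP decision order, assumed here to apply, run over the two scenario paths to 77.77.77.0/24. The MED values are constructed and both paths keep the default local preference, so the AS path step is the one that decides.

```python
from dataclasses import dataclass
from functools import reduce

# Assumption: simplified standard BGP decision order, not FortiOS source code.
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}  # lower rank is preferred


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple
    local_pref: int = 100
    med: int = 0
    origin: str = "IGP"


def prefer(a, b, as_path_ignore=False):
    """Return the preferred of two paths to the same prefix."""
    # 1. Highest local preference wins.
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    # 2. Shortest AS path wins, unless bestpath-as-path-ignore skips the step.
    if not as_path_ignore and len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    # 3. Lowest origin type wins.
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 4. Lowest MED wins, compared only between paths from the same neighbor AS.
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return a if a.med < b.med else b
    # 5. Simplified final tie-break: keep the path seen first.
    return a


def best_path(paths, as_path_ignore=False):
    return reduce(lambda a, b: prefer(a, b, as_path_ignore), paths)


# Constructed sample: scenario next hops and AS paths, MED values invented.
PATHS = [
    Path("101.101.101.1", (65001, 65007), med=50),
    Path("201.201.201.1", (65001, 65002, 65007), med=10),
]

if __name__ == "__main__":
    for flag in (False, True):
        best = best_path(PATHS, as_path_ignore=flag)
        print(f"as-path-ignore={flag}: best via {best.next_hop} med={best.med}")
```

With the flag off the shorter path via 101.101.101.1 wins at step 2; with it on, the decision falls through to MED and the prepended path via 201.201.201.1 is selected.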

Optional: configure other attributes for testing. To make the effect visible, ensure the paths differ in AS path length but have varying local preference or MED.

Example: Set local preference on one neighbor.

 
config router bgp
    config neighbor
        edit "101.101.101.1"
            set local-preference 200 <----- Higher preference on this neighbor.
        next
    end
end

Full example config snippet for FGT-6:

 

config router bgp
    set as 65006
    set bestpath-as-path-ignore enable <----- Key command here.
    config neighbor
        edit "101.101.101.1"
            set capability-graceful-restart enable
            set soft-reconfiguration enable
            set remote-as 65001
            set local-preference 200 <----- Prefer this path despite longer AS.
        next
    end
end
 
Verification:

To illustrate the effect, here is output from FGT-6 showing two paths to 77.77.77.0/24:

  • Path 1 (via 101.101.101.1): AS path 65001 65007 (length 2), local pref 100.
  • Path 2 (via 201.201.201.1): AS path 65001 65002 65007 (length 3, longer due to prepending), local pref 200.

 

Before enabling bestpath-as-path-ignore (Default: Shorter AS path preferred):

Best path: Shorter AS path selected, ignoring higher local pref.

 

FGT-6 # get router info bgp network 77.77.77.0/24
VRF 0 BGP routing table entry for 77.77.77.0/24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Original VRF 0
65001 65007 # Shorter path (length 2)
101.101.101.1 from 101.101.101.1 (19.19.19.19)
Origin IGP metric 0, localpref 100, valid, external, best
Last update: Tue Aug 26 12:15:57 2025
Original VRF 0
65001 65002 65007 # Longer path (length 3)
201.201.201.1 from 201.201.201.1 (19.19.19.19)
Origin IGP metric 0, localpref 200, valid, external
Last update: Tue Aug 26 12:15:57 2025
 
After enabling bestpath-as-path-ignore (Ignores length, selects based on local pref):

Best path: Longer AS path selected because local preference is higher, as AS length is ignored.

 

FGT-6 # get router info bgp network 77.77.77.0/24
VRF 0 BGP routing table entry for 77.77.77.0/24
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Original VRF 0
65001 65007 # Shorter path
101.101.101.1 from 101.101.101.1 (19.19.19.19)
Origin IGP metric 0, localpref 100, valid, external
Last update: Tue Aug 26 12:15:57 2025
Original VRF 0
65001 65002 65007 # Longer path now best due to higher local pref
201.201.201.1 from 201.201.201.1 (19.19.19.19)
Origin IGP metric 0, localpref 200, valid, external, best
Last update: Tue Aug 26 12:15:57 2025
 
Routing Table Impact:
 
FGT-6 # get router info routing-table database
B *> 77.77.77.0/24 [20/0] via 201.201.201.1 (recursive via tunnel), 00:05:00, [1/0] <----- Now uses the preferred path.
 