FortiGate
sdabhade
Staff
Article Id 210838
Description

This article describes the 'capability-route-refresh' in BGP.

Scope

FortiGate.
Solution
  1. By default, the 'capability-route-refresh' is enabled under the BGP neighbor.

 

config router bgp
    config neighbor
        edit <BGP-NEIGHBOR-IP>
            set capability-route-refresh enable
        next
    end
end

 

  2. The Route Refresh capability must have been negotiated in the BGP OPEN message when the BGP session was established.

 

vdom2 # get router info bgp neighbors 10.144.127.1 | grep capabilities -A 1
Neighbor capabilities:
Route refresh: advertised and received (old and new)

 

If the remote peer is not configured for Route Refresh, FortiGate shows only 'advertised' and not 'received':

vdom2 # get router info bgp neighbors 10.144.127.1 | grep capabilities -A 1
Neighbor capabilities:
Route refresh: advertised

 

  3. Command to perform the route refresh:

 

Fortigate# execute router clear bgp ip <neighbor_ip> [in|out]

 

  • out: Resends all routes to the neighbor in BGP UPDATE messages without resetting the connection. Recommended when changing outbound policy. A ROUTE-REFRESH message is not required when resending outbound routes.
  • in: Sends a ROUTE-REFRESH request message to the BGP neighbor so that the neighbor resends all of its BGP routes in BGP UPDATE messages. Recommended when changing inbound policy.

 

Ensure that 'soft-reconfiguration' is disabled.

If soft-reconfiguration is enabled, FortiGate stores a local, unmodified copy of all routes received from the BGP neighbor and uses that copy when 'execute router clear bgp ip <neighbor_ip> in' is run. In this case FortiGate does not send any ROUTE-REFRESH message for the IPv4 address family.

The end result of a soft reset is the same with or without soft-reconfiguration enabled, but when it is enabled the FortiGate keeps an additional copy of the database, which consumes additional memory. See the article 'Technical Tip: BGP - Soft Reconfiguration vs. Route Refresh'.

 

config router bgp
    config neighbor
        edit <BGP-NEIGHBOR-IP>
            set capability-route-refresh enable
            set soft-reconfiguration disable
        next
    end
end


Note:

Changing a BGP capability setting hard-resets the BGP neighbor peering and impacts data traffic. Changing the soft-reconfiguration setting does not hard-reset the BGP peering.

  4. FortiGate does not support BGP capability code 70, 'Enhanced Route Refresh Capability' (RFC 7313).

 

If the BGP neighbor (a device from another vendor) advertises that capability, this does not prevent BGP negotiation from succeeding, provided FortiGate is using the default setting 'set ignore-optional-capability enable'.

 

config router bgp
    set ignore-optional-capability enable
end
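The capability exchange checked in step 2 and the code-70 point in step 4, as an added example that is not part of the original article or of FortiOS: a small Python parser for the Capabilities optional parameter of a BGP OPEN message, which reports whether a peer offered Route Refresh with the standard code (2), the pre-standard code (128, the 'old' one in FortiGate's output) or Enhanced Route Refresh (70), together with the 4-byte ROUTE-REFRESH body that the 'in' command sends. The AS number and neighbor address in the constructed sample OPEN are assumptions.

```python
import struct

# Capability codes from the IANA BGP capabilities registry.
CAP_MULTIPROTOCOL = 1            # RFC 4760
CAP_ROUTE_REFRESH = 2            # RFC 2918, the "new" code in FortiGate's output
CAP_ENHANCED_ROUTE_REFRESH = 70  # RFC 7313, not supported by FortiGate
CAP_ROUTE_REFRESH_OLD = 128      # pre-standard code, the "old" one in FortiGate's output
BGP_MARKER = b"\xff" * 16
BGP_OPEN, BGP_ROUTE_REFRESH = 1, 5

def build_open(my_as, bgp_id, capabilities, hold_time=180):
    """Build a BGP OPEN carrying one Capabilities optional parameter (type 2)."""
    caps = b"".join(struct.pack("!BB", code, len(v)) + v for code, v in capabilities)
    opt_param = struct.pack("!BB", 2, len(caps)) + caps
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, bgp_id, len(opt_param)) + opt_param
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body

def parse_open_capabilities(msg):
    """Return {capability_code: [value, ...]} found in the OPEN's optional parameters."""
    if msg[:16] != BGP_MARKER or msg[18] != BGP_OPEN:
        raise ValueError("not a BGP OPEN message")
    if struct.unpack("!H", msg[16:18])[0] != len(msg):
        raise ValueError("length field does not match message size")
    params, caps, i = msg[29:29 + msg[28]], {}, 0
    while i < len(params):
        ptype, plen = params[i], params[i + 1]
        value, i = params[i + 2:i + 2 + plen], i + 2 + plen
        if ptype != 2:
            continue  # only Capabilities parameters (RFC 5492) are of interest here
        j = 0
        while j < len(value):
            code, clen = value[j], value[j + 1]
            caps.setdefault(code, []).append(value[j + 2:j + 2 + clen])
            j += 2 + clen
    return caps

def route_refresh_status(caps):
    """Summarise the peer's offer in the terms the FortiGate CLI output uses."""
    new, old = CAP_ROUTE_REFRESH in caps, CAP_ROUTE_REFRESH_OLD in caps
    return {"route_refresh": new or old, "old_and_new": new and old,
            "enhanced_route_refresh": CAP_ENHANCED_ROUTE_REFRESH in caps}

def build_route_refresh(afi=1, safi=1):
    """ROUTE-REFRESH message (RFC 2918): 19-byte header + AFI, reserved, SAFI."""
    return BGP_MARKER + struct.pack("!HBHBB", 23, BGP_ROUTE_REFRESH, afi, 0, safi)

# Constructed sample (assumed AS and peer address): IPv4 unicast, both route-refresh codes, code 70.
SAMPLE_OPEN = build_open(65001, bytes([10, 144, 127, 1]),
                         [(CAP_MULTIPROTOCOL, b"\x00\x01\x00\x01"), (CAP_ROUTE_REFRESH, b""),
                          (CAP_ROUTE_REFRESH_OLD, b""), (CAP_ENHANCED_ROUTE_REFRESH, b"")])
```

Run `route_refresh_status(parse_open_capabilities(SAMPLE_OPEN))` to see the three flags; a peer that offers neither code 2 nor 128 corresponds to the 'advertised' only output above.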