Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aishaqui
Contributor

Created on ‎01-22-2024 10:53 PM Edited on ‎08-27-2025 01:28 AM By Moderator

Article Id 295458

Technical Tip: 'get router info bgp network x.x.x.x' shows the output for a prefix even if it does not match the route map

 

Description

This article describes that 'get router info bgp network x.x.x.x' shows the output for a prefix even if it does not match the route map.
Scope

FortiGate.
Solution

For example, consider a static route configured in FortiGate with a tag (in this case, 1122), and based on tag matching, it is necessary to filter static route redistribution into BGP.


config router static
    edit 2
        set dst 1.2.3.0 255.255.255.0
        set gateway 10.9.15.254
        set distance 254
        set device "port17"
    next
    edit 3
        set dst 4.5.6.0 255.255.255.0
        set gateway 10.9.15.254
        set distance 254
        set device "port17"
        set tag 1122
    next
end

  • Create a route map as below:


FGT # config router route-map
    edit "match-tag"
        config rule
            edit 1
                set match-tag 1122
            next
            edit 2
                set action deny
            next
        end
    next
end

  • Use route-map 'match-tag' in BGP configuration:

 

FGT # config router-bgp
    config redistribute "static"
        set status enable
        set route-map "match-tag"
    end
end


The output of 'get router info bgp network' shows a prefix (in this case 4.5.6.0) in the output since the static route for this prefix has tag 1122. It is also possible to confirm this but checking the learned routes on the remote BGP peer by using the command 'get router info bgp neighbor x.x.x.x received-routes'.

 

FGT # get router info bgp network <--- Shows the BGP database.
VRF 0 BGP table version is 1, local router ID is 10.9.0.187
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight RouteTag Path
*> 4.5.6.0/24 10.9.15.254 32768 0 ? <-/1>

Total number of prefixes 1


But if the output of 'get router info bgp network x.x.x.x' is checked, the output for all prefixes which are matching tags and which are not will be visible.


FG1K5D-1 # get router info bgp network 1.2.3.0
VRF 0 BGP routing table entry for 1.2.3.0/24
Paths: (1 available, no best path)
  Not advertised to any peer
  Original VRF 0
  Local
    10.9.15.254 (inaccessible) from 0.0.0.0 (10.9.0.187)
      Origin incomplete, localpref 100, weight 32768, valid, sourced
      Last update: Wed Dec 31 19:00:00 1969

FG1K5D-1 # get router info bgp network 4.5.6.7
VRF 0 BGP routing table entry for 4.5.6.0/24
Paths: (1 available, best 1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
   10.9.0.210
  Original VRF 0
  Local
    10.9.15.254 from 0.0.0.0 (10.9.0.187)
      Origin incomplete, tag 1122, localpref 100, weight 32768, valid, sourced, best
      Last update: Thu Jan 11 09:29:14 2024

 

This is expected behavior, even though the FortiGate will display the output of 'get router info bgp network x.x.x.x' for the prefix, even if it does not match the route map, but it mentions that this is inaccessible and 'Not advertised to any peer', while the prefix that matches the route map clearly shows 'Advertised to non-peer-group peers'.

 

2880
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.