Article Id 300141
Description: This article describes issues where BGP advertising does not occur for a network defined under the 'prefix' command and offers possible solutions.
Scope: All supported FortiGate models.
Solution:

Introduction:

 

Consider the following topology:

 

[Topology diagram (diagram.JPG): FortiGate 1 and FortiGate 2 as iBGP peers in AS 65500]

 

Consider the following BGP configuration (only the relevant settings are shown):

 

FortiGate 1:

 

config system interface
    edit "port2"
        set vdom "root"
        set ip 10.11.12.1 255.255.255.252
    next
end
config router bgp
    set as 65500
    set router-id 10.9.11.84
    config neighbor
        edit "10.9.10.209"
            set remote-as 65500
        next
    end
    config network
        edit 1
            set prefix 10.11.12.0 255.255.255.0 <----- Misconfigured subnet mask, this will not be advertised to peer.
        next
    end
end

 

FortiGate 2:

 

config system interface
    edit "port2"
        set vdom "root"
        set ip 10.11.13.1 255.255.255.0
    next
end
config router bgp
    set as 65500
    set router-id 10.9.10.209
    config neighbor
        edit "10.9.11.84"
            set remote-as 65500
        next
    end
    config network
        edit 1
            set prefix 10.11.13.0 255.255.255.0 <----- Subnet mask is correct, this network will be advertised to peer.
        next
    end
end

 

Troubleshooting scenario:

 

In FortiGate 1, the port2 subnet is 10.11.12.0/30. However, the subnet mask configured for the 'prefix' is 10.11.12.0/24. This prevents FortiGate 1 from advertising the subnet to FortiGate 2, because no route for 10.11.12.0/24 is present in the routing table of FortiGate 1 (by default, 'network-import-check' only allows a 'network' prefix to be advertised when a matching route exists in the routing table).

 

Upon running the following commands, the results are as follows:

 

FortiGate 1:

 

get router info bgp neighbors 10.9.10.209 advertised-routes <----- Will not show the subnet as an advertised route.

 

FortiGate 2:

 

get router info bgp neighbors 10.9.11.84 received-routes <----- Will not show the subnet as a received route.

 

Possible solutions:

 

In order to advertise subnet 10.11.12.0/30 on FortiGate 1 to FortiGate 2, implement any of the following three solutions:

 

  1. Fix the subnet mask under the 'prefix' command.
  2. Disable the 'network-import-check' command.
  3. Enable 'redistribute connected'.

 

For information about the 'network-import-check' command see: Advertise a BGP route not present in the routing table using network-import-check 

 

Note: Solution 3 will force FortiGate 1 to advertise all connected subnets to FortiGate 2. If this is not desired, route-maps can be used to filter the advertised routes on FortiGate 1 or to filter the received routes on FortiGate 2.
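The advertisement logic described in this article, as an added Python example that is not part of the Fortinet article or of FortiOS: it parses the FortiGate 1 configuration shown above (embedded here as a constructed sample), models the routing table as the connected routes derived from the interface addresses, and predicts which prefixes the peer will see as configured and under each of the three solutions. The parse_fortios, predict_advertised and apply_solution functions are the example's own; the 'set network-import-check disable' and 'config redistribute "connected"' / 'set status enable' commands it inserts are the FortiOS CLI forms of solutions 2 and 3, which should be confirmed against the CLI reference for the firmware version in use.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample input (not a live device dump): the FortiGate 1 configuration
# from the article, with the /30 interface address and the mismatched /24 prefix.
FGT1_CONFIG = """\
config system interface
    edit "port2"
        set ip 10.11.12.1 255.255.255.252
    next
end
config router bgp
    set as 65500
    set router-id 10.9.11.84
    config neighbor
        edit "10.9.10.209"
            set remote-as 65500
        next
    end
    config network
        edit 1
            set prefix 10.11.12.0 255.255.255.0
        next
    end
end
"""


@dataclass
class BgpModel:
    connected: list = field(default_factory=list)  # networks derived from interface 'set ip'
    networks: list = field(default_factory=list)   # (entry id, network) from 'set prefix'
    import_check: bool = True                      # FortiOS default: network-import-check enabled
    redistribute_connected: bool = False


def parse_fortios(cfg: str) -> BgpModel:
    """Walk the FortiOS CLI block structure (config / edit / next / end) and keep
    only the settings that decide what BGP will advertise."""
    model = BgpModel()
    path = []  # stack of enclosing block names, e.g. ['router bgp', 'network', '1']
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, rest = line.partition(" ")
        rest = rest.replace('"', "").strip()
        if head in ("config", "edit"):
            path.append(rest)
        elif head in ("next", "end"):
            path.pop()
        elif head == "set":
            key, _, value = rest.partition(" ")
            if path[:1] == ["system interface"] and key == "ip":
                addr, mask = value.split()  # connected route = interface address masked
                model.connected.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            elif path[:1] == ["router bgp"]:
                if len(path) == 3 and path[1] == "network" and key == "prefix":
                    addr, mask = value.split()
                    model.networks.append((path[2], ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
                elif len(path) == 1 and key == "network-import-check":
                    model.import_check = value == "enable"
                elif len(path) == 2 and path[1] == "redistribute connected" and key == "status":
                    model.redistribute_connected = value == "enable"
    return model


def predict_advertised(model: BgpModel):
    """Return (advertised, suppressed): prefixes sent to the peer and 'network'
    entries dropped, each mapped to a reason. The routing table is modelled as the
    connected routes only, which is all the article's topology contains."""
    rib = set(model.connected)
    advertised, suppressed = {}, {}
    for entry, net in model.networks:
        if net in rib:  # network-import-check needs an exact prefix/mask match
            advertised[net] = f"network entry {entry}: route present in routing table"
        elif not model.import_check:
            advertised[net] = f"network entry {entry}: network-import-check disabled"
        else:
            suppressed[net] = f"network entry {entry}: no {net} route in routing table"
    if model.redistribute_connected:  # every connected subnet, regardless of 'network'
        for net in model.connected:
            advertised.setdefault(net, "redistribute connected")
    return advertised, suppressed


def apply_solution(cfg: str, solution: int) -> str:
    """Rewrite the sample configuration with one of the article's three fixes."""
    if solution == 1:  # correct the mask under 'config network'
        return cfg.replace("set prefix 10.11.12.0 255.255.255.0", "set prefix 10.11.12.0 255.255.255.252")
    if solution == 2:  # stop requiring the prefix to exist in the routing table
        return cfg.replace("    set router-id 10.9.11.84\n",
                           "    set router-id 10.9.11.84\n    set network-import-check disable\n")
    if solution == 3:  # advertise every connected subnet
        return cfg.replace("    config network\n",
                           '    config redistribute "connected"\n        set status enable\n    end\n    config network\n')
    raise ValueError(f"unknown solution {solution}")


if __name__ == "__main__":
    variants = [("as configured", FGT1_CONFIG)] + [(f"solution {s}", apply_solution(FGT1_CONFIG, s)) for s in (1, 2, 3)]
    for label, cfg in variants:
        adv, sup = predict_advertised(parse_fortios(cfg))
        print(f"{label}: advertised={[str(n) for n in adv]} suppressed={[str(n) for n in sup]}")
```

Running the script reproduces the article's result (nothing advertised while the 'network' entry is a /24 that does not exist as a route) and shows the difference between the fixes: solution 1 advertises 10.11.12.0/30 through the 'network' entry, solution 2 advertises the /24 exactly as typed even though no such route exists, and solution 3 advertises the /30 via redistribution while the /24 'network' entry remains suppressed, which is also why a route-map is needed when not every connected subnet should reach the peer.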

 

To configure route-maps see the documentation: Route maps.

 

Note: After implementing any of these solutions, allow some time for the BGP process to update its routing information before re-running the 'advertised-routes' and 'received-routes' commands above.