BGP on the Fortigate FW is configured with an aggregate address to summarize all 10.x.x.x networks to 10.0.0.0/8. In the routing table, we can see a "10.0.0.0/8 Null" entry due to this summarization. If no more specific routes within 10.0.0.0/8 are learned from BGP peers, the above "10.0.0.0/8 Null" entry should not stay in the routing table, since there are no more specific prefixes learned via BGP. In our case, the Fortigate FW learned the 10.0.0.0/8 route from its internal neighbour via BGP. But the FortiGate FW decided to keep "10.0.0.0/8 Null" in the routing table instead of the 10.0.0.0/8 learned from the other BGP peer.
I tested this scenario on a Cisco router: when aggregate-address 10.0.0.0/8 is configured and there are no more specific routes learned from the BGP peer, the Cisco router will install the 10.0.0.0/8 learned from the BGP neighbour, which is exactly the same as the aggregate address, into the routing table instead of "10.0.0.0/8 Null".
Does anyone know if the Fortigate FW changes this behaviour in the latest version? This breaks our redundancy design, which works fine on a Cisco router but not on the Fortigate FW.
I very much appreciate your help.
I would like to clarify my question to see if someone knows the answer.
For example, the Fortigate FW has eBGP peers with Router A and Router B respectively. The FW learned some 10.x.x.x prefixes from Router A, so an aggregate-address was configured to summarize all 10.x.x.x networks to 10.0.0.0/8. A "10.0.0.0/8 null" entry is added to the routing table automatically as well due to this summarization.
Now the FW loses its connectivity to Router A, and the specific routes of the 10.x.x.x networks are no longer learned from Router A. Meanwhile, the FW learns the 10.0.0.0/8 prefix from Router B, which is the same prefix as the summarized entry on the FW. If this scenario happens on a Cisco router, the Cisco router will install the 10.0.0.0/8 learned from Router B into the routing table, and the local summarized entry "10.0.0.0/8 null" will be removed since no specific 10.x.x.x subnets are learned any more. But the FortiGate FW will keep the local summarized entry "10.0.0.0/8 null" in the routing table instead.
In our case, Router B is our backup router. When the FW loses the connection to Router A, it should forward packets with a destination IP of 10.x.x.x to Router B by following the prefix 10.0.0.0/8 learned from Router B. This works fine in the Cisco environment but is broken on the FortiGate FW, since the "10.0.0.0/8 null" entry stays in the routing table.
My question is whether Fortinet has changed this behavior.
A topology would help, but let's assume info that we don't have or that's not clear.
You're sending the 10.0.0.0/8 or a network(s) via BGP peer A, and what do you have configured in the Fortigate?
2nd, are router A & B configured the same, using "aggregate-address" with summary-only to drop all other prefixes caught in the summary? (Your explanation leaves a lot of information out.)
3rd, when you fail router A, what's being sent specifically by router prefixes (summary only, summary plus more specifics, etc.)?
4th, the same applies when you have router A only and router B is down. Basically, what do router A/B and the Fortigate advertise?
5th, are you TRYING TO SUMMARIZE IN THE FIREWALL? (I believe you are, but it's not clear, even with this new information.)
Basically, provide a copy of the BGP router tables & configurations (so we can see all BGP attributes, local_prefs, etc.).
Start with the CLI commands get router info bgp and show router bgp, and the config aggregate-address if you're aggregating in the firewall.
BTW, I never heard of anybody trying to summarize networks learned via an eBGP advertisement. It is doable, but I don't know how route summarization works in a firewall like Fortigate. Summarizing like that can lead to black holes that tend to drop traffic, because the summary route "says I have this network path, send traffic to me". I only tend to aggregate routes that I advertise, not what's received.
PCNSE
NSE
StrongSwan
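To make the failover problem from the original question and the black-hole concern in the reply above concrete, here is an added Python model (not code from the thread, Fortinet or Cisco) of a routing table that holds BGP-learned prefixes plus a locally configured aggregate. The `keep_discard_route` flag switches between the two behaviours the poster describes: the discard route disappearing once no contributor is left (reported for Cisco) versus staying in the table (reported for FortiGate). Peer names, the 192.0.2.x next hops and the 10.5.0.0/16 and 10.6.0.0/16 contributors are constructed for the example; the model only covers what the thread states and is not a full BGP best-path implementation.

```python
"""Model of an aggregate-address discard route competing with a peer-learned
route for the identical prefix, plus a check for destinations that end up on
Null0 even though a peer offers a covering route.  Constructed example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

NULL0 = "Null0"  # discard next hop installed for a locally generated aggregate


class Rib:
    def __init__(self, aggregates: List[str], keep_discard_route: bool):
        # keep_discard_route=False: the Null0 entry exists only while a more
        # specific contributor is learned, so an exact-match learned route can be
        # installed (behaviour the poster reports for Cisco).
        # keep_discard_route=True: the Null0 entry stays regardless (behaviour
        # the poster reports for FortiGate).
        self.aggregates = [ipaddress.ip_network(a) for a in aggregates]
        self.keep_discard_route = keep_discard_route
        # prefix -> (next_hop, peer it was learned from)
        self.learned: Dict[ipaddress.IPv4Network, Tuple[str, str]] = {}

    def learn(self, prefix: str, next_hop: str, peer: str) -> None:
        self.learned[ipaddress.ip_network(prefix)] = (next_hop, peer)

    def withdraw_peer(self, peer: str) -> None:
        """Drop every prefix learned from a peer (session to that peer lost)."""
        self.learned = {p: v for p, v in self.learned.items() if v[1] != peer}

    def table(self) -> Dict[ipaddress.IPv4Network, str]:
        """Installed routing table: prefix -> next hop."""
        rib = {p: nh for p, (nh, _) in self.learned.items()}
        for agg in self.aggregates:
            contributors = [p for p in self.learned if p != agg and p.subnet_of(agg)]
            if contributors or self.keep_discard_route:
                # locally originated aggregate wins: discard route is installed,
                # overriding any learned route for exactly the same prefix
                rib[agg] = NULL0
            # otherwise no aggregate is generated and a learned exact match
            # (if any) is already present from the copy above
        return rib

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the next hop or None if unrouted."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.table().items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def blackholed(self, dsts: List[str]) -> List[str]:
        """Destinations resolved to Null0 although some peer offers a covering route."""
        out = []
        for d in dsts:
            addr = ipaddress.ip_address(d)
            if self.lookup(d) == NULL0 and any(addr in p for p in self.learned):
                out.append(d)
        return out


def failover_scenario(keep_discard_route: bool) -> Tuple[Optional[str], List[str]]:
    """Router A sends 10.x specifics, Router B sends the bare 10.0.0.0/8, then the
    session to Router A fails.  Returns (next hop for 10.5.0.1, blackholed list)."""
    rib = Rib(["10.0.0.0/8"], keep_discard_route)
    rib.learn("10.5.0.0/16", "192.0.2.1", "A")   # constructed contributor
    rib.learn("10.6.0.0/16", "192.0.2.1", "A")   # constructed contributor
    rib.learn("10.0.0.0/8", "192.0.2.2", "B")    # backup path, same prefix as aggregate
    rib.withdraw_peer("A")
    return rib.lookup("10.5.0.1"), rib.blackholed(["10.5.0.1", "10.99.0.1"])


if __name__ == "__main__":
    for mode in (False, True):
        nh, bh = failover_scenario(mode)
        print(f"keep_discard_route={mode}: 10.5.0.1 -> {nh}, blackholed={bh}")
```

With `keep_discard_route=False` the failover resolves 10.5.0.1 to Router B's next hop and nothing is blackholed; with `True` the stale Null0 entry wins and every 10.x destination is discarded even though Router B advertised a usable /8. The `blackholed()` check is the kind of assertion worth running against a routing table dump after a planned failover test, before relying on the aggregate for redundancy.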
Copyright 2025 Fortinet, Inc. All Rights Reserved.