shahrukh_khan
Staff
December 21, 2025

Technical Tip: Bidirectional Forwarding Detection (BFD) with static routes

Description

This article describes the use case of Bidirectional Forwarding Detection (BFD) with a static route.

Scope

FortiGate.

Solution

Bidirectional Forwarding Detection (BFD) is a lightweight hello protocol that quickly detects failures in the bidirectional path between two forwarding engines, independently of any routing protocol. On FortiGate devices running FortiOS, BFD can be tied to static routes to provide much faster failover than the traditional behaviour, where a static route is only removed when its outgoing interface goes down, so an upstream failure that leaves the link up is never noticed.

When BFD is enabled on a static route, FortiGate monitors the reachability of the next-hop gateway using BFD control packets (UDP port 3784 for single-hop sessions). If the BFD session goes down, indicating a path failure, the associated static route is withdrawn from the routing table; when the session recovers, the route is reinstated. This enables rapid convergence in redundant setups that use multiple static routes to the same destination with different administrative distances or priorities.

Topology:

Consider two FortiGate devices, with redundant paths simulated through backup gateways:

  • FortiGate A (primary device with static routes):
    port1 IP: 10.180.6.237/20.
  • FortiGate B (next-hop peer):
    port1 IP: 10.180.4.136/20.

 

  • Destination host/network: 1.1.1.1/32 (behind FortiGate B or reachable via the gateways).
  • Backup gateway: 10.180.2.44 (static route with a higher administrative distance, used for failover).

The goal is to use BFD on the primary static route (via 10.180.4.136) for fast failure detection.

Configuration steps:

Step 1: Enable BFD on the interface (both FortiGates).
On FortiGate A and FortiGate B, enable BFD on port1. The timer values are optional and are expressed in milliseconds; with 250/250/3 configured on both sides, a failure is declared after three missed control packets, about 750 ms. BFD negotiates the interval with the peer, so a peer that transmits more slowly lengthens the effective detection time.

config system interface
    edit "port1"
        set bfd enable
        set bfd-desired-min-tx 250
        set bfd-required-min-rx 250
        set bfd-detect-mult 3
    next
end


Step 2: Configure the BFD neighbor on the peer.
BFD is a two-way session, so FortiGate B must also run BFD towards FortiGate A. FortiGate A starts a session to its gateway automatically once the static route in Step 3 has BFD enabled, but FortiGate B has no such route, so the neighbor must be configured explicitly on B. The neighbor entry is keyed by the peer's address, so on FortiGate B it is 10.180.6.237 (FortiGate A); configuring the mirror entry on FortiGate A with 10.180.4.136 is harmless and makes the session independent of the static route.

On FortiGate B:

config router bfd
    config neighbor
        edit "10.180.6.237"
            set interface "port1"
        next
    end
end


Step 3: Configure the static routes with BFD (on FortiGate A).
Route 1 is the primary path and is tied to the BFD session with 10.180.4.136. Route 2 is the backup with distance 20 (static routes default to distance 10), so it is only installed once route 1 has been withdrawn. The backup route has no BFD because 10.180.2.44 is not running BFD in this example; its reachability is not monitored.

config router static
    # Primary route, withdrawn when the BFD session to the gateway goes down
    edit 1
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.4.136
        set device "port1"
        set bfd enable
    next
    # Backup route, higher distance so it is only installed on failover
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.2.44
        set device "port1"
        set distance 20
    next
end


Verification commands:

Check that the BFD session to the gateway is UP and that the primary route is installed:

get router info bfd neighbor

get router info bfd neighbor detail

get router info routing-table all

After a failure, the primary route disappears from the active routing table and the backup route appears. The withdrawn route is still listed as inactive in the routing database:

get router info routing-table database

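The following Python script is an added example, not part of this article or of Fortinet's tooling. It does two things a practitioner checking this setup wants: it computes the BFD detection time from the negotiated timers (RFC 5880: detect-mult times the larger of the local required-min-rx and the peer's desired-min-tx), showing that tuning only one FortiGate does not give the expected result, and it cross-checks a snapshot of the two verification commands to confirm the installed route follows the BFD state. The CLI output samples are constructed to resemble `get router info bfd neighbor` and `get router info routing-table all`; the column layout is an assumption and the regexes should be adjusted to the exact output of your FortiOS build.

```python
"""Added example (not Fortinet code): check a FortiGate static route against
its BFD session, and compute the BFD detection time.

Assumptions: the CLI samples below are CONSTRUCTED to resemble the output of
`get router info bfd neighbor` and `get router info routing-table all`; the
column layout is assumed, adjust the regexes to your FortiOS build.
"""
import re

# ---- BFD timers ------------------------------------------------------------

def bfd_detection_time_ms(local_required_min_rx, remote_desired_min_tx, detect_mult):
    """Milliseconds before the local side declares the session down (RFC 5880).

    The interval is negotiated: a peer transmitting every 1000 ms stretches a
    local 250 ms / detect-mult 3 configuration from 750 ms to 3000 ms.
    """
    return detect_mult * max(local_required_min_rx, remote_desired_min_tx)

# ---- CLI output parsers (column layout assumed) ------------------------------

BFD_ROW = re.compile(
    r"^\s*(?P<local>\d+\.\d+\.\d+\.\d+)\s+(?P<peer>\d+\.\d+\.\d+\.\d+)"
    r"\s+\S+\s+(?P<state>[A-Za-z]+)\s+(?P<intf>\S+)"
)

def parse_bfd_neighbors(text):
    """Map peer address -> session state ('UP', 'DOWN', ...)."""
    sessions = {}
    for line in text.splitlines():
        m = BFD_ROW.match(line)
        if m:
            sessions[m.group("peer")] = m.group("state").upper()
    return sessions

def parse_static_routes(text, prefix):
    """List (gateway, distance) for each installed static route to `prefix`.

    Matches lines such as: S  1.1.1.1/32 [10/0] via 10.180.4.136, port1, [1/0]
    """
    row = re.compile(
        r"^S\*?\s+" + re.escape(prefix)
        + r"\s+\[(?P<dist>\d+)/\d+\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),"
    )
    routes = []
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            routes.append((m.group("gw"), int(m.group("dist"))))
    return routes

# ---- expected versus observed ------------------------------------------------

# Static routes of FortiGate A from the article: (gateway, distance, bfd enabled)
CANDIDATES = [("10.180.4.136", 10, True), ("10.180.2.44", 20, False)]

def expected_gateway(bfd_sessions, candidates=CANDIDATES):
    """Gateway of the lowest-distance route whose BFD session (if any) is UP."""
    usable = [(gw, dist) for gw, dist, bfd in candidates
              if not bfd or bfd_sessions.get(gw) == "UP"]
    return min(usable, key=lambda r: r[1])[0] if usable else None

def observed_gateway(routes):
    """Gateway of the installed route with the lowest distance, None if absent."""
    return min(routes, key=lambda r: r[1])[0] if routes else None

def check_failover(bfd_output, route_output, prefix="1.1.1.1/32"):
    """Return (expected, observed, consistent) for one snapshot of both commands."""
    exp = expected_gateway(parse_bfd_neighbors(bfd_output))
    obs = observed_gateway(parse_static_routes(route_output, prefix))
    return exp, obs, exp == obs

# ---- constructed snapshots (not real device output) --------------------------

BFD_UP = """OurAddr         NeighAddr       LD/RD   State   Int
10.180.6.237    10.180.4.136    1/1     UP      port1
"""
ROUTES_UP = """S       1.1.1.1/32 [10/0] via 10.180.4.136, port1, [1/0]
"""
BFD_DOWN = """OurAddr         NeighAddr       LD/RD   State   Int
10.180.6.237    10.180.4.136    1/0     DOWN    port1
"""
ROUTES_DOWN = """S       1.1.1.1/32 [20/0] via 10.180.2.44, port1, [1/0]
"""

if __name__ == "__main__":
    print("detection time, both sides 250/250/3:", bfd_detection_time_ms(250, 250, 3), "ms")
    print("detection time, peer tx 1000 ms     :", bfd_detection_time_ms(250, 1000, 3), "ms")
    for name, bfd, routes in (("healthy", BFD_UP, ROUTES_UP), ("failed", BFD_DOWN, ROUTES_DOWN)):
        print(name, check_failover(bfd, routes))
```

Feed the script the real output of the two verification commands, taken at the same moment, to catch the case where the session is DOWN but the primary route is still installed (for example because BFD was enabled on the interface but not on the route).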

Troubleshooting:

Capture BFD packets (single-hop BFD control packets use UDP port 3784; echo packets, if used, UDP port 3785). A healthy session shows control packets flowing in both directions at the negotiated interval:

diagnose sniffer packet any "port 3784" 4

Enable BFD daemon debugging (run diagnose debug disable when finished):

diagnose debug application bfdd -1

diagnose debug enable


Limitation: BFD cannot be enabled on a default static route whose outgoing interface is an SD-WAN zone.

BFD on static routes in FortiOS (including the current 7.6.x releases) is designed for routes with a fixed next-hop: FortiGate probes the specific gateway IP over the specified device interface, and if the session goes down the route is withdrawn from the routing table, triggering failover to a backup route.

A default route (0.0.0.0/0) whose outgoing interface is an SD-WAN zone specifies no single device or gateway; the actual egress interface and next-hop are chosen dynamically by the SD-WAN rules, members and priorities, so there is no single next-hop for a BFD session to track.

Instead, use SD-WAN Performance SLAs (health checks under config system sdwan) or link health monitors. They provide equivalent fast-failure detection on the individual SD-WAN members and automatically remove unhealthy members from selection.


Related article:

Technical Tip: Bidirectional Forwarding Detection (BFD) with BGP