aionescu
Staff
Article Id 194570

Description

This article describes how to configure Bi-directional Forwarding Detection (BFD).

Scope

FortiGate.


Solution


The BFD timer variables are only available once BFD is enabled. They can be configured at global or interface level:

  • Preferred minimum transmit interval for BFD packets, in milliseconds: bfd-desired-min-tx. (Enter an integer value from <1> to <100000>; default = <250>.)
  • Required minimum receive interval for BFD packets, in milliseconds: bfd-required-min-rx. The FortiGate unit will not transmit BFD packets at a slower rate than this, in other words at an interval larger than this value. (Enter an integer value from <1> to <100000>; default = <250>.)
  • The number of times a packet is not detected before the BFD status is set to down: bfd-detect-mult. (Enter an integer value from <1> to <50>; default = <3>.)

Example configured on two FortiGates running firmware version 5.4 (BFD must be enabled first, since the timer settings are only available then; the blocks are closed with end so they can be pasted as-is):

Fortigate_A:

config sys settings
    set bfd enable
    set bfd-desired-min-tx 1000
    set bfd-required-min-rx 50000
    set bfd-detect-mult 2
end

Fortigate_B:

config sys settings
    set bfd enable
    set bfd-desired-min-tx 10000
    set bfd-required-min-rx 50000
    set bfd-detect-mult 2
end

Both bfd-desired-min-tx values satisfy the bfd-required-min-rx of 50000 ms.

Enable debugging:

diagnose ip router bfd all en
diagnose ip router bfd level info
diagnose debug enable

As of FortiOS 6.0, debugging is enabled by running the commands:

diagnose debug app bfdd -1
diagnose debug enable

Example of debug output:

2018-01-30 11:14:19 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Sending BFD packet"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Inactivity timer expired"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: bfd_session_send_packet_now"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD: Sending notification to protocol-id 4 client-type 8"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD register message"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Source Address: 10.151.1.44"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Destination Address: 10.151.1.75"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Interface index: 4"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Flags: Delete"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Client: OSPF"
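
As an added example (not code from the article or from Fortinet), the following Python parses routing-log lines in the format shown above and turns each UP -> DOWN transition into an alert, decoding local_diag with the RFC 5880 diagnostic codes; that mapping is an assumption about what FortiOS puts in that field, but 0x01 ("Control Detection Time Expired") is consistent with the preceding "Inactivity timer expired" line.

```python
import re

# RFC 5880 section 4.1 diagnostic codes; local_diag in the log is this value in hex (assumed)
BFD_DIAG = {0: "No Diagnostic", 1: "Control Detection Time Expired",
            2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
            4: "Forwarding Plane Reset", 5: "Path Down",
            6: "Concatenated Path Down", 7: "Administratively Down",
            8: "Reverse Concatenated Path Down"}

# "NSM: Session[src:dst,iface,id]: event" and the "NSM: BFD session[...]" variant
SESSION_RE = re.compile(r'msg="NSM: (?:BFD )?[Ss]ession\[(?P<src>[\d.]+):(?P<dst>[\d.]+),'
                        r'(?P<iface>\w+),(?P<sid>\d+)\]: (?P<event>[^"]*)"')
STATE_RE = re.compile(r"state (?P<old>\w+) -> (?P<new>\w+) local_diag=0x(?P<diag>[0-9a-fA-F]+)")

# Sample input: lines copied from the debug output above (timestamps and addresses as printed there)
SAMPLE_LOG = [
    '2018-01-30 11:14:19 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Sending BFD packet"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Inactivity timer expired"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"',
    '2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Client: OSPF"',
]

def parse_bfd_log(lines):
    """Return (timestamp, src, dst, iface, session_id, event) for each BFD session line."""
    events = []
    for line in lines:
        m = SESSION_RE.search(line)
        if m:  # register-message detail lines (Source Address, Client, ...) carry no session tuple
            events.append((line[:19], m["src"], m["dst"], m["iface"], int(m["sid"]), m["event"]))
    return events

def session_down_alerts(lines):
    """One alert per UP -> DOWN transition, de-duplicated across the Session/BFD session pair,
    with local_diag decoded so an operator can see why the session dropped."""
    alerts, seen = [], set()
    for ts, src, dst, iface, sid, event in parse_bfd_log(lines):
        s = STATE_RE.search(event)
        if not s or s["new"] != "DOWN":
            continue
        key = (ts, src, dst, iface, sid, s["old"], s["new"])
        if key in seen:
            continue
        seen.add(key)
        code = int(s["diag"], 16)
        alerts.append({"time": ts, "interface": iface, "local": src, "peer": dst,
                       "diag": BFD_DIAG.get(code, f"unknown (0x{code:02x})")})
    return alerts
```

Feeding the real routing log (for example a syslog export) through session_down_alerts gives one line per flap, which is easier to alert on than the raw four-line burst the daemon emits per transition.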

Sample of FortiGate router log:

To sniff BFD packets:

diagnose sniffer packet any "udp port 3784" 6 0 a

Sample BFD packets seen with packet decoder: