Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
shahrukh_khan
Staff
Staff

Created on ‎12-15-2025 01:39 AM Edited on ‎12-23-2025 10:12 AM By Community Manager

Article Id 423106

Technical Tip: Bidirectional Forwarding Detection (BFD) with BGP

Description This article describes the process of configuring Bidirectional Forwarding Detection (BFD) with BGP.
Scope

FortiOS.
Solution

Bidirectional Forwarding Detection (BFD) is a lightweight, low-overhead protocol that provides rapid detection of failures in the bidirectional path between two forwarding engines. On FortiGates, BFD integrates seamlessly with dynamic routing protocols like Border Gateway Protocol (BGP) to accelerate neighbor failure detection and routing convergence.

 

This integration is particularly valuable in:

  • High-availability setups with redundant links.
  • Multi-homed eBGP connections to ISPs.
  • Large-scale ADVPN or SD-WAN overlays using BGP.

 

Configuration Steps:

 

Enable BFD Globally (recommended):

 

config system settings
    set bfd enable
    set bfd-desired-min-tx 250 <----- ms (default).
    set bfd-required-min-rx 250 <----- ms.
    set bfd-detect-mult 3 <----- Detection time ≈ 750 ms.
end

 

Enable BFD on interfaces:

config system interface
    edit "port1"
        set bfd enable # Or 'global' to inherit
        set bfd-desired-min-tx 300
        set bfd-required-min-rx 300
        set bfd-detect-mult 3
    next
end

 

Single-Hop eBGP with BFD:

 

On FortiGate A:

 

config router bgp
    set as 65001
    set router-id 1.1.1.1
        config neighbor
            edit "10.1.1.2"
                set remote-as 65002
                set bfd enable
            next
                end


Advertise networks as needed:


config network
    edit 1
        set prefix 192.168.1.0 255.255.255.0
    next
end

 

Repeat symmetrically on FortiGate B.

 

Multihop eBGP with BFD:

 

Additional steps for non-direct peers:

 

On FortiGate A:

 

config system settings
    set bfd enable
end

 

config system interface
    edit "port1"
        set bfd enable
    next
end

 

config router bgp
    set as 65001
        set router-id 1.1.1.1
            config neighbor
                edit "172.16.201.2" <----- IPv4 multihop peer.
                    set remote-as 65002
                    set bfd enable
                    set ebgp-enforce-multihop enable
                    set soft-reconfiguration enable
                next
                    edit "2000:172:16:201::2" # IPv6
                        set remote-as 65002
                        set bfd enable
                        set ebgp-enforce-multihop enable
                        set soft-reconfiguration enable
                    next
                end
            end

 

Multihop templates (optional for custom timers/auth).


config router bfd
    config multihop-template
        edit 1
            set src 172.16.200.0 255.255.255.0
            set dst 172.16.201.0 255.255.255.0
        next
    end
end

 

Verification Commands:

  • BFD Sessions: get router info bfd neighbor (IPv4) / get router info6 bfd neighbor (IPv6)
  • BGP Summary: get router info bgp summary
  • BGP Neighbors: get router info bgp neighbors <ip>
  • Routes: get router info routing-table bgp

 

Troubleshooting:

Capture BFD packets (UDP ports 3784 control, 3785 echo if used):

 

diagnose sniffer packet any "port 3784" 4

 

Enable BFD debugging:

 

diagnose debug application bfdd -1
diagnose debug enable
362
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.