FortiGate
shahrukh_khan
Article Id 424019
Description This article describes the use case of Bidirectional Forwarding Detection (BFD) with a static route.
Scope FortiGate.
Solution

Bidirectional Forwarding Detection (BFD) is designed to detect failures in the bidirectional path between two forwarding engines quickly. In FortiGate devices running FortiOS, BFD can be integrated with static routes to provide faster failover compared to traditional methods.

When BFD is enabled on a static route, FortiGate monitors the reachability of the next-hop gateway using BFD control packets. If the BFD session goes down (indicating a path failure), the associated static route is withdrawn from the routing table. When the session recovers, the route is reinstated. This enables rapid convergence in redundant setups using multiple static routes with different priorities or administrative distances.

Topology:

Consider two FortiGate devices, with redundant paths simulated through backup gateways:

  • FortiGate A (primary device with static routes):
    port1 IP: 10.180.6.237/20.
  • FortiGate B (next-hop peer):
    port1 IP: 10.180.4.136/20.

Destination host/network: 1.1.1.1/32 (behind FortiGate B or reachable via gateways).
Backup gateway: 10.180.2.44 (higher administrative distance for failover).
The goal is to use BFD on the primary static route (via 10.180.4.136) for fast detection.

Configuration Steps:

Step 1: Enable BFD on the Interface (Both FortiGates).
On FortiGate A and FortiGate B:

config system interface
    edit "port1"
        set bfd enable
        # Optional: tune the timers (values in milliseconds): desired min tx,
        # required min rx, detect multiplier. With 250 ms intervals and a
        # multiplier of 3, a failed peer is detected in about 750 ms.
        set bfd-desired-min-tx 250
        set bfd-required-min-rx 250
        set bfd-detect-mult 3
    next
end

Step 2: Configure the BFD Neighbor (Recommended on the Peer or Both Sides).
To ensure proper session establishment, configure the neighbor explicitly. The neighbor entry is keyed by the peer's address on the shared interface, so the entry below is the one FortiGate A needs; on FortiGate B the corresponding entry uses FortiGate A's port1 address (10.180.6.237). In the FortiOS CLI the neighbor is defined inside the neighbor table of config router bfd:

config router bfd
    config neighbor
        edit "10.180.4.136"
            set interface "port1"
        next
    end
end

Step 3: Configure Static Routes with BFD (On FortiGate A):

config router static
    # Primary route, tracked by BFD (keeps the default distance of 10)
    edit 1
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.4.136
        set device "port1"
        set bfd enable
    next
    # Backup route (higher distance for failover)
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.2.44
        set device "port1"
        set distance 20
    next
end

Verification commands:

get router info bfd neighbor

get router info bfd neighbor detail

get router info routing-table all

Troubleshooting:

Capture BFD packets (UDP port 3784 for control packets, 3785 for echo packets if echo is used):

diagnose sniffer packet any "port 3784" 4

Enable BFD debug:

diagnose debug application bfdd -1
diagnose debug enable
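As an added example (not part of this article and not FortiOS code), the Python below decodes the BFD control packets that the sniffer filter above captures (the 24-byte mandatory section of RFC 5880, with the discard checks the RFC requires), computes the detection time that the Step 1 timers produce, and models the Step 3 rule that a BFD-tracked static route is withdrawn while its session is down and the backup route with the higher distance takes over. The sample packet, its discriminators and the route list are constructed here; route 1 is assumed to keep the FortiOS default static distance of 10. Note that the sniffer at verbosity 4 prints only packet headers, so to feed real payload bytes into the decoder you would capture at a verbosity that prints packet data (3 or 6) and hex-decode the payload.

```python
"""RFC 5880 BFD Control decoder plus the static-route failover rule described above.
Added example, not FortiOS code; the sample packet and routes are constructed here."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAG_NAMES = {0: "No Diagnostic", 1: "Control Detection Time Expired",
              2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
              4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
              7: "Administratively Down", 8: "Reverse Concatenated Path Down"}


@dataclass(frozen=True)
class BfdControl:
    """Fields of the 24-byte mandatory section (RFC 5880 section 4.1)."""
    diag: int
    state: int
    poll: bool
    final: bool
    detect_mult: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    @property
    def state_name(self) -> str:
        return STATE_NAMES[self.state]

    @property
    def diag_name(self) -> str:
        return DIAG_NAMES.get(self.diag, f"Reserved({self.diag})")


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Decode a UDP/3784 payload, applying the discard rules of RFC 5880 section 6.8.6."""
    if len(payload) < 24:
        raise ValueError("payload shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = struct.unpack(
        "!BBBBIIIII", payload[:24])
    version, diag = b0 >> 5, b0 & 0x1F            # Vers(3) | Diag(5)
    state, auth = b1 >> 6, bool(b1 & 0x04)        # Sta(2) | P F C A D M
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if length < 24 or length > len(payload):
        raise ValueError(f"Length {length} inconsistent with {len(payload)}-byte payload")
    if auth and length < 26:
        raise ValueError("A bit set but Length leaves no room for an Auth Section")
    if my_disc == 0:
        raise ValueError("My Discriminator must be non-zero")
    if your_disc == 0 and state not in (0, 1):
        raise ValueError("Your Discriminator is zero but state is not Down/AdminDown")
    return BfdControl(diag, state, bool(b1 & 0x20), bool(b1 & 0x10), mult,
                      my_disc, your_disc, tx, rx, echo)


def build_bfd_control(state: int, detect_mult: int, my_disc: int, your_disc: int,
                      tx_us: int, rx_us: int, diag: int = 0, echo_us: int = 0) -> bytes:
    """Encode a minimal unauthenticated BFD Control packet (used to build samples)."""
    return struct.pack("!BBBBIIIII", (1 << 5) | (diag & 0x1F), (state & 0x3) << 6,
                       detect_mult, 24, my_disc, your_disc, tx_us, rx_us, echo_us)


def detection_time_ms(local_required_min_rx_us: int, remote: BfdControl) -> float:
    """RFC 5880 section 6.8.4: remote Detect Mult x max(local Required Min RX,
    remote Desired Min TX); the longest a dead peer can go unnoticed."""
    return remote.detect_mult * max(local_required_min_rx_us,
                                    remote.desired_min_tx_us) / 1000


@dataclass(frozen=True)
class StaticRoute:
    gateway: str
    distance: int
    bfd: bool = False


def active_gateway(routes: List[StaticRoute], bfd_up: Dict[str, bool]) -> Optional[str]:
    """The article's rule: a BFD-tracked static route stays installed only while its
    session is Up; among installed routes the lowest administrative distance wins."""
    eligible = [r for r in routes if not r.bfd or bfd_up.get(r.gateway, False)]
    return min(eligible, key=lambda r: r.distance).gateway if eligible else None


# Constructed sample: FortiGate B (10.180.4.136) reporting Up with the Step 1 timers
# (250 ms = 250000 us, multiplier 3). Discriminators are arbitrary.
SAMPLE_FROM_B = build_bfd_control(state=3, detect_mult=3, my_disc=0x1001,
                                  your_disc=0x2002, tx_us=250_000, rx_us=250_000)
# Step 3 routes; route 1 is assumed to keep the FortiOS default static distance of 10.
PAGE_ROUTES = [StaticRoute("10.180.4.136", 10, bfd=True), StaticRoute("10.180.2.44", 20)]

if __name__ == "__main__":
    pkt = parse_bfd_control(SAMPLE_FROM_B)
    print(f"peer {pkt.state_name}/{pkt.diag_name}, detection {detection_time_ms(250_000, pkt):.0f} ms")
    for up in (True, False):
        print(f"BFD up={up}: 1.1.1.1 via {active_gateway(PAGE_ROUTES, {'10.180.4.136': up})}")
```

The detection-time function is the number to check when tuning Step 1: the multiplier applies to the larger of your own required-min-rx and the peer's advertised desired-min-tx, so a peer that advertises a slower transmit interval than you expect silently lengthens your failover time. The diag field of a Down packet (for example "Control Detection Time Expired" versus "Administratively Down") tells you whether the peer timed you out or was shut down on purpose, which is the first thing to read in a capture before turning on bfdd debug.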