FortiGate
akileshc
Staff
Article Id 225575
Description This article describes how to fine-tune BGP configurations to facilitate the fastest BGP route failovers on FortiGate.
Scope FortiGate.
Solution

BGP is perhaps the most widely used routing protocol on the Internet, and is commonly used within organizational networks as well. The default settings are intended for resource conservation in large (Internet) routing environments and can lead to significant failover times. For more aggressive failover, these values can be configured.

 

Configure the following timers to lower values as needed to enable the fastest route failovers: scan-time, advertisement-interval, keep-alive-timer, connect-timer and holdtime-timer.


CLI Syntax:

config router bgp
    set scan-time 'integer' <- Background scanner interval (sec), 0 to disable it (integer: minimum value 5, maximum value 60, default 60).
end

config router bgp
    config neighbor/neighbor-group
        edit 'ip'/'name'
            set advertisement-interval 'integer' <- Minimum interval (sec) between sending updates (integer: minimum value 1, maximum value 600, default 30).
            set keep-alive-timer 'integer' <- Keepalive timer interval (sec) (integer: minimum value 0, maximum value 65535) (default: <Global BGP value>).
            set holdtime-timer 'integer' <- Number of seconds after which the peer is marked dead. It should generally be three times the keep-alive-timer (integer: minimum value 3, maximum value 65535, or special value 0) (default: <Global BGP value>).
            set connect-timer 'integer' <- Number of seconds after initiating a TCP connection attempt to wait in the CONNECT state before dropping the existing TCP connection and trying again (integer: minimum value 1, maximum value 65535) (default: 120s).
        next
    end
end


Example:

config router bgp
    set keepalive-timer 5
    set holdtime-timer 15
    set scan-time 59
    config neighbor
        edit "10.10.20.1"
            set advertisement-interval 2
            set link-down-failover enable
            set connect-timer 2
        next
    end
end

 

In the case of IPsec, there are 2 more values that can be modified under DPD (dead peer detection):

  1. Retry count (default: 3).
  2. Retry interval (default: 20 Seconds).

 

Example:

config vpn ipsec phase1-interface
    edit "IPsec_tunnel"
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end

 

Reducing the DPD retry count and retry interval settings can accelerate the detection of dead remote gateways. For example, by setting the retry count to 2 attempts and the retry interval to 10 seconds, the time FortiGate takes to detect a dead gateway is reduced to 30 seconds: a 10-second idle time plus 20 seconds from two unanswered DPD messages.
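To see how the BGP timers above and the DPD settings in this section translate into a worst-case detection time, the following added example (not FortiGate code, and not part of the article) parses a FortiOS-style config snippet into nested dictionaries, resolves per-neighbor timers against the global BGP values, flags a hold time that is below three times the keepalive, and applies the article's DPD arithmetic (one idle interval plus one interval per unanswered probe). The config text is constructed to mirror the examples in this article; the global keepalive default of 60 seconds is an assumption, the other defaults are the ones quoted in the article.

```python
"""Parse FortiOS-style BGP/IPsec timer config and estimate worst-case
failure-detection times. Constructed example; not FortiGate code."""

# Constructed sample, modelled on the article's examples.
SAMPLE_CONFIG = """\
config router bgp
    set keepalive-timer 5
    set holdtime-timer 15
    set scan-time 59
    config neighbor
        edit "10.10.20.1"
            set advertisement-interval 2
            set link-down-failover enable
            set connect-timer 2
        next
        edit "10.10.30.1"
            set keep-alive-timer 10
            set holdtime-timer 20
        next
    end
end
config vpn ipsec phase1-interface
    edit "IPsec_tunnel"
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end
"""

DEFAULT_KEEPALIVE = 60          # assumed BGP/FortiOS default (not stated in the article)
DEFAULT_HOLDTIME = 180          # stated in the article
DEFAULT_DPD_RETRYCOUNT = 3      # stated in the article
DEFAULT_DPD_RETRYINTERVAL = 20  # stated in the article


def parse_fortios(text):
    """Turn FortiOS 'config/edit/set/next/end' text into nested dicts."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(cur)
            cur = cur.setdefault(line[7:], {})      # e.g. "router bgp", "neighbor"
        elif line.startswith("edit "):
            stack.append(cur)
            cur = cur.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cur[key] = value.strip().strip('"')
        elif line in ("next", "end"):
            cur = stack.pop()
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return root


def bgp_peer_report(cfg):
    """Per-neighbor effective timers, worst-case detection time and sanity checks."""
    bgp = cfg.get("router bgp", {})
    g_keep = int(bgp.get("keepalive-timer", DEFAULT_KEEPALIVE))
    g_hold = int(bgp.get("holdtime-timer", DEFAULT_HOLDTIME))
    report = {}
    for peer, n in bgp.get("neighbor", {}).items():
        keep = int(n.get("keep-alive-timer", g_keep))  # neighbor value overrides global
        hold = int(n.get("holdtime-timer", g_hold))
        warnings = []
        if hold == 0:
            warnings.append("hold timer disabled: peer is never declared dead by timer")
        elif hold < 3 * keep:
            warnings.append("holdtime-timer %d is below 3 x keep-alive-timer %d" % (hold, keep))
        report[peer] = {
            "keepalive_s": keep,
            "holdtime_s": hold,
            "link_down_failover": n.get("link-down-failover") == "enable",
            # Without link-down-failover a silent peer is only dropped once the hold time expires.
            "max_detect_s": hold,
            "warnings": warnings,
        }
    return report


def dpd_detect_time_s(phase1):
    """Dead-gateway detection time using the article's arithmetic: one idle
    interval, then dpd-retrycount unanswered probes one interval apart."""
    retry = int(phase1.get("dpd-retrycount", DEFAULT_DPD_RETRYCOUNT))
    interval = int(phase1.get("dpd-retryinterval", DEFAULT_DPD_RETRYINTERVAL))
    return interval * (1 + retry)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for peer, r in bgp_peer_report(cfg).items():
        print(peer, r)
    for name, p1 in cfg["vpn ipsec phase1-interface"].items():
        print(name, "DPD detection time:", dpd_detect_time_s(p1), "s")
```

With the sample config, peer 10.10.20.1 inherits the 5/15 second timers cleanly, peer 10.10.30.1 is flagged because its 20 second hold time is below three times its 10 second keepalive, and the IPsec tunnel resolves to the 30 second DPD detection time described above; an unconfigured tunnel resolves to 80 seconds with the default retry values.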

 

DPD is an IKEv1 protocol. If IKEv2 is in use, the number of IKE INFORMATIONAL messages sent will be different from the dpd-retry count, but the resulting failure detection time will be the same, see Technical Tip: IKEv2 retransmission and DPD.

 

Because IKE control traffic and tunnel data traffic use different Security Associations, data traffic through the tunnel (including BGP traffic) can fail while control traffic is unaffected. In this scenario, the tunnel will not show as down even though data traffic cannot pass. For this reason, it is strongly recommended to configure redundancy for critical traffic, such as redundant VPN links. For example, see Technical Tip: Route-based IPsec site to site redundant VPN failover using BGP.

 

Very often in scenarios with SD-WAN and ADVPN, BGP is configured on top of the IPsec tunnel. By default, FortiGate does not bring a peering down if the outgoing/binding interface is down. Instead, FortiGate actually waits for the hold time to expire.

 

FortiOS provides a mechanism to bring down the peering immediately when the binding interface goes down, for example when the IPsec tunnel is down. Consider this carefully if the IPsec tunnel flaps often, since BGP will then go down and come back up with every flap.

Another way is to adjust the 'holdtime-timer'. The default value is 180 seconds:

 

config router bgp
    set holdtime-timer 180 <- Default value is 180 seconds.
    config neighbor
        edit 192.168.4.1
            set link-down-failover enable <- Disabled by default.
        next
    end
end

 

For sub-second failover, consider implementing BFD first; it needs to be enabled under config system settings:

 

config system settings
    set bfd enable
end

 

And finally, it has to be enabled per-peer:

 

config router bgp
    set as 65001
    config neighbor
        edit 172.16.1.1
            set bfd enable
            set remote-as 65002
        next
    end
end

 

BFD timers may be set for the whole FortiGate globally:

config system settings
    set bfd {enable | disable}
    set bfd-desired-min-tx <ms>
    set bfd-required-min-rx <ms>
    set bfd-detect-mult <multiplier>
end

 

Alternatively, they can be set per interface:

 

config system interface
    edit <interface-name>
        set bfd {global | enable | disable}
        set bfd-desired-min-tx <ms>
        set bfd-required-min-rx <ms>
        set bfd-detect-mult <multiplier>
    next
end
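The global and per-interface BFD settings above only give a detection time once both ends have negotiated their intervals. The following added example (not FortiGate code, and not part of the article) resolves the `bfd {global | enable | disable}` interface setting against the system settings and then applies the RFC 5880 rule for the detection time: the remote detect multiplier times the larger of the local required-min-rx and the remote desired-min-tx, since a peer never sends faster than the other side agrees to receive. The numeric values, the interface names and the remote peer's settings are constructed; the setting names are the ones listed in the article.

```python
"""BFD detection time (RFC 5880, section 6.8.4) for FortiOS-style global and
per-interface settings. Constructed example; not FortiGate code."""

# Constructed system-wide settings (keys as in 'config system settings').
SYSTEM_BFD = {"bfd": "enable", "bfd-desired-min-tx": 250,
              "bfd-required-min-rx": 250, "bfd-detect-mult": 3}

# Constructed per-interface settings (keys as in 'config system interface').
INTERFACES = {
    "port1": {"bfd": "global"},                      # inherit the system values
    "wan1":  {"bfd": "enable", "bfd-desired-min-tx": 100,
              "bfd-required-min-rx": 100, "bfd-detect-mult": 3},
    "port3": {"bfd": "disable"},
}

# Constructed values advertised by the remote BFD peer.
REMOTE_PEER = {"tx": 200, "rx": 250, "mult": 3}


def effective_bfd(system, iface):
    """Resolve 'set bfd {global | enable | disable}' on an interface.
    Returns the local tx/rx/mult in use, or None when BFD is off."""
    mode = iface.get("bfd", "global")
    if mode == "global":
        if system.get("bfd") != "enable":
            return None
        src = system
    elif mode == "enable":
        src = {**system, **iface}   # interface values override, system fills gaps
    else:
        return None
    return {"tx": int(src["bfd-desired-min-tx"]),
            "rx": int(src["bfd-required-min-rx"]),
            "mult": int(src["bfd-detect-mult"])}


def bfd_detection_time_ms(local, remote):
    """Milliseconds until `local` declares `remote` down:
    remote Detect Mult x max(local Required Min RX, remote Desired Min TX)."""
    return remote["mult"] * max(local["rx"], remote["tx"])


def failover_comparison(system, ifaces, remote, holdtime_s):
    """For each interface, BFD detection time (both directions) next to the
    BGP hold time that would otherwise apply."""
    out = {}
    for name, iface in ifaces.items():
        local = effective_bfd(system, iface)
        entry = {"bgp_holdtime_ms": holdtime_s * 1000,
                 "bfd_local_detects_remote_ms": None,
                 "bfd_remote_detects_local_ms": None}
        if local is not None:
            entry["bfd_local_detects_remote_ms"] = bfd_detection_time_ms(local, remote)
            entry["bfd_remote_detects_local_ms"] = bfd_detection_time_ms(remote, local)
        out[name] = entry
    return out


if __name__ == "__main__":
    for name, row in failover_comparison(SYSTEM_BFD, INTERFACES, REMOTE_PEER, 15).items():
        print(name, row)
```

With these values, port1 (inheriting 250 ms / 250 ms / 3) declares the remote peer down after 3 x max(250, 200) = 750 ms, wan1 (100 ms / 100 ms / 3) after 3 x max(100, 200) = 600 ms, and port3 falls back to the 15 second BGP hold time; note that the faster interface timers on wan1 only help as far as the remote peer's own desired-min-tx allows.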