FortiGate
jiyong
Staff
Article Id 401656
Description This article describes an issue where IPv4 traffic passes through the FortiGate but IPv6 traffic does not, when source and destination address are the same.
Scope FortiGate.
Solution

In this scenario, BFD packets that carry the same source and destination address have to pass through the FortiGate.

BFD echo packets are designed to use the same source and destination IP address; the captures below show them on UDP port 3784. (RFC 5881 assigns UDP port 3784 to BFD control and 3785 to BFD echo; the port does not influence the drop described here.) The IPv4 packets pass through the FortiGate, but the IPv6 packets with the same addresses do not.

IPv4 (sniffer output; the packet enters on out_vrf and is forwarded out of port20):


2025-07-02 17:45:29.240053 out_vrf in 172.2.1.1.51324 -> 172.2.1.1.3784: udp 24
2025-07-02 17:45:29.240054 out_vrf out 172.2.1.1.51324 -> 172.2.1.1.3784: udp 24
2025-07-02 17:45:29.240055 Untrust out 172.2.1.1.51324 -> 172.2.1.1.3784: udp 24
2025-07-02 17:45:29.240056 port20 out 172.2.1.1.51324 -> 172.2.1.1.3784: udp 24

IPv6 (sniffer output; only the ingress packet on out_vrf is seen, there is no egress):


2025-07-02 17:45:35.513583 out_vrf in 172:2:1::1.52324 -> 172:2:1::1.3784: udp 24 [class 0xe0]
2025-07-02 17:45:35.700683 out_vrf in 172:2:1::1.53324 -> 172:2:1::1.3784: udp 24 [class 0xe0]
2025-07-02 17:45:37.616523 out_vrf in 172:2:1::1.52324 -> 172:2:1::1.3784: udp 24 [class 0xe0]

Debug flow output for the IPv6 packets:
id=65308 trace_id=2 func=resolve_ip6_tuple_fast line=5109 msg="vd-Traffic:0 received a packet(proto=17, 172:2:1::1:52324->172:2:1::1:3784) from out_vrf. "
id=65308 trace_id=2 func=ip6_session_core_in line=5600 msg="same src/dst address 172:2:1::1, drop"
id=65308 trace_id=3 func=resolve_ip6_tuple_fast line=5109 msg="vd-Traffic:0 received a packet(proto=17, 172:2:1::1:52324->172:2:1::1:3784) from out_vrf. "
id=65308 trace_id=3 func=ip6_session_core_in line=5600 msg="same src/dst address 172:2:1::1, drop"

When block-land-attack (config system settings) is disabled, which is the default, the IPv4 session path allows a packet whose source address equals its destination address ('saddr==daddr') to pass. The IPv6 session path does not consult the block-land-attack flag at all and drops such packets unconditionally, which is the 'same src/dst address ..., drop' message in the debug flow above. Enabling or disabling the setting therefore makes no difference for IPv6 on affected versions.

This behaviour is changed in FortiOS v7.6.4 and v8.0.0: the IPv6 session path then checks the block-land-attack flag in the same way as IPv4, so with the flag disabled IPv6 packets with the same source and destination address pass through. On earlier versions there is no configuration that allows such IPv6 packets through; upgrading is the only fix.
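The following is an added example, not FortiOS code or code from this article. It parses sniffer lines in the format shown above and applies the decision the article describes: IPv4 honours the block-land-attack flag, IPv6 before v7.6.4/v8.0.0 drops same src/dst packets regardless of the flag, and the fixed IPv6 path behaves like IPv4. The function session_verdict() is a hypothetical model of the ip_session_core_in / ip6_session_core_in decision, and the two src != dst flows in the sample input are constructed.

```python
"""Model of the FortiGate same-src/dst (land attack) decision for IPv4 vs IPv6.

Added example; not FortiOS code. session_verdict() is a hypothetical model of
the decision the article describes, not the real session-core implementation.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample input in the sniffer line format shown in the article.
# The first two lines reuse the article's addresses; the last two are made-up
# ordinary flows (src != dst) so the model is exercised on both cases.
SAMPLE_LINES = [
    "2025-07-02 17:45:29.240053 out_vrf in 172.2.1.1.51324 -> 172.2.1.1.3784: udp 24",
    "2025-07-02 17:45:35.513583 out_vrf in 172:2:1::1.52324 -> 172:2:1::1.3784: udp 24 [class 0xe0]",
    "2025-07-02 17:45:40.000000 out_vrf in 10.0.0.5.40000 -> 10.0.0.9.3784: udp 24",
    "2025-07-02 17:45:41.000000 out_vrf in 2001:db8::5.40000 -> 2001:db8::9.3784: udp 24 [class 0xe0]",
]

# "<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len> ..."
# The port is the digits after the last '.' of each address token, which works for
# dotted IPv4 and for IPv6 because greedy \S+ backtracks to the final dot.
_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)"
)


@dataclass
class Packet:
    ts: str
    intf: str
    direction: str
    src: IPAddr
    sport: int
    dst: IPAddr
    dport: int
    proto: str


def parse_line(line: str) -> Packet:
    """Parse one sniffer line into a Packet; raises ValueError on unknown format."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised sniffer line: {line!r}")
    return Packet(
        ts=m["ts"], intf=m["intf"], direction=m["dir"],
        src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
        proto=m["proto"],
    )


def parse_lines(lines: List[str]) -> List[Packet]:
    return [parse_line(line) for line in lines]


def session_verdict(pkt: Packet, block_land_attack: bool = False,
                    fixed_ipv6: bool = False) -> str:
    """Hypothetical model of the session-core decision described in the article.

    - src != dst: always passes (other policy checks are out of scope here).
    - IPv4 with src == dst: dropped only when block-land-attack is enabled.
    - IPv6 with src == dst, before the fix: dropped unconditionally.
    - IPv6 with src == dst, fixed_ipv6=True (v7.6.4 / v8.0.0): same rule as IPv4.
    """
    if pkt.src != pkt.dst:
        return "pass"
    if pkt.src.version == 4 or fixed_ipv6:
        return "drop: land attack" if block_land_attack else "pass"
    return "drop: same src/dst address"


def verdicts(pkts: List[Packet], **kw) -> List[str]:
    return [session_verdict(p, **kw) for p in pkts]


if __name__ == "__main__":
    pkts = parse_lines(SAMPLE_LINES)
    for label, kw in (("default, pre-fix", {}), ("default, fixed", {"fixed_ipv6": True})):
        print(label)
        for p, v in zip(pkts, verdicts(pkts, **kw)):
            print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}  {v}")
```

Running the block shows that only the IPv6 BFD packet is dropped with default settings, and that with the v7.6.4/v8.0.0 behaviour modelled (fixed_ipv6=True) it passes like its IPv4 counterpart; enabling block-land-attack then drops both same-address packets while leaving the ordinary flows untouched.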