aionescu
Staff
Article Id 194570
Description
This article describes how to configure Bi-directional Forwarding Detection (BFD).

Solution
The BFD timer variables are only available when BFD is enabled. They can be configured at the global or interface level:
  -  Preferred minimum transmit interval for BFD packets: bfd-desired-min-tx.
  -  Required minimum receive interval for BFD packets: bfd-required-min-rx. The FortiGate unit will not transmit BFD packets at a slower rate than this, or in other words at a higher value than this.
  -  Number of times not detected before setting BFD status down: bfd-detect-mult.

Example configuration on two FortiGates running firmware version 5.4:

Fortigate_A:
# config system settings
    set bfd enable
    set bfd-desired-min-tx 1000
    set bfd-required-min-rx 50000
    set bfd-detect-mult 2
end

Fortigate_B:
# config system settings
    set bfd enable
    set bfd-desired-min-tx 10000
    set bfd-required-min-rx 50000
    set bfd-detect-mult 2
end

Both bfd-desired-min-tx values satisfy the bfd-required-min-rx of 50000 ms.

Enable debugging:
# diagnose ip router bfd all en
# diagnose ip router bfd level info
# diagnose debug enable
As of FortiOS 6.0, debugging is enabled by running the commands:
# diagnose debug app bfdd -1
# diagnose debug enable
Example of debug output:
2018-01-30 11:14:19 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Sending BFD packet"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: Inactivity timer expired"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD session[10.151.1.44:10.151.1.75,port2,28]: state UP -> DOWN local_diag=0x01"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: Session[10.151.1.44:10.151.1.75,port2,28]: bfd_session_send_packet_now"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD: Sending notification to protocol-id 4 client-type 8"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM: BFD register message"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Source Address: 10.151.1.44"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Destination Address: 10.151.1.75"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Interface index: 4"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Flags: Delete"
2018-01-30 11:14:38 id=20301 logdesc="Routing log" msg="NSM:  Client: OSPF"

Sample of FGT router log:


To sniff BFD packets:
# diagnose sniffer packet any "udp port 3784" 6 0 a
Sample BFD packets seen with packet decoder:

