Article Id 190484


This article describes the Bidirectional Forwarding Detection (BFD) implementation on FortiGate, with configuration and verification examples.

A few words about BFD:

- A mechanism for detecting a one-way device failure.
- Used for faster convergence of routing protocols.
- Independent of the interface media, routing protocol, or data protocol.
- Draft RFCs with multiple encapsulation types.
- FortiGate uses unicast UDP packets to port 3784 (single hop, not routable).

BFD vs "Fortinet Dead Gateway Detection" (DGD)

Dead Gateway Detection:

- Simple mechanism; no specific protocol needed on the "ping server".
- Based on ping, hence an L3 routable packet that can detect problems on a far-end network.

BFD:

- Fast convergence (<1 s).
- Devices must be on the same subnet.
- Interoperable BFD support required between vendors.
- Designed for OSPF and BGP.


FortiGate BFD/OSPF operation is described in the following scenarios.

If BFD is configured but OSPF is not, no BFD packets are sent: the BFD session is created by the routing protocol (OSPF or BGP) that uses it.

When OSPF is operational, BFD neighbours are seen alongside the OSPF neighbours.

BFD failure due to remote router (neighbour) failure:

Starting from the previous state (BFD neighbour up), BFD detects the failure and the failed OSPF neighbour is immediately withdrawn, triggering route reconvergence.


BFD packets seen from the CLI sniffer

FGT # diagnose sniffer packet any "udp port  3784" 6

0.514603 port7 in -> udp 24
0x0000   0000 0000 0001 0009 0f12 b95e 0800 4500        ...........^..E.
0x0010   0034 508b 0000 ff11 d371 c0a8 0b35 c0a8        .4P......q...5..
0x0020   0b36 c009 0ec8 0020 ee8f 20c0 0318 0000        .6..............
0x0030   000a 0000 000d 0000 c350 0000 c350 0000        .........P...P..
0x0040   0000                                           ..
0.530202 port7 out -> udp 24
0x0000   0000 0000 0000 0009 0f12 bcfe 0800 4500        ..............E.
0x0010   0034 c08f 0000 ff11 636d c0a8 0b36 c0a8
0x0020   0b35 c00c 0ec8 0020 ee8c 20c0 0318 0000        .5..............
0x0030   000d 0000 000a 0000 c350 0000 c350 0000        .........P...P..
0x0040   0000                                           ..    

BFD packets seen with a packet decoder
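The decoder view itself is not reproduced here, so the following Python script is added as an example of the same decoding. It is not a Fortinet tool or part of the original article: it takes the hex columns of the first sniffer frame above (the `port7 in` packet, embedded as a constructed string), walks Ethernet, IPv4 and UDP, and decodes the 24-byte BFD control section (RFC 5880). It also applies the single-hop checks a troubleshooter wants: destination UDP/3784, TTL 255 (RFC 5881 GTSM) and a source port in the 49152-65535 range, and it computes the detection time from the peer's Detect Mult and the negotiated interval.

```python
import string
import struct
from dataclasses import dataclass

BFD_PORT = 3784                                   # BFD control, single hop (RFC 5881)
BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
BFD_FLAGS = (("P", 0x20), ("F", 0x10), ("C", 0x08), ("A", 0x04), ("D", 0x02), ("M", 0x01))

# Constructed input: the first frame of the sniffer output above (port7 in),
# hex columns only; a trailing ASCII column, if present, is skipped by the parser.
SNIFFER_DUMP = """\
0x0000   0000 0000 0001 0009 0f12 b95e 0800 4500
0x0010   0034 508b 0000 ff11 d371 c0a8 0b35 c0a8
0x0020   0b36 c009 0ec8 0020 ee8f 20c0 0318 0000
0x0030   000a 0000 000d 0000 c350 0000 c350 0000
0x0040   0000
"""


def hexdump_to_bytes(dump):
    """Turn 'diagnose sniffer packet ... 6' hex lines into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:              # drop the 0x0000 offset column
            if len(tok) in (2, 4) and all(c in string.hexdigits for c in tok):
                out += bytes.fromhex(tok)
            else:
                break                             # reached the ASCII column
    return bytes(out)


@dataclass
class BfdControl:
    version: int
    diag: int
    state: str
    flags: dict
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int


def parse_bfd_control(payload):
    """Decode the mandatory 24-byte BFD control section (RFC 5880, section 4.1)."""
    if len(payload) < 24:
        raise ValueError("BFD control packet shorter than 24 bytes")
    b0, b1, mult, length = payload[:4]
    if length > len(payload):
        raise ValueError("BFD length field exceeds payload")
    my_disc, your_disc, tx, rx, echo = struct.unpack("!IIIII", payload[4:24])
    return BfdControl(b0 >> 5, b0 & 0x1F, BFD_STATES[b1 >> 6],
                      {n: bool(b1 & bit) for n, bit in BFD_FLAGS},
                      mult, length, my_disc, your_disc, tx, rx, echo)


def decode_sniffer_frame(frame):
    """Walk Ethernet -> IPv4 -> UDP, decode the BFD payload and run the
    single-hop sanity checks: UDP/3784, TTL 255 (GTSM), source port >= 49152."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != BFD_PORT:
        raise ValueError(f"UDP dst port {dport} is not BFD control ({BFD_PORT})")
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl,
        "ttl_ok": ttl == 255,                     # RFC 5881: single-hop BFD uses TTL 255
        "sport": sport,
        "sport_ok": 49152 <= sport <= 65535,      # RFC 5881 source-port range
        "dport": dport,
        "bfd": parse_bfd_control(udp[8:ulen]),
    }


def detection_time_us(peer, local_required_min_rx_us):
    """How long without packets from the peer before it is declared down:
    the peer's Detect Mult times the negotiated transmit interval (RFC 5880, 6.8.4)."""
    return peer.detect_mult * max(peer.desired_min_tx_us, local_required_min_rx_us)


if __name__ == "__main__":
    info = decode_sniffer_frame(hexdump_to_bytes(SNIFFER_DUMP))
    c = info["bfd"]
    print(f"{info['src']} -> {info['dst']} ttl={info['ttl']} udp {info['sport']}->{info['dport']}")
    print(f"BFD v{c.version} {c.state} mult={c.detect_mult} disc {c.my_disc}/{c.your_disc} "
          f"tx={c.desired_min_tx_us}us rx={c.required_min_rx_us}us "
          f"detect={detection_time_us(c, 50_000)}us")
```

Run against the captured frame, the decoder shows 192.168.11.53 sending to 192.168.11.54 with TTL 255, state Up, Detect Mult 3, discriminators 10/13 and 50000 µs (50 ms) transmit/receive intervals, which matches the defaults quoted below (the CLI takes these timers in milliseconds, the packet carries microseconds). With the local required-min-rx also at 50 ms, the detection time is 3 × 50 ms = 150 ms. A frame arriving with a TTL other than 255 or a destination port other than 3784 is exactly what to look for when a session stays Down on a link that otherwise passes traffic.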


FortiGate or VDOM operating in NAT Mode and running OSPF or BGP.


Step 1: BFD must be enabled globally and per interface (and per neighbor when used with BGP).

Default timers: 50 ms transmit/receive interval, detect multiplier (threshold) 3.

FGT # config system settings

FGT(settings) # set bfd enable


FGT # config system interface

FGT(interface) # edit port7

FGT(port7) # set bfd enable


Step 2: configuration at protocol level.

Configuration example at OSPF level (BFD is disabled by default under the OSPF process):

config router ospf
    set bfd enable
    config ospf-interface
        edit dmz
            set bfd enable
        next
    end
end

Configuration example at BGP level (the neighbor entry is opened with its peer address, which the article does not show; <neighbor-ip> is a placeholder):

config router bgp
    set as 65250
    config neighbor
        edit <neighbor-ip>
            set remote-as 65254
            set bfd enable
        next
    end
end
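Putting Step 1 and Step 2 together, the following is a complete FortiOS CLI configuration added as an example; it is not taken from the article. It shows the global timer settings behind the quoted defaults and the matching per-interface overrides (keys `bfd-desired-min-tx`, `bfd-required-min-rx`, `bfd-detect-mult`, in milliseconds), then the OSPF and BGP protocol-level enablement; in practice only the block for the protocol in use is needed. The interface name port7 and OSPF interface name dmz come from the article; the BGP peer address 192.0.2.1 and the `set interface "port7"` binding under the OSPF interface are assumptions for the example.

```fortios
config system settings
    set bfd enable
    set bfd-desired-min-tx 50
    set bfd-required-min-rx 50
    set bfd-detect-mult 3
end

config system interface
    edit "port7"
        set bfd enable
        set bfd-desired-min-tx 50
        set bfd-required-min-rx 50
        set bfd-detect-mult 3
    next
end

config router ospf
    set bfd enable
    config ospf-interface
        edit "dmz"
            set interface "port7"
            set bfd enable
        next
    end
end

config router bgp
    set as 65250
    config neighbor
        edit "192.0.2.1"
            set remote-as 65254
            set bfd enable
        next
    end
end
```

Lowering the interval or multiplier shortens failure detection but also raises the chance of a flap under CPU or link congestion, so change them on both peers and confirm the negotiated values in the control packets before relying on them.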

Verification with CLI commands

TestFGT_5 # get router info bgp neighbors
BGP neighbor is, remote AS 65254, local AS 65250, external link

TestFGT_5 # get router info bfd neighbor

OurAddr         NeighAddr       LD/RD   State   Int
                                4/1     UP      port7

- State: the current state of the BFD session (UP).
- LD/RD: the BFD Local Discriminator / Remote Discriminator used by this session (the My Discriminator / Your Discriminator fields of the control packets).
- From v7.2.0 onward, multi-hop BFD can also be configured.

Refer to the following documentation for more information:


Related Articles

Technical Note : How to implement BGP route summary (aggregation) on a FortiGate