alif
Staff
Article Id 192513
Description
This article describes how to configure BFD for static routes on a FortiGate.

Solution
To configure BFD for static routes, the first step is to set up the BFD configuration itself.
In this example, two FortiGates are used.

FortiGate 1:
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.180.6.237 255.255.240.0
        set allowaccess ping
        set bfd enable
    next
end

# config router bfd
    config neighbor
        edit 10.180.4.136
            set interface "port1"
        next
    end
end

FortiGate 2:
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.180.4.136 255.255.240.0
        set allowaccess ping
        set bfd enable
    next
end

# config router bfd
    config neighbor
        edit 10.180.6.237
            set interface "port1"
        next
    end
end

Consider a host behind FortiGate 2 which has an IP address of 1.1.1.1. FortiGate 1 has multiple paths to reach that host.

Two static routes have been configured on FortiGate 1: one via gateway 10.180.4.136 (FortiGate 2), and the other via gateway 10.180.2.44 (another device) with a higher distance of 20 (the lower distance is preferred).
# config router static
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.4.136
        set device "port1"
        set bfd enable
    next
    edit 3
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.180.2.44
        set distance 20
        set device "port1"
    next
end
Once the above configuration has been applied, the BFD neighborship is established between the two FortiGates.
# get router info bfd neighbor
OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.180.6.237    10.180.4.136    UP          port1           1/1
In the routing table, the route with lower distance is preferred.
# get router info routing-table all
S       1.1.1.1/32 [10/0] via 10.180.4.136, port1
C       10.180.0.0/20 is directly connected, port1
If port1 on FortiGate 2 goes down or FortiGate 1 is unable to reach 10.180.4.136, the BFD neighborship will go down.
# get router info bfd neighbor
OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.180.6.237    10.180.4.136    DOWN        port1           1/1
Because the BFD neighborship is down, FortiGate 1 can no longer reach 1.1.1.1/32 through route entry 2 (via gateway 10.180.4.136).
The routing table is updated and route entry 3 (via gateway 10.180.2.44) becomes the active route.
# get router info routing-table all
S       1.1.1.1/32 [20/0] via 10.180.2.44, port1
C       10.180.0.0/20 is directly connected, port1
BFD removes a static route from the routing table if FortiGate can't reach the route's destination and returns the route to the routing table if the route's destination is restored.

BFD troubleshooting commands:
# get router info bfd neighbor
# get router info bfd requests
# diagnose sniffer packet any "port 3784" 4
# diagnose debug app bfdd -1
# diagnose debug enable
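
The failover shown above can be checked automatically by comparing the output of "get router info bfd neighbor" with the routing table. The following Python script is an added example, not part of the original article or a Fortinet tool; the sample text is constructed from the outputs shown in this article, and the function names and OK/WARN/ALERT messages are assumptions made for illustration.

```python
import re

# Constructed sample output, copied from the format shown in this article.
BFD_DOWN = """\
OurAddress      NeighAddress    State       Interface       LDesc/RDesc
10.180.6.237    10.180.4.136    DOWN        port1           1/1
"""
ROUTES_FAILOVER = """\
S       1.1.1.1/32 [20/0] via 10.180.2.44, port1
C       10.180.0.0/20 is directly connected, port1
"""
ROUTE_RE = re.compile(r"^S\*?\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+([\d.]+),\s*(\S+)")

def parse_bfd_neighbors(text):
    """Return {neighbor_ip: state} from 'get router info bfd neighbor' output."""
    neighbors = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have five columns; skip the header row and blank lines.
        if len(fields) == 5 and fields[0] != "OurAddress":
            neighbors[fields[1]] = fields[2].upper()
    return neighbors

def parse_static_routes(text):
    """Return {prefix: (gateway, distance, device)} for active static routes."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m.group(1)] = (m.group(4), int(m.group(2)), m.group(5))
    return routes

def check_failover(bfd_text, route_text, prefix, primary_gw):
    """Classify the state of a BFD-protected static route (hypothetical helper)."""
    state = parse_bfd_neighbors(bfd_text).get(primary_gw, "MISSING")
    active = parse_static_routes(route_text).get(prefix)
    if active is None:
        return "ALERT: no active route to %s (BFD %s)" % (prefix, state)
    gw = active[0]
    if state == "UP" and gw == primary_gw:
        return "OK: primary path via %s" % gw
    if state != "UP" and gw != primary_gw:
        return "WARN: BFD %s, failed over to %s" % (state, gw)
    # BFD state and installed route disagree, e.g. 'set bfd enable' missing on the route.
    return "ALERT: BFD %s but route via %s" % (state, gw)

if __name__ == "__main__":
    print(check_failover(BFD_DOWN, ROUTES_FAILOVER, "1.1.1.1/32", "10.180.4.136"))
```

The ALERT case where BFD is down but the primary route is still installed is the one worth paging on, since traffic is then being sent to a gateway that BFD reports as unreachable.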

