rmetzger (Staff)
Article Id 190484

Description

This article describes the Bidirectional Forwarding Detection implementation and examples.

A few words about BFD:

- Mechanism detecting a one-way device failure.
- Used for faster convergence of routing protocols.
- Independent of interface media, routing, or data protocol.
- Draft RFCs with multiple encapsulation types.
- FortiGate uses unicast packets, UDP port 3784 (not routable).
- BFD vs "Fortinet Dead Gateway Detection" (DGD):

DGD

- Simple mechanism, no specific protocol needed on the "ping server".
- Based on ping, hence a L3 routable packet that can detect problems on a far-end network.

BFD

- Fast convergence (<1s).
- Devices must be on the same subnet.
- Interoperable support of BFD required between vendors.
- Designed for OSPF and BGP.

FortiGate BFD/OSPF operation is described in the following scenarios.

If BFD is configured but not OSPF, no BFD packets are sent.



When OSPF is operational, we see BFD neighbours together with OSPF neighbours.



BFD failure due to remote router (neighbor) failure.

Starting from the previous state (BFD neighbor is up), the BFD failure detection in this case is immediately followed by a withdrawal of the failed OSPF neighbour, triggering route reconvergence.



BFD packets seen from the CLI sniffer

FGT # diagnose sniffer packet any "udp port 3784" 6

0.514603 port7 in 192.168.11.53.49161 -> 192.168.11.54.3784: udp 24
0x0000   0000 0000 0001 0009 0f12 b95e 0800 4500        ...........^..E.
0x0010   0034 508b 0000 ff11 d371 c0a8 0b35 c0a8        .4P......q...5..
0x0020   0b36 c009 0ec8 0020 ee8f 20c0 0318 0000        .6..............
0x0030   000a 0000 000d 0000 c350 0000 c350 0000        .........P...P..
0x0040   0000                                           ..
0.530202 port7 out 192.168.11.54.49164 -> 192.168.11.53.3784: udp 24
0x0000   0000 0000 0000 0009 0f12 bcfe 0800 4500        ..............E.
0x0010   0034 c08f 0000 ff11 636d c0a8 0b36 c0a8        .4......cm...6..
0x0020   0b35 c00c 0ec8 0020 ee8c 20c0 0318 0000        .5..............
0x0030   000d 0000 000a 0000 c350 0000 c350 0000        .........P...P..
0x0040   0000                                           ..

BFD packets seen with a packet decoder

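The decoder view in script form, added here as an example and not part of the original article: it rebuilds the two sniffer frames above from their hex words (constructed inline, offset and ASCII columns removed), walks the Ethernet/IPv4/UDP headers, decodes the RFC 5880 BFD control packet, and applies the receive-side checks a single-hop BFD speaker makes before trusting a packet (TTL 255 per RFC 5881, version, length, discriminators), then derives the detection time (Detect Mult x interval). Function and constant names are the example's own.

```python
import struct

BFD_PORT = 3784   # single-hop BFD control, the port used in the sniffer filter above
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

# Constructed from the two sniffer frames above (hex words only, offset and
# ASCII columns removed): FRAME_IN is the neighbour's packet, FRAME_OUT ours.
FRAME_IN = bytes.fromhex(
    "0000 0000 0001 0009 0f12 b95e 0800 4500 0034 508b 0000 ff11 d371 c0a8 0b35 c0a8"
    "0b36 c009 0ec8 0020 ee8f 20c0 0318 0000 000a 0000 000d 0000 c350 0000 c350 0000 0000")
FRAME_OUT = bytes.fromhex(
    "0000 0000 0000 0009 0f12 bcfe 0800 4500 0034 c08f 0000 ff11 636d c0a8 0b36 c0a8"
    "0b35 c00c 0ec8 0020 ee8c 20c0 0318 0000 000d 0000 000a 0000 c350 0000 c350 0000 0000")

def decode_bfd(frame):
    """Peel Ethernet/IPv4/UDP and decode the 24-byte RFC 5880 mandatory section."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]            # IHL is in 32-bit words
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if ip[9] != 17 or dport != BFD_PORT:
        raise ValueError("not a single-hop BFD control packet")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = struct.unpack("!BBBBIIIII", udp[8:32])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "udp_len": ulen, "version": b0 >> 5, "diag": b0 & 0x1F,
            "state": STATES[b1 >> 6], "poll": bool(b1 & 0x20), "final": bool(b1 & 0x10),
            "detect_mult": mult, "length": length, "my_disc": my_d, "your_disc": your_d,
            "min_tx_ms": tx / 1000, "min_rx_ms": rx / 1000, "echo_rx_us": echo}

def check_session(rx, tx):
    """Receive-side checks from RFC 5880 s6.8.6 and the RFC 5881 TTL rule, plus the
    detection time this side applies to the neighbour (Detect Mult x negotiated interval)."""
    problems = []
    if rx["ttl"] != 255:                     # GTSM: an off-link forgery cannot arrive with TTL 255
        problems.append("TTL != 255, single-hop BFD must discard the packet")
    if rx["version"] != 1:
        problems.append("unsupported BFD version")
    if rx["length"] < 24 or rx["length"] != rx["udp_len"] - 8:
        problems.append("Length field inconsistent with UDP payload")
    if rx["detect_mult"] == 0 or rx["my_disc"] == 0:
        problems.append("Detect Mult or My Discriminator is zero")
    if rx["your_disc"] not in (0, tx["my_disc"]):   # 0 is legal only until the neighbour learns ours
        problems.append("Your Discriminator does not name our session")
    detect_ms = rx["detect_mult"] * max(rx["min_tx_ms"], tx["min_rx_ms"])
    return problems, detect_ms
```

On the frames above both directions decode as state Up, Detect Mult 3, 50 ms timers and discriminators 10/13, giving a 150 ms detection time, which matches the 50 ms / threshold 3 defaults quoted in Step 1.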


Scope
FortiGate or VDOM operating in NAT Mode and running OSPF or BGP.

Solution

Step 1: BFD must be configured globally and per interface (per neighbor if used for BGP).

Default = 50 ms; threshold = 3.

FGT # config system settings
FGT (settings) # set bfd enable
FGT (settings) # end

FGT # config system interface
FGT (interface) # edit port7
FGT (port7) # set bfd enable
FGT (port7) # end

 

Step 2: configuration at protocol level

Configuration example at OSPF level

 

config router ospf
    set bfd enable    (default = disabled)
    config ospf-interface
        edit dmz
            set bfd enable
        next
    end
end

Configuration example at BGP level

config router bgp
    set as 65250
    config neighbor
        edit 192.168.3.254
            set bfd enable
            set remote-as 65254
        next
    end
end


Verification with CLI commands

TestFGT_5 # get router info bgp neighbors
BGP neighbor is 192.168.3.254, remote AS 65254, local AS 65250, external link
 
TestFGT_5 # get router info bfd neighbor

OurAddr         NeighAddr       LD/RD   State   Int
192.168.3.250   192.168.3.254   4/1     UP      port7

 
Note:
- State: the current state of the BFD session (UP).
- LD/RD: the BFD Local Discriminator / Remote Discriminator used in this BFD session.
- From v7.2.0 onward, multi-hop BFD can be configured.

Refer to the document below for more information:


Related Articles

Technical Note: How to implement BGP route summary (aggregation) on a FortiGate