BFD
Understand Bidirectional Forwarding Detection (BFD), which recognizes a failure in
the bidirectional path between two routing peers.
Where Can I Use This? | What Do I Need?
NGFW (Managed by PAN-OS or Panorama) |
The firewall supports Bidirectional Forwarding Detection (BFD) (RFC 5880), a protocol that detects a failure in the bidirectional path between two routing peers. BFD failure detection is fast enough to provide a quicker failover than link monitoring or the periodic health checks of dynamic routing protocols, such as Hello packets or heartbeats, can achieve. Mission-critical data centers and networks that require high availability and very fast failover depend on the failure detection speed that BFD provides.
When you enable BFD, the firewall establishes a BFD session with its peer at the other end of the link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets are carried in UDP: single-hop sessions, for both IPv4 and IPv6, use UDP destination port 3784, and multihop sessions use UDP destination port 4784.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time, the peer considers the session down. The detection time is the peer's negotiated transmit interval (the larger of the peer's Desired Minimum Tx Interval and the local Required Minimum Rx Interval) multiplied by the peer's Detection Time Multiplier. (The firewall does not support demand mode, in which control packets are sent only when necessary rather than periodically.)
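The handshake and interval negotiation described above, as an added Python model of the RFC 5880 state machine. This is not PAN-OS code and does not show the firewall's implementation; the two endpoints, their discriminators and the profile values (1 s / 1 s / x3 on the firewall side, 300 ms / 300 ms / x5 on the peer side) are constructed for the example, and the field names follow RFC 5880.

```python
"""BFD asynchronous-mode session model (RFC 5880 sections 6.8.2, 6.8.4, 6.8.6).

Added example, not PAN-OS code: two endpoints run the three-way handshake,
negotiate transmit intervals from their (constructed) profile values, compute
the detection time each side applies, and one side declares the session Down
when control packets stop arriving.
"""
from dataclasses import dataclass

# Values of the 2-bit Sta field in a BFD control packet (RFC 5880 4.1).
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATE_NAMES = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}


@dataclass
class ControlPacket:
    """Control-packet fields that drive the state machine (intervals in microseconds)."""
    state: int
    my_disc: int          # sender's discriminator
    your_disc: int        # discriminator learned from the peer, 0 until known
    desired_min_tx: int
    required_min_rx: int
    detect_mult: int


@dataclass
class Session:
    name: str
    my_disc: int
    desired_min_tx: int     # profile: Desired Minimum Tx Interval
    required_min_rx: int    # profile: Required Minimum Rx Interval
    detect_mult: int        # profile: Detection Time Multiplier
    state: int = DOWN
    your_disc: int = 0
    remote_desired_min_tx: int = 0
    remote_required_min_rx: int = 1
    remote_detect_mult: int = 0

    def tx_interval(self) -> int:
        """Interval at which this side sends control packets (RFC 5880 6.8.2):
        the larger of the local Desired Min TX and the peer's Required Min RX."""
        return max(self.desired_min_tx, self.remote_required_min_rx)

    def detection_time(self) -> int:
        """Time without a control packet before the session is declared Down
        (RFC 5880 6.8.4): peer Detect Mult x max(local Required Min RX, peer
        Desired Min TX), i.e. the peer's transmit interval times its multiplier."""
        return self.remote_detect_mult * max(self.required_min_rx, self.remote_desired_min_tx)

    def build_packet(self) -> ControlPacket:
        return ControlPacket(self.state, self.my_disc, self.your_disc,
                             self.desired_min_tx, self.required_min_rx, self.detect_mult)

    def receive(self, pkt: ControlPacket) -> None:
        """Apply the receive-side state transitions of RFC 5880 6.8.6."""
        self.your_disc = pkt.my_disc
        self.remote_desired_min_tx = pkt.desired_min_tx
        self.remote_required_min_rx = pkt.required_min_rx
        self.remote_detect_mult = pkt.detect_mult
        if pkt.state == ADMIN_DOWN:
            if self.state != ADMIN_DOWN:
                self.state = DOWN
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self.state = INIT
            elif pkt.state == INIT:
                self.state = UP
        elif self.state == INIT:
            if pkt.state in (INIT, UP):
                self.state = UP
        elif self.state == UP:
            if pkt.state == DOWN:
                self.state = DOWN

    def detection_timer_expired(self) -> None:
        """No control packet arrived within detection_time(): declare the session Down."""
        if self.state in (INIT, UP):
            self.state = DOWN


def handshake(a: Session, b: Session) -> list:
    """Exchange control packets until both sides are Up; return the (a, b) state trace."""
    trace = [(STATE_NAMES[a.state], STATE_NAMES[b.state])]
    for _ in range(4):
        b.receive(a.build_packet())
        a.receive(b.build_packet())
        trace.append((STATE_NAMES[a.state], STATE_NAMES[b.state]))
        if a.state == UP and b.state == UP:
            break
    return trace


def demo() -> dict:
    """Constructed scenario: firewall profile 1 s / 1 s / x3 against a peer
    configured for 300 ms / 300 ms / x5. The slower side's interval wins."""
    fw = Session("fw", my_disc=0x11, desired_min_tx=1_000_000, required_min_rx=1_000_000, detect_mult=3)
    peer = Session("peer", my_disc=0x22, desired_min_tx=300_000, required_min_rx=300_000, detect_mult=5)
    result = {"trace": handshake(fw, peer),
              "fw_tx_interval_us": fw.tx_interval(),
              "peer_tx_interval_us": peer.tx_interval(),
              "fw_detection_time_us": fw.detection_time(),
              "peer_detection_time_us": peer.detection_time()}
    fw.detection_timer_expired()      # the peer's packets stop reaching the firewall
    result["fw_state_after_timeout"] = STATE_NAMES[fw.state]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trace shows the three states a side moves through (Down, Init, Up), and the interval results show why a fast profile on one side does not buy fast detection on its own: both sides end up transmitting every 1 s because the firewall's Required Minimum Rx Interval is 1 s, so the firewall detects a peer failure only after 5 x 1 s and the peer after 3 x 1 s.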
- When you enable BFD for a static route and the BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables so that a less-preferred alternate route can take over.
- When you enable BFD for a routing protocol and the session fails, BFD notifies the routing protocol that the peer is unreachable, and the protocol switches to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile enables you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You can’t change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA
peers don’t.
BFD Model, Interface, and Client Support
The following firewall models don’t support BFD: PA-800 Series, PA-220, and VM-50 firewalls. The models that do support BFD support a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
- Static routes (IPv4 and IPv6) consisting of a single hop
- OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
- BGP IPv4 and IPv6 (IBGP, EBGP) consisting of a single hop or multiple hops
- RIP (single hop)
Non-Supported RFC Components of BFD
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; nonsupported components are:
- Demand mode
- Authentication
- Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
- Poll sequences
- Congestion control
- BFD for LACP (micro-BFD with LAG interfaces)
Because authentication isn't supported, nothing in a control packet proves who sent it. For single-hop sessions, RFC 5881 requires control packets to be sent with a TTL or Hop Limit of 255 and received packets with any other value to be discarded, which rejects packets that did not originate on the directly connected link. Multihop sessions (used here only by BGP) cross forwarding hops by design, so that fixed-TTL check cannot protect them.
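The receive-side checks that follow from the list above, as an added Python example that is not PAN-OS code and does not describe the firewall's actual receive path: it packs and validates the 24-byte mandatory BFD control-packet header per RFC 5880, applies the RFC 5881 TTL/Hop Limit check on the single-hop port, skips it on the multihop port, and rejects any packet that sets the Authentication Present bit because no authentication is configured. The discriminators, interval values and TTLs in the usage are constructed.

```python
"""Receive-side validation of a BFD control packet (RFC 5880 sections 4.1 and
6.8.6; RFC 5881 for single-hop, RFC 5883 for multihop sessions).

Added example, not PAN-OS code.
"""
import struct

SINGLE_HOP_PORT = 3784      # RFC 5881: UDP destination port for single-hop sessions
MULTI_HOP_PORT = 4784       # RFC 5883: UDP destination port for multihop sessions
HDR = struct.Struct("!BBBBIIIII")   # 24-byte mandatory header, network byte order
FLAG_A = 0x04               # byte 1 layout: Sta(2) P F C A D M; A = Authentication Present
FLAG_M = 0x01               # M = Multipoint, must be zero
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3


def build_control_packet(state, my_disc, your_disc, desired_min_tx, required_min_rx,
                         detect_mult, auth_present=False, version=1):
    """Pack a control packet. Byte 0 is Vers(3)|Diag(5); Diag 0 means No Diagnostic.
    Required Min Echo RX is sent as 0 because this side neither sends nor receives Echo."""
    byte0 = version << 5
    byte1 = (state << 6) | (FLAG_A if auth_present else 0)
    return HDR.pack(byte0, byte1, detect_mult, HDR.size, my_disc, your_disc,
                    desired_min_tx, required_min_rx, 0)


def validate_control_packet(data, udp_dst_port, ttl, auth_configured=False):
    """Return (accepted, reason) for a received control packet.

    The checks follow the order in RFC 5880 6.8.6. The TTL/Hop Limit check is the
    RFC 5881 requirement for single-hop sessions without authentication; multihop
    packets have legitimately been forwarded, so no fixed TTL is required there.
    """
    if udp_dst_port not in (SINGLE_HOP_PORT, MULTI_HOP_PORT):
        return False, f"UDP port {udp_dst_port} is not a BFD control port"
    if len(data) < HDR.size:
        return False, "shorter than the 24-byte mandatory header"
    byte0, byte1, detect_mult, length, my_disc, your_disc, _tx, _rx, _echo = HDR.unpack_from(data)
    if byte0 >> 5 != 1:
        return False, f"version {byte0 >> 5} is not 1"
    auth_present = bool(byte1 & FLAG_A)
    if length < (HDR.size + 2 if auth_present else HDR.size) or length > len(data):
        return False, "Length field inconsistent with packet"
    if detect_mult == 0:
        return False, "Detect Mult is zero"
    if byte1 & FLAG_M:
        return False, "Multipoint bit set"
    if my_disc == 0:
        return False, "My Discriminator is zero"
    state = byte1 >> 6
    if your_disc == 0 and state not in (ADMIN_DOWN, DOWN):
        return False, "Your Discriminator is zero but state is Init or Up"
    if auth_present != auth_configured:
        return False, "Authentication Present bit does not match session configuration"
    if udp_dst_port == SINGLE_HOP_PORT and not auth_configured and ttl != 255:
        return False, f"single-hop packet arrived with TTL/Hop Limit {ttl}, not 255"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed packet: state Down, discriminator 0x1001, 1 s intervals, multiplier 3.
    pkt = build_control_packet(DOWN, 0x1001, 0, 1_000_000, 1_000_000, 3)
    print(validate_control_packet(pkt, SINGLE_HOP_PORT, 255))   # accepted
    print(validate_control_packet(pkt, SINGLE_HOP_PORT, 64))    # not from the directly connected link
    print(validate_control_packet(pkt, MULTI_HOP_PORT, 64))     # multihop: TTL not checked
```

The TTL branch is the one to keep in mind on a firewall that does not support BFD authentication: on the single-hop port it is the only check that ties a control packet to the local link, and it does not exist for the multihop port that BGP sessions use.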