Create BFD Profiles
Create a BFD profile to apply to static routes or a routing
protocol on the Advanced Routing Engine.
On an Advanced Routing Engine, you can use
Bidirectional Forwarding Detection (BFD) profiles to easily apply
BFD settings to a static route or routing protocol. You can use
the default profile (which is read-only) or create new BFD profiles.
Perform
the following before creating a BFD profile:
- Configure one or more static routes if you are applying BFD to a static route.
- Configure a routing protocol (BGP, OSPF, OSPFv3, or RIPv2) if you are applying BFD to a routing protocol. For example, you can apply a BFD profile when configuring general BGP settings.
The effectiveness of your
BFD implementation depends on various factors, such as traffic loads, network
conditions, how aggressive your BFD settings are, and how busy the
dataplane is.
- Select Network > Routing > Routing Profiles > BFD.
- Add a BFD profile by Name (maximum of 63 characters). The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, hyphens, and underscores. No dot (.) or space is allowed.
- Select the Mode in which BFD operates:
  - Active—BFD initiates sending control packets to peer (default). At least one of the BFD peers must be Active; both can be Active.
  - Passive—BFD waits for peer to send control packets and responds as required.
- Enter the Desired Minimum Tx Interval (ms), the minimum interval, in milliseconds, at which you want the BFD protocol to send BFD control packets; you are thus negotiating the transmit interval with the peer. Range for PA-7000 Series, PA-5200 Series, and PA-5450 firewall is 50 to 10,000; range for PA-3200 Series is 100 to 10,000; range for VM-Series is 200 to 10,000. Default is 1,000.
  If you have multiple routing protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
  On a PA-7000 Series firewall, set the Desired Minimum Tx Interval to 100 or greater; a value less than 100 is at risk of causing BFD flaps.
- Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in milliseconds, at which BFD can receive BFD control packets. Range for PA-7000 Series, PA-5200 Series, and PA-5450 firewall is 50 to 10,000; range for PA-3200 Series is 100 to 10,000; range for VM-Series is 200 to 10,000. Default is 1,000.
  On a PA-7000 Series firewall, set the Desired Minimum Rx Interval to 100 or greater; a value less than 100 is at risk of causing BFD flaps.
- Enter the Detection Time Multiplier. Range is 2 to 255, default is 3.
  The local system calculates the detection time as the Detection Time Multiplier received from the remote system multiplied by the agreed transmit interval of the remote system (the greater of the Required Minimum Rx Interval and the last received Desired Minimum Tx Interval). If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred.
  When creating a BFD profile, take into consideration that the firewall is a session-based device typically at the edge of a network or data center and may have slower links than a dedicated router. Therefore, the firewall likely needs a longer interval and a higher multiplier than the fastest settings allowed. A detection time that is too short can cause false failure detections when the issue is really just traffic congestion.
- Enter the Hold Time (ms), the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0 to 120,000; default is 0, which means no transmit Hold Time is used; BFD sends and receives BFD control packets immediately after the link is established.
- Enter the Minimum Rx TTL, the minimum Time-to-Live (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. Range is 1 to 254; there is no default.
  The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx TTL. For example, if the peer is 5 hops away and the peer transmits a BFD packet with a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or higher, the firewall drops the packet.
- Click OK.
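The following planning check is an added example, not Palo Alto Networks code: it validates a proposed profile against the ranges listed in the steps above, computes the detection time the local system will use, and applies the Minimum Rx TTL rule. The function names are hypothetical, the sample values are constructed, and the TTL check assumes each hop decrements the TTL by one.

```python
import re

# Interval ranges (ms) per platform, as listed in the steps above.
INTERVAL_RANGE_MS = {
    "PA-7000": (50, 10_000), "PA-5200": (50, 10_000), "PA-5450": (50, 10_000),
    "PA-3200": (100, 10_000), "VM-Series": (200, 10_000),
}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")


def validate_profile(platform, name, tx_ms=1000, rx_ms=1000, multiplier=3,
                     hold_ms=0, min_rx_ttl=None):
    """Return a list of problems with a planned BFD profile (empty if none)."""
    problems = []
    lo, hi = INTERVAL_RANGE_MS[platform]
    if not NAME_RE.fullmatch(name):
        problems.append("name: 1-63 letters, numbers, hyphens, underscores only")
    for label, value in (("tx", tx_ms), ("rx", rx_ms)):
        if not lo <= value <= hi:
            problems.append(f"{label} interval {value} outside {lo}-{hi} ms")
        elif platform == "PA-7000" and value < 100:
            problems.append(f"{label} interval {value} < 100 risks BFD flaps")
    if not 2 <= multiplier <= 255:
        problems.append("multiplier outside 2-255")
    if not 0 <= hold_ms <= 120_000:
        problems.append("hold time outside 0-120000 ms")
    if min_rx_ttl is not None and not 1 <= min_rx_ttl <= 254:
        problems.append("minimum Rx TTL outside 1-254")
    return problems


def detection_time_ms(local_required_rx_ms, remote_desired_tx_ms, remote_multiplier):
    """Remote multiplier times the agreed transmit interval of the remote system."""
    return remote_multiplier * max(local_required_rx_ms, remote_desired_tx_ms)


def accepts_ttl(sent_ttl, hops, min_rx_ttl):
    """Multihop check: the packet is dropped if it arrives below Minimum Rx TTL."""
    return sent_ttl - hops >= min_rx_ttl


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(validate_profile("PA-7000", "edge.bfd", tx_ms=50, rx_ms=50))
    print(detection_time_ms(1000, 300, 3))  # local Rx floor dominates
    print(accepts_ttl(100, 5, 96), accepts_ttl(100, 5, 95))
```

Comparing the computed detection time with the congestion the link is expected to see shows whether a profile is likely to report false failures before it is committed.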