BFD Overview
When you enable BFD, BFD establishes a session from
one endpoint (the firewall) to its BFD peer at the endpoint of a
link using a three-way handshake. Control packets perform the handshake
and negotiate the parameters configured in the BFD profile, including the
minimum intervals at which the peers can send and receive control
packets. BFD control packets for both IPv4 and IPv6 are transmitted
over UDP port 3784. BFD control packets for multihop support are
transmitted over UDP port 4784. BFD control packets transmitted
over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks
implementation of BFD operates in asynchronous mode, meaning both
endpoints send each other control packets (which function like Hello
packets) at the negotiated interval. If a peer does not receive
a control packet within the detection time (calculated as the negotiated
transmit interval multiplied by a Detection Time Multiplier), the
peer considers the session down. (The firewall does not support
demand mode, in which control packets are sent only if necessary
rather than periodically.)
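
The following added example (not code from Palo Alto Networks) parses the mandatory section of a BFD control packet as laid out in RFC 5880 and computes the asynchronous-mode detection time described above. It goes beyond this page by applying the RFC 5880 reception checks a monitoring tool would use to discard malformed packets; the function names and the sample packet are constructed for illustration.

```python
import struct

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}  # RFC 5880 Sta values

def parse_bfd_control(payload: bytes) -> dict:
    """Decode the mandatory section of a BFD control packet (UDP payload)."""
    if len(payload) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    (vers_diag, flags, mult, length, my_disc, your_disc,
     min_tx, min_rx, _echo_rx) = struct.unpack("!BBBBIIIII", payload[:24])
    auth = bool(flags & 0x04)                      # A bit: auth section follows
    state = STATES[flags >> 6]
    # Reception checks from RFC 5880 section 6.8.6; failing packets are discarded.
    if vers_diag >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length < (26 if auth else 24) or length > len(payload):
        raise ValueError("bad Length field")
    if mult == 0 or flags & 0x01 or my_disc == 0:
        raise ValueError("zero Detect Mult, M bit set, or zero My Discriminator")
    if your_disc == 0 and state not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator is zero outside Down/AdminDown")
    return {"state": state, "diag": vers_diag & 0x1F, "auth": auth,
            "demand": bool(flags & 0x02), "detect_mult": mult,
            "my_disc": my_disc, "your_disc": your_disc,
            "desired_min_tx_us": min_tx, "required_min_rx_us": min_rx}

def detection_time_us(local_required_min_rx_us: int, pkt: dict) -> int:
    """Asynchronous-mode detection time (RFC 5880 section 6.8.4), microseconds.

    The negotiated transmit interval of the peer is the greater of our
    Required Min RX and the peer's Desired Min TX; the multiplier is the peer's.
    """
    return pkt["detect_mult"] * max(local_required_min_rx_us,
                                    pkt["desired_min_tx_us"])

# Constructed sample: version 1, state Up, Detect Mult 3, 300 ms intervals.
SAMPLE = struct.pack("!BBBBIIIII", 0x20, 0xC0, 3, 24,
                     0x11, 0x22, 300_000, 300_000, 0)

if __name__ == "__main__":
    pkt = parse_bfd_control(SAMPLE)
    print(pkt["state"], detection_time_us(400_000, pkt), "us")
```
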
When you enable BFD for a static route and a BFD session between
the firewall and the BFD peer fails, the firewall removes the failed
route from the RIB and FIB tables and allows an alternate path with
a lower priority to take over. When you enable BFD for a routing
protocol, BFD notifies the routing protocol to switch to an alternate
path to the peer. Thus, the firewall and BFD peer reconverge on
a new path.
A BFD profile allows you to configure BFD settings and apply them
to one or more routing protocols
or static routes on the firewall. If you enable BFD without configuring
a profile, the firewall uses its default BFD profile (with all of
the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different
BFD profiles, BFD uses the profile having the lowest Desired
Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions;
active/active HA peers do not.