# Palo Alto Networks BFD Implementation
Bidirectional Forwarding Detection (BFD) is a protocol designed to quickly detect failures in the path between two routing peers, enabling faster failover than traditional methods like routing protocol hellos or link monitoring. Palo Alto Networks firewalls support BFD for various scenarios.
## Supported Protocols

In addition to BFD for static routes, Palo Alto Networks firewalls support BFD for the following dynamic routing protocols:

- Border Gateway Protocol (BGP)
- Open Shortest Path First (OSPFv2 and OSPFv3)
- Routing Information Protocol (RIP)

BFD support allows for rapid failure detection, prompting the routing protocol to switch to an alternate path when a session failure occurs.
## Multihop BFD (RFC 5883)

The Palo Alto Networks implementation of multihop BFD adheres to the encapsulation specified in RFC 5883 but does not support the authentication component of that standard.

**Workaround for authentication:** For BGP, configure BFD within a VPN tunnel. The VPN tunnel itself can provide the necessary authentication, negating the need for BFD's native authentication mechanism.
## BFD for OSPF

When BFD is enabled for OSPF, session establishment depends on the OSPF interface type:

- **Broadcast interfaces (OSPFv2/OSPFv3):** OSPF establishes BFD sessions only with the Designated Router (DR) and Backup Designated Router (BDR).
- **Point-to-point interfaces:** OSPF establishes a BFD session with the directly connected neighbor.
- **Point-to-multipoint interfaces:** OSPF establishes a BFD session with each peer on the interface.

**Note:** The firewall explicitly does *not* support BFD on OSPF or OSPFv3 virtual links.
## BFD Session Sharing

Routing protocols can use BFD sessions in two ways on an interface:

- **Independent sessions:** Each routing protocol (BGP, OSPF, RIP) can maintain its own separate BFD session.
- **Shared sessions:** Two or more protocols (BGP, OSPF, RIP, and static routes) can share a single BFD session under specific conditions. This occurs when BFD is enabled for multiple protocols on the same interface and they share the same source and destination IP addresses.

When protocols share a BFD session:

- Only one BFD profile is used: the one configured with the **lowest Desired Minimum Tx Interval**.
- If the profiles share the same `Desired Minimum Tx Interval`, the profile associated with the **first session established** takes precedence. For instance, if a static route and OSPF share a session, the static route's BFD profile is used because its session is created immediately upon commit, whereas OSPF waits for adjacency formation.

**Benefit:** Sharing BFD sessions improves resource efficiency, reducing dataplane CPU overhead and traffic load on the interface. This allows the firewall to potentially support more BFD sessions elsewhere.

IPv4 and IPv6 configured on the same interface will **always create different BFD sessions**, even if they are configured to use the same BFD profile.
## Interaction with HA Path Monitoring and BGP Graceful Restart

When deploying BFD for BGP alongside High Availability (HA) path monitoring, careful consideration is needed regarding BGP Graceful Restart.

**Recommendation:** Palo Alto Networks advises *against* implementing BGP Graceful Restart when using both BFD for BGP and HA path monitoring. In a failure scenario (peer interface down, path monitoring fails), BFD can detect the failure and trigger route removal faster than Graceful Restart can engage, potentially removing routes before the graceful period completes.

If implementing all three features (BFD for BGP, BGP Graceful Restart, and HA Path Monitoring) is necessary, configure BFD with **larger timer values** than the defaults for both **Desired Minimum Tx Interval** and **Detection Time Multiplier**. This allows more time for Graceful Restart mechanisms to function before BFD declares the session down.
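The session-sharing rules above and the timer advice in this section, as an added worked model (not Palo Alto Networks code): it groups per-protocol BFD bindings into sessions, picks the effective profile by lowest Desired Minimum Tx Interval with the first-established session breaking ties, and computes the RFC 5880 detection time, which shows that the peer's multiplier governs how fast the firewall itself declares a session down. Profile values and bindings are constructed, and the establishment order of BGP and RIP relative to static routes and OSPF is an assumption.

```python
from dataclasses import dataclass
# Page: static-route sessions come up at commit; OSPF waits for adjacency.
# Placing BGP and RIP between them is an assumption for illustration only.
ESTABLISH_ORDER = {"static": 0, "rip": 1, "bgp": 2, "ospf": 3}

@dataclass(frozen=True)
class BfdProfile:
    name: str
    desired_min_tx_ms: int   # Desired Minimum Tx Interval
    required_min_rx_ms: int  # Required Minimum Rx Interval
    detect_mult: int         # Detection Time Multiplier

@dataclass(frozen=True)
class BfdBinding:            # one protocol's BFD enablement on an interface
    protocol: str            # "static", "bgp", "ospf" or "rip"
    interface: str
    src: str
    dst: str
    profile: BfdProfile

def session_key(b):
    # Same interface plus same source/destination share one session, but IPv4
    # and IPv6 never do, so the address family is part of the key.
    return (b.interface, 6 if ":" in b.src else 4, b.src, b.dst)

def plan_sessions(bindings):
    """Group bindings into sessions: {key: (owner protocol, profile, members)}."""
    groups = {}
    for b in bindings:
        groups.setdefault(session_key(b), []).append(b)
    plan = {}
    for key, members in groups.items():
        # Lowest Desired Min Tx wins; ties go to the first-established session.
        owner = min(members, key=lambda m: (m.profile.desired_min_tx_ms, ESTABLISH_ORDER[m.protocol]))
        plan[key] = (owner.protocol, owner.profile, sorted(m.protocol for m in members))
    return plan

def detection_time_ms(local, remote):
    """RFC 5880 async mode: wait before the local side declares the session down.
    Uses the peer's multiplier, so raising only our Detection Time Multiplier
    slows the peer's detection of us, not our detection of the peer."""
    return remote.detect_mult * max(local.required_min_rx_ms, remote.desired_min_tx_ms)

DEFAULT = BfdProfile("default", 1000, 1000, 3)  # PAN-OS defaults from the page
FAST = BfdProfile("fast", 200, 200, 3)          # constructed
SAMPLE = [  # constructed bindings on one interface, not from a real firewall
    BfdBinding("static", "ethernet1/1", "10.0.0.1", "10.0.0.2", DEFAULT),
    BfdBinding("ospf", "ethernet1/1", "10.0.0.1", "10.0.0.2", DEFAULT),
    BfdBinding("static", "ethernet1/1", "2001:db8::1", "2001:db8::2", DEFAULT),
    BfdBinding("bgp", "ethernet1/1", "2001:db8::1", "2001:db8::2", FAST),
]
```

With the constructed bindings, the IPv4 session is owned by the static route's profile (tie at 1000 ms, static established first) and the IPv6 session by BGP's 200 ms profile; with defaults on both ends the detection time is 3000 ms.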
## Other Important Information

- **Configuration:** BFD is configured via BFD Profiles found under `Network > Network Profiles > BFD Profile`. These profiles can then be applied globally or per interface for static routes, BGP, OSPF, or RIP within the Virtual Router configuration.
- **Operation mode:** The Palo Alto Networks implementation uses asynchronous mode, where both endpoints periodically send BFD control packets. It does not support demand mode.
- **Default timers:** The default transmit/receive interval is 1000 ms, and the default detection multiplier is 3, resulting in a detection time of roughly 3 seconds. Timers can be adjusted, but overly aggressive timers (e.g., less than 100 ms on PA-7000 series) risk causing session flaps.
- **HA synchronization:** BFD configurations and sessions are synchronized between Active/Passive HA peers, but not between Active/Active peers.
- **Model support:** Certain firewall models (such as the PA-800 series, PA-220, and VM-50) do not support BFD. Support for the PA-400 series was added in PAN-OS 11.0. Always check the Product Selection tool for specific model capabilities and maximum session counts.
- **RFC compliance:** The PAN-OS BFD implementation aligns with RFC 5880 (BFD Base), RFC 5881 (BFD for IPv4 and IPv6 Single Hop), and the encapsulation part of RFC 5883 (BFD for Multihop Paths).
- **BFD and IPsec:** AWS Site-to-Site VPN configurations do not support BFD over the IPsec tunnel with Palo Alto Networks firewalls; BFD should be disabled for these BGP peers.