OSPF on Firewalls

Here’s the planned topology for the OSPF configuration across multiple firewalls:

On the Core Switch side, we enable OSPF on all required interfaces:

Here we can see that the OSPF configuration is up and running:

show ip ospf neighbor

show ip route ospf


Fortigate

On the FortiGate side, enable OSPF under Network » OSPF. Here we give it the Router ID, Area 0, and the networks that will join the OSPF neighborship:

Run this command to show the OSPF neighborship in the CLI:

get router info ospf neighbor


We can also see the routes received via OSPF in the Routing Monitor:

get router info routing-table ospf


Palo Alto

On the Palo Alto side, we configure OSPF on the Virtual Router: here we enable OSPF, give it the Router ID, Area 0, and the interfaces that take part in the neighborship:

Now, in the runtime stats, we can see that the OSPF process is up and running:

show routing protocol ospf neighbor


We can also see all the routes received via OSPF:

show routing route


Check Point

On the Check Point side, we configure OSPF through Gaia: here we create Area 0 (Backbone), give it the Router ID, and add the interface members:

On the Monitoring tab, we can see that the OSPF process is now running:

show ospf neighbors


In the routing monitor we can also see the received routes:

show route ospf


Cisco FTD

On an FTD managed by FMC, we enable OSPF on the Routing tab: here we enable the OSPF process with the Internal Router role, then add Area 0 with the networks that we wish to advertise:

Then, on the Interface tab, add the interface members:

To verify the OSPF process, run the CLI commands:

show ospf neighbor
show ospf database

show route ospf


Cisco ASA

Below is the OSPF configuration on the ASA side:

router ospf 1
 router-id 172.16.51.2
 network 10.51.0.0 255.255.255.0 area 0
 network 172.16.51.0 255.255.255.0 area 0


Run these commands to verify the OSPF process:

show ospf neighbor

show route ospf



Redistribute

The configuration above enables the OSPF process on all interface members so that their networks are advertised, even though not every interface faces another OSPF neighbor. An interface that runs OSPF without a neighbor still sends hellos and would form an adjacency with whatever answers on that segment. Here we clean up the configuration by enabling the OSPF process only on the interfaces that need it, and redistribute the connected networks so they are still advertised.

Once configured, the advertised networks will look like this:

  • Type 1 (E1) = external cost + internal OSPF cost.
  • Type 2 (E2) = external cost only (default).


Fortigate

Here we delete the inside network:

Then we enable the Redistribute Connected option:

Palo Alto

In Area 0, we remove the internal interface:

And under Export Rules, we add the network that we’d like to redistribute:

Check Point

Here we remove the internal interface:

Then, under Route Redistribution, add a new redistribution entry for the same interface:

Cisco FTD

Here we need to change the OSPF role from Internal Router to ASBR to enable route redistribution, then delete the network from the OSPF process:

We also remove the inside interface:

Then, under Redistribution, we add an entry with the Connected route type:

Cisco ASA

Here’s the configuration on the ASA side:

router ospf 1
 router-id 172.16.51.2
 network 172.16.51.0 255.255.255.0 area 0
 redistribute connected subnets
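
As an added check (not part of the original post), the following Python script parses the two ASA configurations shown above and reports which interfaces run OSPF without an expected neighbor, and whether each connected prefix is still advertised after the cleanup. The interface table is constructed: the inside address 10.51.0.1/24 is an assumption, since the post only shows the outside address 172.16.51.2.

```python
import ipaddress
import re

# ASA OSPF configuration from the post, before and after the redistribution cleanup.
BEFORE = """\
router ospf 1
 router-id 172.16.51.2
 network 10.51.0.0 255.255.255.0 area 0
 network 172.16.51.0 255.255.255.0 area 0
"""
AFTER = """\
router ospf 1
 router-id 172.16.51.2
 network 172.16.51.0 255.255.255.0 area 0
 redistribute connected subnets
"""

# Constructed interface table (assumption: inside is 10.51.0.1/24; the post only shows outside).
INTERFACES = {"outside": "172.16.51.2/24", "inside": "10.51.0.1/24"}
# Interfaces where a real OSPF neighbor (the core switch) is expected.
EXPECTED_NEIGHBOR_IFS = {"outside"}

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)")


def parse_ospf(config):
    """Return the list of (network, area) pairs and whether connected routes are redistributed."""
    networks, redistribute_connected = [], False
    for line in config.splitlines():
        m = NETWORK_RE.match(line)
        if m:  # "network A.B.C.D MASK area N": ipaddress accepts the "A.B.C.D/MASK" form
            networks.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
        elif line.strip().startswith("redistribute connected"):
            redistribute_connected = True
    return networks, redistribute_connected


def audit(config, interfaces, expected_neighbor_ifs):
    """Flag interfaces running OSPF without an expected neighbor ("unneeded"), expected
    neighbors with no network statement ("missing"), and prefixes advertised by neither."""
    networks, redistribute_connected = parse_ospf(config)
    # An interface runs OSPF when its address falls inside any network statement.
    ospf_enabled = {
        name for name, cidr in interfaces.items()
        if any(ipaddress.ip_interface(cidr).ip in net for net, _ in networks)
    }
    return {
        "unneeded": ospf_enabled - expected_neighbor_ifs,
        "missing": expected_neighbor_ifs - ospf_enabled,
        "not_advertised": set() if redistribute_connected else set(interfaces) - ospf_enabled,
    }
```

Running audit() on BEFORE flags the inside interface as unneeded, while AFTER flags nothing and still advertises the inside prefix through redistribution.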

This post is licensed under CC BY 4.0 by the author.