Palo Alto Networks OSPF Scenario Quiz

Scenario: A Palo Alto firewall acts as an Autonomous System Boundary Router (ASBR) connecting an OSPF Area 1 to an external network learned via BGP. You need to advertise the BGP routes into OSPF Area 1.

1. Which configuration step is required on the firewall to inject these BGP routes into the OSPF domain?

• Configure an OSPF Export Rule matching the BGP routes.
• Configure a Redistribution Profile under the Virtual Router, select OSPF, and specify BGP as the source to redistribute.
• Define an Area Range for Area 1 that covers the BGP prefixes.
• Configure the OSPF interface connecting to Area 1 as passive.

Scenario: Following the previous scenario, the BGP routes are now being redistributed into OSPF Area 1. An administrator checks the OSPF routes on another router within Area 1.

2. By default, what OSPF metric type will these redistributed routes likely have, and what does this type signify for path cost calculation?

• Type E1, meaning the total cost is the redistribution cost plus the internal OSPF cost to the ASBR.
• Type N1, meaning the cost reflects only the BGP MED value.
• Type E2, meaning the cost primarily reflects the redistribution cost and remains constant throughout the OSPF domain (internal path cost to ASBR is only used as a tie-breaker).
• Type IA, meaning the cost is calculated based on the AS Path length of the original BGP route.

Scenario: A remote office is connected via a Palo Alto firewall running OSPF in Area 10. To minimize the routing table size and complexity within Area 10, the administrator wants to prevent all external routes (Type 5 LSAs) from entering but still allow routes from other OSPF areas (e.g., Area 0, Area 20) to be learned.

3. Which OSPF Area Type should be configured for Area 10 on the ABR connecting it to Area 0?

• Configure Area 10 as a Totally Stubby Area.
• Configure Area 10 as a Standard (Normal) Area.
• Configure Area 10 as a Stub Area.
• Configure Area 10 as a Not-So-Stubby Area (NSSA).

Scenario: An administrator decides to be even more aggressive in minimizing the LSDB size within Area 10 (from the previous scenario). They want to block *both* external routes (Type 5 LSAs) AND summary routes from other OSPF areas (Type 3 LSAs), relying entirely on a default route injected by the ABR for all outside connectivity.

4. Which OSPF Area Type achieves this goal?

• Stub Area
• Not-So-Stubby Area (NSSA)
• Standard Area with route filtering
• Totally Stubby Area

Scenario: A specific OSPF area (Area 51) contains a Palo Alto firewall acting as an ASBR, redistributing routes from a local, non-OSPF routing domain (e.g., static routes for a partner network). However, the design requires that external routes from the main OSPF backbone (Area 0) should NOT be flooded into Area 51.

5. Which OSPF Area Type should Area 51 be configured as to allow local redistribution (creating Type 7 LSAs) while blocking incoming Type 5 LSAs?

• Standard Area
• Totally Stubby Area
• Not-So-Stubby Area (NSSA)
• Stub Area

Scenario: A Type 7 LSA, generated by an ASBR within an NSSA (Area 51), reaches the NSSA ABR (the router connecting Area 51 to Area 0).

6. What action does the NSSA ABR take regarding this Type 7 LSA when advertising the external route information into Area 0?

• It blocks the LSA entirely to maintain the NSSA boundary.
• It converts the Type 7 LSA into a Type 5 AS-External LSA before flooding it into Area 0.
• It floods the Type 7 LSA unchanged into Area 0.
• It converts the Type 7 LSA into a Type 3 Summary LSA.

Scenario: An ABR connects OSPF Area 2 (containing networks 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24) to Area 0. To reduce the number of Type 3 LSAs flooded into Area 0, the administrator wants to advertise a single summary route.

7. Where should the administrator configure the summary route 192.168.8.0/21 on the Palo Alto firewall acting as the ABR?

• In the Redistribution Profile applied to Area 0.
• Under Virtual Router > OSPF > Areas > Area 0 > Range.
• Under Virtual Router > OSPF > Areas > Area 2 > Range.
• Under Virtual Router > OSPF > Export Rules.

Scenario: A Palo Alto firewall acts as an ASBR redistributing a large number of specific routes from BGP into OSPF Area 0. The administrator wants to advertise a single summary route for these external prefixes *into* the OSPF domain, rather than injecting all the specific external routes.

8. Which OSPF configuration area is used on the ASBR firewall to define a summary for redistributed external routes?

• Virtual Router > OSPF > Areas > Area 0 > Range
• Virtual Router > Redistribution Profile > Filter
• Virtual Router > OSPF > Advanced > Summary Address
• Virtual Router > OSPF > Import Rules

Scenario: A Palo Alto firewall has a static route configured for 172.16.50.0/24 pointing to a partner network. It also learns a route for the same prefix 172.16.50.0/24 via OSPF from an internal router.

9. Assuming default Administrative Distances (AD) on the firewall, which route will be installed in the routing table and used to forward traffic to 172.16.50.0/24?

• The OSPF route, because dynamic routing is preferred.
• The Static route, because its default AD (10) is lower than OSPF's default AD (110).
• Both routes will be installed, and traffic will be load-balanced.
• Whichever route was learned first.

Scenario: An OSPF router receives two Type 5 external LSAs for the same destination prefix. One route has metric type E1 with a total calculated cost of 50. The other has metric type E2 with a cost (external metric) of 40.

10. Based solely on OSPF external route preference rules, which path will the router generally prefer?

• The E2 route, because its stated external cost (40) is lower than the total E1 cost (50).
• The E1 route, because E1 routes are always preferred over E2 routes, regardless of the cost values.
• The router will load balance between the two paths.
• Whichever route has the lower ASBR Router ID.

Scenario: An OSPF network design has Area 3 physically connected only to Area 2. Area 2 is connected to Area 1, and Area 1 is connected to the backbone, Area 0. Area 3 needs to learn routes from Area 0.

11. What OSPF feature must be configured, and where, to allow Area 3 to logically connect to the backbone?

• A Virtual Link configured on the ABRs connecting Area 1 and Area 0.
• Configure Area 2 as a transit area and set up a Virtual Link between the ABR connecting Area 2 to Area 3 and the ABR connecting Area 2 to Area 1.
• Redistribute Area 1 routes into Area 2, and Area 2 routes into Area 3.
• Configure Area 3 as an NSSA area.

(This scenario is complex, testing deep understanding of OSPF topology rules)

Scenario: A firewall is redistributing static routes into OSPF. The administrator only wants to redistribute the specific static route 10.200.1.0/24 and block all other static routes from entering OSPF.

12. How can this selective redistribution be achieved within the Redistribution Profile configuration?

• By setting the default metric type to E1 only for that prefix.
• By using an OSPF Export Rule attached to the profile.
• By configuring a Filter (using IP prefixes or route tags) within the Redistribution Profile to explicitly allow only 10.200.1.0/24.
• By setting the Area type to Stub for the area receiving the redistribution.

Scenario: An engineer is troubleshooting why OSPF routes are not appearing in the Palo Alto firewall's main routing table (RIB). They have verified that OSPF neighbor adjacency is in the 'Full' state using show routing protocol ospf neighbor .

13. Which command should the engineer use next to verify if the expected Link State Advertisements (LSAs) are present in the firewall's OSPF database?

• show routing fib
• show routing route type ospf
• show routing protocol ospf policy
• show routing protocol ospf database

Scenario: Two Palo Alto firewalls are connected via an Ethernet link and configured for OSPF in Area 0. One firewall consistently becomes the Designated Router (DR) for the segment. The administrator wants the *other* firewall to be preferred as the DR.

14. Which OSPF interface parameter should be increased on the firewall that is desired to become the DR?

• Metric (Cost)
• Hello Interval
• Priority
• Retransmit Interval

Scenario: An OSPF neighbor adjacency between two firewalls is stuck in the EXSTART or EXCHANGE state. Both routers can ping each other, Hellos are being exchanged, and MTU matches.

15. What is a likely cause for the adjacency failing during the Database Descriptor (DBD) packet exchange process?

• Mismatched OSPF Area ID.
• Mismatched OSPF process ID.
• Duplicate OSPF Router ID within the area.
• A passive interface configuration on one side.

Scenario: A Palo Alto firewall learns the route 10.1.1.0/24 via OSPF (default AD 110) and the same route 10.1.1.0/24 via eBGP (default AD 20).

16. Which route will be preferred and installed into the firewall's routing table?

• The OSPF route, because it likely has a lower metric.
• The eBGP route, because its Administrative Distance (20) is lower (more preferred) than OSPF's (110).
• It depends on which protocol was configured first.
• The firewall will use Policy Based Forwarding to decide.

Scenario: An administrator configures OSPF redistribution of connected interfaces but forgets to specify a metric or metric type in the Redistribution Profile.

17. What is the likely outcome when the firewall attempts to redistribute these connected routes into OSPF?

• The routes will be redistributed with a default metric of 1 and type E1.
• The routes will be redistributed using the interface's actual OSPF cost and type IA.
• The redistribution will fail, and the connected routes will not be advertised into OSPF because a metric is mandatory.
• The routes will be redistributed with a default metric of 20 and type E2.

Scenario: A firewall needs to advertise its loopback interface (used for management or iBGP peering) into OSPF Area 0, but no OSPF neighbors will ever exist on the loopback interface itself.

18. What is the standard method to advertise the loopback's network into OSPF without attempting to form adjacencies on it?

• Configure the loopback interface with OSPF network type 'Broadcast'.
• Redistribute the 'connected' route for the loopback interface into OSPF.
• Add the loopback interface to Area 0 and configure it as 'Passive' in the OSPF Area interface settings.
• Create a static OSPF route pointing to the loopback interface.

Scenario: A Palo Alto firewall in Area 0 learns a route to 10.5.5.0/24 via OSPF with a cost of 30. It also has a static route configured for 10.5.5.0/24 with the default Administrative Distance and a metric of 5.

19. Which route takes precedence in the firewall's routing table?

• The OSPF route because its cost (30) is higher than the static metric (5).
• The Static route because its Administrative Distance (default 10) is lower than OSPF's (110).
• The OSPF route because dynamic protocols are preferred over static routes.
• The route learned first will be installed.

Scenario: An administrator wants to prevent routes learned from Area 10 (a standard area) from being advertised into Area 20 (also a standard area). The firewall acts as an ABR connected to Area 0, Area 10, and Area 20.

20. How can the administrator filter these Type 3 LSAs from entering Area 20?

• Configure Area 20 as a Stub Area.
• Use an OSPF Export Rule applied to Area 20, filtering prefixes originating from Area 10.
• Configure an 'area range' for Area 10 with the 'not-advertise' option.
• Configure the interfaces connecting to Area 20 as passive.