Palo Alto Networks OSPF & OSPFv3 Implementation Guide

1. OSPF Overview

Open Shortest Path First (OSPF) is a link-state routing protocol used for routing IP packets within a single routing domain. Palo Alto Networks firewalls support both OSPFv2 (for IPv4) and OSPFv3 (for IPv6).

2. Configuring OSPFv3

1. Navigate to Network > Virtual Routers and select your virtual router.
2. Go to the OSPFv3 tab and enable OSPFv3.
3. Set the Router ID (typically an IPv4 address, even for OSPFv3).
4. Configure Authentication Profiles using IPsec ESP or AH protocols, as OSPFv3 relies on IPsec for its own authentication mechanisms integrated into the IPv6 header.
5. Define Areas (e.g., Area 0 for backbone) and assign interfaces to those areas accordingly. Specify interface types (broadcast, point-to-point etc.) and costs.
6. Set up Export Rules under the OSPFv3 configuration to manage route redistribution from other protocols (like BGP, static) into OSPFv3.
7. Adjust Advanced Options like SPF calculation delay, LSA intervals, and reference bandwidth if needed.

For detailed steps, refer to the official documentation: Configure OSPFv3 - Palo Alto Networks

3. OSPF Area Types

• Normal Area (Standard/Backbone): No restrictions on LSA types (accepts Type 1, 2, 3, 4, 5). Area 0 is the mandatory backbone.
• Stub Area: Blocks Type 5 (AS-External) LSAs. An ABR injects a Type 3 default route. Cannot contain ASBRs.
• Totally Stubby Area (TSA): Blocks Type 5 (AS-External) AND Type 3 (Summary) LSAs. An ABR injects a Type 3 default route. Cannot contain ASBRs. (Cisco proprietary concept often implemented).
• Not-So-Stubby Area (NSSA): Blocks Type 5 LSAs from other areas but CAN contain an ASBR. External routes redistributed locally are advertised within the NSSA using Type 7 LSAs, which are translated to Type 5 by the NSSA ABR.
• Totally NSSA: An NSSA that also blocks Type 3 LSAs, relying on a default route for inter-area and external connectivity.

4. LSA Types

• Type 1 (Router LSA): Generated by each router; describes its links within an area. Flooded within the area.
• Type 2 (Network LSA): Generated by the DR on multi-access segments; lists routers on the segment. Flooded within the area.
• Type 3 (Summary LSA / Inter-Area Prefix LSA): Generated by ABRs; advertises prefixes from one area into another. Flooded into adjacent areas.
• Type 4 (ASBR Summary LSA): Generated by ABRs; advertises the location (Router ID) of an ASBR in another area. Flooded into areas needing to reach the ASBR.
• Type 5 (AS External LSA): Generated by ASBRs; advertises routes external to the OSPF domain (redistributed). Flooded throughout standard areas.
• Type 7 (NSSA External LSA): Generated by ASBRs within an NSSA; advertises external routes. Flooded only within the NSSA; translated to Type 5 by NSSA ABR.
• Type 8 (Link LSA): OSPFv3 specific; used for link-local addresses and options on a link. Link-local scope only.
• Type 9 (Intra-Area Prefix LSA): OSPFv3 specific; carries IPv6 prefix information within an area (replaces network info previously in Type 1/2). Flooded within the area.

5. Route Redistribution

To redistribute routes from other protocols (e.g., BGP, static, connected) into OSPFv3 on a Palo Alto firewall:

1. Navigate to Network > Virtual Routers and select your virtual router.
2. Go to Redistribution Profiles , click Add .
3. Give the profile a name. Set Priority (lower wins if multiple profiles match).
4. Under Redistribute , check the source protocol(s) (e.g., static , bgp ).
5. Optionally configure Filters to selectively redistribute specific routes (by prefix or tag).
6. Set the desired OSPF Metric (cost) for redistributed routes.
7. Set the OSPF Metric Type ( Ext 1 or Ext 2 - default is Ext 2).
8. Go back to the Virtual Router's OSPFv3 configuration.
9. Under Export Rules , click Add .
10. Select the Redistribution Profile you just created.

This structure links the profile (defining *what* and *how* to redistribute) to the OSPFv3 process via an Export Rule.

6. Troubleshooting Commands

Use the following CLI commands for troubleshooting OSPF and OSPFv3:

show routing protocol ospf neighbor        # OSPFv2 neighbors
show routing protocol ospf interface       # OSPFv2 interface status
show routing protocol ospf database        # OSPFv2 LSDB
show routing protocol ospf policy          # OSPFv2 policy/redistribution info
show routing route type ospf               # Routes learned via OSPFv2 in RIB

show routing protocol ospfv3 neighbor      # OSPFv3 neighbors
show routing protocol ospfv3 interface     # OSPFv3 interface status
show routing protocol ospfv3 database      # OSPFv3 LSDB
show routing protocol ospfv3 policy        # OSPFv3 policy/redistribution info
show routing route type ospfv3             # Routes learned via OSPFv3 in RIB
    

These commands provide insights into OSPF neighbor relationships, interface states, the Link-State Database (LSDB), applied policies, and the final routes installed in the Routing Information Base (RIB).

7. References

• Configure OSPFv3 - Palo Alto Networks
• OSPF Concepts - Palo Alto Networks
• Create OSPFv3 Routing Profiles - Palo Alto Networks (Note: Link seems related but title might be slightly off, refers more broadly to routing profiles)
• CLI Cheat Sheet: Networking - Palo Alto Networks
• Confirm that OSPF Connections are Established - Palo Alto Networks
• Introduction to OSPF Area Types - The Network DNA
• Introduction to OSPF Stub Areas - NetworkLessons.com
• OSPF LSA Types Explained - Firewall.cx