PAN-OS Routing Redistribution Guide

Introduction

Welcome to this guide on routing redistribution within Palo Alto Networks PAN-OS, specifically tailored for candidates preparing for the PCNSE certification. Routing redistribution is a fundamental networking concept that allows different routing domains, using potentially different protocols, to exchange routing information.

PAN-OS firewalls, acting as central points in the network, often need to facilitate this exchange.

Core Concepts: What is Routing Redistribution?

Routing redistribution is the process of taking routes learned via one routing source (like OSPF, BGP, static routes, or directly connected interfaces) and advertising them into a different routing protocol domain running on the same router (or virtual router in PAN-OS).

Imagine a scenario where a company acquires another, each using different routing protocols (e.g., OSPF and EIGRP, although EIGRP isn't natively supported on PAN-OS).

In PAN-OS, redistribution is controlled centrally through Redistribution Profiles within a virtual router configuration.

     
      PCNSE Exam Note:
     
     Remember that redistribution profiles are the
     
      only
     
     way to exchange routing information between different protocols or sources within a PAN-OS virtual router.  Understanding their role is fundamental.

Core Concepts: Administrative Distance & Metrics

When a router learns about the same destination prefix from multiple routing sources, it needs a way to decide which route is more trustworthy or preferred. This is where Administrative Distance (AD) comes in.

PAN-OS uses specific default AD values:

Connected: 0
Static: 10
eBGP: 20
OSPF Intra-Area / Inter-Area: 110
RIP: 120
iBGP: 200
OSPF External: 110 (Note: While often 110 in PAN-OS, be aware other vendors might differentiate external OSPF AD).

     
      PCNSE Exam Note:
     
     Know the default AD values for common protocols in PAN-OS, especially Static, eBGP, OSPF, and iBGP. Be aware that these can differ from other vendors (e.g., Arista's default eBGP AD is 200, unlike PAN-OS or Cisco's 20).

While AD determines the trustworthiness *between* different routing sources, Metric is used *within* a single dynamic routing protocol to determine the best path among multiple paths learned via that *same* protocol.

When redistributing routes from one protocol (Source Protocol) into another (Destination Protocol), the metric from the Source Protocol is usually lost because the Destination Protocol doesn't understand it.

     
      Gotcha!
     
     Failing to set an appropriate seed metric when redistributing can prevent routes from being accepted or propagated correctly in the destination protocol domain. PAN-OS allows setting this metric directly in the redistribution profile.

Core Concepts: Redistribution Profiles

Redistribution Profiles are the cornerstone of route redistribution in PAN-OS.

Key elements of a Redistribution Profile include:

Name: A unique identifier for the profile.
Priority: A numerical value (1-255) determining the order of evaluation when multiple profiles exist. Lower numbers have higher priority (are evaluated first).
Action: Either Redist (to redistribute matching routes) or No Redist (to explicitly prevent redistribution of matching routes).
Filter (Type): Specifies the source of the routes to consider for redistribution (e.g., Static, Connected, OSPF, BGP, RIP).
Filter (General / OSPF / BGP): Allows for more granular filtering based on criteria like destination prefixes, interfaces, next hops, OSPF area/path type, or BGP community/AS path attributes.
New Metric: Assigns a specific metric value to the routes as they are redistributed into the target protocol.
Set OSPF Path Type: (For OSPF) Specifies whether redistributed routes should be advertised as External Type 1 (E1) or External Type 2 (E2).
Set BGP Attributes: (For BGP) Allows modification of attributes like Origin, Local Preference, MED, Community, etc., for routes redistributed into BGP.

     
      PCNSE Exam Note:
     
     You must understand each component of a Redistribution Profile, especially Priority, Action, Filter Type, and Metric/Attribute settings. Questions often involve troubleshooting why routes aren't redistributed, and the profile configuration is usually the key.

Once created, a Redistribution Profile must be applied under the specific protocol's configuration where you want the routes *exported* or *redistributed into*. For example:

To redistribute static routes into OSPF, apply the profile under OSPF > Export Rules.
To redistribute OSPF routes into BGP, apply the profile under BGP > Redist Rules.
To redistribute BGP routes into OSPF, apply the profile under OSPF > Export Rules.

Core Concepts: Filtering and Priority

Redistribution Profiles offer powerful filtering capabilities to precisely control which routes are shared. You can filter based on:

Source Protocol/Type: The fundamental filter (Static, Connected, OSPF, BGP, etc.).
Destination Prefix: Match specific network addresses/masks.
Interface: Match routes learned via or exiting a specific interface.
Next Hop: Match routes using a particular next-hop address.
OSPF Specific Filters: Area ID, Path Type (Intra-Area, Inter-Area, External-1, External-2), Tag.
BGP Specific Filters: Community, Extended Community, AS Path.

The Priority field is critical when multiple Redistribution Profiles might potentially match the same route. PAN-OS evaluates profiles in ascending order of priority (lower number = higher priority = evaluated first).

This allows for sophisticated include/exclude logic. For example:

Create a profile with Priority 10 , Action No Redist , filtering a specific sensitive prefix (e.g., 10.10.10.0/24) from being redistributed from OSPF into BGP.
Create a second profile with Priority 100 , Action Redist , filtering all OSPF routes (Source Type: OSPF).

In this case, the sensitive prefix 10.10.10.0/24 will match the first, higher-priority profile and will *not* be redistributed. All other OSPF routes will fall through to the second profile and *will* be redistributed.

     
      PCNSE Exam Note:
     
     Understand the "first match" logic based on priority. Lower numerical priority value wins. Specific "No Redist" rules should generally have a lower priority number (higher precedence) than broader "Redist" rules to effectively block certain routes.

     
      Gotcha!
     
     If you only have general "Redist" profiles, you might inadvertently advertise routes you didn't intend to share. Use "No Redist" profiles with higher priority (lower number) to explicitly block routes.

Flowchart illustrating Redistribution Profile priority and action processing.

Core Concepts: Default Route Handling

Redistributing a default route (0.0.0.0/0) often requires special attention. In both OSPF and BGP configurations within the virtual router, there's a specific checkbox labeled "Allow Redistribute Default Route".

To successfully redistribute a default route into OSPF or BGP:

The default route must exist in the firewall's routing table (either learned dynamically or configured as a static route).
A Redistribution Profile must be configured that matches the default route (either by source type 'static' if it's a static default, or via a specific destination filter for 0.0.0.0/0).
This Redistribution Profile must be applied to the relevant protocol's export/redistribution rules (e.g., OSPF Export Rules, BGP Redist Rules).
Crucially, the "Allow Redistribute Default Route" checkbox must be enabled within the OSPF or BGP configuration section where the profile is applied.

     
      PCNSE Exam Note:
     
     Simply matching the default route in a redistribution profile is NOT enough. You MUST also check the "Allow Redistribute Default Route" box in the protocol's main configuration section (OSPF > Export Rules tab or BGP > Redist Rules tab). Forgetting this checkbox is a common reason default route redistribution fails.

     
      Gotcha!
     
     If the firewall doesn't actually *have* a default route in its RIB (e.g., it hasn't learned one via DHCP or BGP, and none is statically configured), it cannot redistribute one unless you explicitly define 0.0.0.0/0 in the Redistribution Profile filter.  The "Allow Redistribute Default Route" checkbox only permits redistribution if a route exists or is defined in the profile.

Configuration: General Steps

Configuring route redistribution in PAN-OS generally follows these steps, regardless of the specific protocols involved:

Identify Need: Determine which routes (from which source: static, connected, OSPF, BGP) need to be advertised into which destination protocol.
Navigate to Virtual Router: Go to Network > Virtual Routers and select the virtual router where redistribution is required.
Create Redistribution Profile(s):
- Go to the Redistribution Profiles tab within the virtual router configuration.
- Click Add to create a new profile.
- Give it a descriptive Name .
- Set the Priority (lower number = higher precedence).
- Choose the Action ( Redist or No Redist ).
- Select the Source Type under the Filter tab (e.g., 'static', 'connected', 'ospf', 'bgp').
- Optionally, add more specific filters (Destination, Interface, Next Hop, protocol-specific attributes).
- Define the New Metric appropriate for the destination protocol.
- Configure any necessary protocol-specific options (e.g., OSPF Path Type, BGP attributes).
- Click OK to save the profile.
Apply Profile to Destination Protocol:
- Navigate to the configuration section of the protocol you are redistributing *into* (e.g., OSPF or BGP within the virtual router).
- Find the relevant section for applying redistribution/export rules (e.g., OSPF > Export Rules tab, BGP > Redist Rules tab).
- Click Add .
- Select the Redistribution Profile you created.
- If redistributing a default route, ensure the "Allow Redistribute Default Route" checkbox is enabled in this section.
- Click OK .
Commit Changes: Click Commit in the top-right corner of the Web UI to apply the configuration changes.

     
      PCNSE Exam Note:
     
     Be able to walk through these steps mentally or on the GUI. Exam questions might present a scenario and ask you to identify the missing or incorrect configuration step needed for redistribution.

Configuration Example: Redistributing Static Routes into OSPF

This is a common requirement, often used to advertise specific internal networks or a default route into the OSPF domain.

Steps:

Ensure Static Route Exists: Verify the static route you want to redistribute is configured under Network > Virtual Routers > [Your VR] > Static Routes .
Create Redistribution Profile:
- Go to Redistribution Profiles and click Add .
- Name: e.g., Redist_Static_to_OSPF
- Priority: e.g., 10 (adjust as needed).
- Action: Redist .
- Filter Tab: Source Type: Select static .
- Filter Tab (Optional): Add the specific static route prefix(es) under Destination if you don't want to redistribute *all* static routes.
- Metric: Set an appropriate OSPF metric (e.g., 20 ).
- Set OSPF Path Type: Choose Ext 1 or Ext 2 (Default is typically Ext 2).
- Click OK .
Apply Profile to OSPF:
- Go to OSPF configuration within the same virtual router.
- Navigate to the Export Rules tab.
- If redistributing a default route (0.0.0.0/0), check the "Allow Redistribute Default Route" box.
- Click Add .
- Select the Redist_Static_to_OSPF profile created earlier.
- Click OK .
Commit Changes.

     
      PCNSE Exam Note:
     
     Questions frequently test the redistribution of static routes (especially default routes) into OSPF. Ensure you know where to create the profile (Source Type: static) and where to apply it (OSPF > Export Rules), including the critical "Allow Redistribute Default Route" checkbox.

Configuration Example: Redistributing BGP Routes into OSPF

This scenario involves taking routes learned via BGP (typically from external peers like ISPs or other ASNs) and making them known within your internal OSPF domain.

Steps:

Ensure BGP Routes Exist: Verify that the firewall is successfully peering with its BGP neighbors and receiving the desired routes. Check under Network > Virtual Routers > [Your VR] > More Runtime Stats > BGP > RIB In .
Create Redistribution Profile:
- Go to Redistribution Profiles and click Add .
- Name: e.g., Redist_BGP_to_OSPF
- Priority: e.g., 20 (adjust relative to other profiles).
- Action: Redist .
- Filter Tab: Source Type: Select bgp .
- Filter Tab (Optional): Add specific filters if needed (e.g., match specific prefixes, AS paths, or communities learned via BGP).
- Metric: Set an appropriate OSPF metric (e.g., 50 ).
- Set OSPF Path Type: Choose Ext 1 or Ext 2 .
- Click OK .
Apply Profile to OSPF:
- Go to OSPF configuration.
- Navigate to the Export Rules tab.
- If redistributing a default route learned via BGP, check the "Allow Redistribute Default Route" box.
- Click Add .
- Select the Redist_BGP_to_OSPF profile.
- Click OK .
Commit Changes.

     
      Gotcha!
     
     Redistributing a large number of specific BGP routes into OSPF can potentially flood the OSPF domain and increase its complexity. Consider summarizing routes within BGP before redistribution, or carefully filter only the necessary prefixes.

     
      PCNSE Exam Note:
     
     Focus on the source type ('bgp') in the profile and applying it under OSPF Export Rules.  Understand the implications of metric and path type (E1/E2) selection.

Configuration Example: Redistributing OSPF Routes into BGP

This involves advertising routes learned via OSPF (typically internal networks) into the BGP domain, often to advertise them to external peers or across different parts of a large BGP-based network.

Steps:

Ensure OSPF Routes Exist: Verify the desired OSPF routes are present in the firewall's routing table ( show routing protocol ospf route or via Web UI Runtime Stats).
Create Redistribution Profile:
- Go to Redistribution Profiles and click Add .
- Name: e.g., Redist_OSPF_to_BGP
- Priority: e.g., 30 .
- Action: Redist .
- Filter Tab: Source Type: Select ospf (for IPv4) or ospfv3 (for IPv6).
- Filter Tab (Optional): Filter based on OSPF Area, Path Type, Tag, or specific destination prefixes.
- Metric: Set a BGP metric (MED - Multi-Exit Discriminator), if desired (e.g., 100 ).
- Set BGP Attributes (Optional): Modify attributes like Origin (often set to 'incomplete' for redistributed routes), Local Preference, or add Communities.
- Click OK .
Apply Profile to BGP:
- Go to BGP configuration.
- Navigate to the Redist Rules tab.
- If redistributing a default route learned via OSPF (less common, but possible), check the "Allow Redistribute Default Route" box.
- Click Add .
- Select the Redist_OSPF_to_BGP profile.
- Choose the Address Family Identifier (typically 'ipv4' or 'ipv6').
- Optionally set a metric here as well (overrides profile if set).
- Ensure 'Enable' is checked for the rule.
- Click OK .
Commit Changes.

     
      PCNSE Exam Note:
     
     Key points are the source type ('ospf'/'ospfv3') in the profile and applying it under BGP > Redist Rules. Understand that BGP attributes (like Origin, MED, Community) can be manipulated during redistribution via the profile.

     
      Gotcha!
     
     By default, routes redistributed into BGP often get an 'Incomplete' Origin attribute. While often acceptable, be aware of this as it might affect BGP path selection elsewhere if other paths have 'IGP' or 'EGP' origins. You can explicitly set the Origin attribute in the redistribution profile if needed.

Configuration Example: Redistributing Connected Routes into OSPF

Sometimes you need to advertise the subnets configured directly on the firewall's interfaces (connected routes) into your OSPF domain, especially if those interfaces aren't participating directly in OSPF.

Steps:

Identify Connected Interfaces: Determine which directly connected interface subnets need to be advertised. These are visible in the routing table with a 'C' flag ( show routing route ).
Create Redistribution Profile:
- Go to Redistribution Profiles and click Add .
- Name: e.g., Redist_Connected_to_OSPF
- Priority: e.g., 15 .
- Action: Redist .
- Filter Tab: Source Type: Select connect .
- Filter Tab (Optional): Add specific interface names or destination prefixes if you only want to redistribute specific connected routes.
- Metric: Set an appropriate OSPF metric (e.g., 10 ).
- Set OSPF Path Type: Choose Ext 1 or Ext 2 .
- Click OK .
Apply Profile to OSPF:
- Go to OSPF configuration.
- Navigate to the Export Rules tab.
- Click Add .
- Select the Redist_Connected_to_OSPF profile.
- Click OK .
Commit Changes.

     
      PCNSE Exam Note:
     
     This is another common scenario. Remember the source type is 'connect' and it's applied via OSPF Export Rules.

Configuration Note: Advanced Routing Engine (PAN-OS 10.0+)

Starting with PAN-OS 10.0, Palo Alto Networks introduced an optional "Advanced Routing Engine".

Key differences relevant to redistribution:

Logical Routers: Routing protocols and interfaces are configured under Logical Routers, not Virtual Routers.
Profiles and Filters: While profiles are still used extensively, the filtering mechanisms are enhanced with standard constructs like prefix lists, AS path lists, community lists, and route maps.
Route Maps: Route maps provide more complex conditional logic for manipulating routes during redistribution (e.g., setting attributes based on specific matches).
UI Changes: The Web UI structure for advanced routing configuration differs from the traditional virtual router setup.

     
      PCNSE Exam Note:
     
     While the PCNSE objectives may still primarily focus on the traditional Virtual Router configuration, be aware of the existence and basic concepts of the Advanced Routing Engine, especially the use of Logical Routers and industry-standard filters like route maps and prefix lists.  The fundamental principles of redistribution (AD, metrics, profiles) remain the same, but the implementation details differ.

Configuration within the Advanced Routing Engine involves defining routing profiles (like BGP redistribution profiles, OSPF redistribution profiles) and filter profiles (prefix lists, route maps, etc.) and then applying them within the protocol configuration under the Logical Router.

PCNSE Focus: Key Exam Points

For the PCNSE exam, focus on these critical aspects of PAN-OS redistribution:

Redistribution Profiles are Central: Understand that all redistribution logic flows through these profiles. Know their components: Priority, Action, Filters (Source Type, Destination, etc.), Metric/Attributes.
Priority Matters: Lower number = higher priority = first match wins. Understand how to use `No Redist` with higher priority to exclude specific routes.
Application Point: Know where to apply the profile: OSPF Export Rules for redistributing *into* OSPF, BGP Redist Rules for redistributing *into* BGP.
Default Route Checkbox: Remember the "Allow Redistribute Default Route" checkbox within the OSPF/BGP configuration sections is mandatory for default route redistribution, in addition to the profile itself.
Source Types: Be familiar with the common source types: `static`, `connected`, `ospf`, `bgp`, `rip`.
Metric/Path Type/Attributes: Understand that metrics need to be set for the receiving protocol and that attributes (OSPF path type, BGP attributes) can be modified.
Administrative Distance: Know the PAN-OS default AD values and how they influence route selection when routes are learned via multiple sources.
Verification: Be familiar with basic CLI commands to verify routing tables and redistribution. (`show routing route`, `show routing protocol ospf|bgp ...`)
Troubleshooting Logic: If redistribution isn't working, systematically check:
- Does the source route exist in the RIB?
- Is the Redistribution Profile configured correctly (Action, Filter, Metric)?
- Is the profile applied to the correct protocol's export/redist rules?
- Is the Priority correct relative to other profiles?
- For default routes, is the "Allow Redistribute Default Route" box checked?
- Are there any upstream/downstream filters blocking the advertisement?

     
      PCNSE Exam Note:
     
     Troubleshooting scenarios are common. Be prepared to analyze a configuration and identify the misconfiguration preventing successful redistribution, often related to profile filters, priority, application point, or the default route checkbox.

PCNSE Focus: Common Pitfalls

Be aware of potential issues when implementing route redistribution:

Routing Loops: Redistributing routes in multiple directions between protocols without careful filtering can create routing loops. This happens because the loop prevention mechanisms inherent in one protocol might be lost when routes are translated into another. For example, redistributing OSPF routes into BGP at one point, and BGP routes back into OSPF at another point, requires careful metric/AD manipulation and filtering to prevent routes learned from one protocol being preferred back via the other protocol.
Suboptimal Routing: Incorrect metric settings during redistribution can lead to traffic taking inefficient paths. Setting an artificially low metric for a redistributed route might make it seem more preferable than a native, potentially better path within the destination protocol.
Inconsistent Information: If redistribution is configured inconsistently across multiple border routers, different parts of the network might have conflicting views of the topology.
Forgetting the Metric: Failing to set a seed metric for redistributed routes can cause them to be ignored or treated as unreachable by the receiving protocol.
Missing Default Route Checkbox: As mentioned, forgetting to enable "Allow Redistribute Default Route" will prevent default route advertisement even with a correct profile.
Incorrect Profile Priority: Placing a general "Redist" rule with a higher priority (lower number) than a specific "No Redist" rule will cause the "No Redist" rule to never be evaluated for routes matching the general rule.
Filtering Too Broadly or Narrowly: Overly broad filters can leak unintended routes, while overly narrow filters might block necessary routes. Precision in filter definition is key.

     
      CRITICAL:
     
     Routing loops are the most dangerous pitfall of redistribution. Always carefully plan and test redistribution policies, especially in scenarios involving mutual redistribution (Protocol A into B, and Protocol B into A). Use filtering and metric/AD manipulation strategically.

PCNSE Focus: Verification Commands (CLI)

Verifying redistribution involves checking routing tables on the firewall itself and, critically, on downstream neighbors.

Common PAN-OS CLI commands:

show routing route : Displays the main routing table (RIB). Look for routes learned via different protocols and check their AD and metric. Redistributed routes should appear here with the AD of the protocol they were redistributed *into*.
show routing fib : Displays the Forwarding Information Base, the actual table used for packet forwarding. Useful to confirm the active route being used.
show routing protocol ospf route : Shows routes learned specifically via OSPF.
show routing protocol ospf lsdb : Displays the OSPF Link-State Database. Look for External LSAs (Type 5 or Type 7) which often represent redistributed routes.
- show routing protocol ospf lsdb type extern | match
show routing protocol ospf neighbor : Check OSPF adjacency state. Needs to be Full (or 2-Way for DR/BDR election) for routes to exchange.
show routing protocol bgp peer : Check BGP peer status (should be 'Established').
show routing protocol bgp rib-in : Shows routes received from BGP peers before local policies/filtering.
show routing protocol bgp rib-out : Shows routes advertised *to* BGP peers after local policies/redistribution. This is key for verifying what you are sending out via BGP redistribution.
- show routing protocol bgp rib-out | match
show routing redistribution : Provides information about the configured redistribution profiles and potentially statistics (depending on version/context).
test routing redistribution profile <profile_name> route <prefix> : (Potentially available, command syntax may vary) Simulates how a specific prefix would be handled by a given redistribution profile.

     # Example: Check if default route is advertised via OSPF Type-5 LSA
            > show routing protocol ospf lsdb type extern | match 0.0.0.0/0
            LSID AdvRouter Seq# Checksum Age Options LinkState RefCnt Flags
            0.0.0.0/0 10.1.1.1 0x80000001 0xcefe 29 [External] 1 1 0x22 O5

            # Example: Check if a specific prefix is being advertised to BGP peers
            > show routing protocol bgp rib-out | match 192.168.1.0/24
            *> 192.168.1.0/24 10.0.0.1 peer-group-1 100 0 65001 i (Metric 100)
    

     
      PCNSE Exam Note:
     
     Be comfortable interpreting the output of `show routing route`, `show routing protocol bgp rib-out`, and `show routing protocol ospf lsdb`. You might be shown command output and asked to diagnose a redistribution problem.  Knowing where to look for received vs. advertised routes is crucial.

Remember to also check the routing table on the neighboring router that *should* be receiving the redistributed routes. This is the ultimate confirmation that redistribution is working end-to-end.

PCNSE Focus: Conceptual Diagrams

Visualizing the flow helps solidify understanding.

Diagram 1: Basic Redistribution Flow (Static to OSPF)

Sequence of events for redistributing a static route into OSPF.

Diagram 2: Redistribution Profile Logic Flowchart

Simplified flowchart of how a route is processed for redistribution.

Diagram 3: Potential Redistribution Loop Scenario

High-level illustration of how mutual redistribution can lead to loops if not managed carefully.

Redistribution Quiz (PCNSE Focus)

Test your knowledge of PAN-OS route redistribution concepts.

1. What is the primary mechanism used in PAN-OS to control the exchange of routes between different routing protocols or sources within a virtual router?

Route Maps Access Lists Redistribution Profiles Policy-Based Forwarding Rules

2. What is the default Administrative Distance (AD) for a static route in PAN-OS?

1 10 20 110

3. When configuring multiple Redistribution Profiles, which profile is evaluated first?

The profile with the lowest Priority number. The profile with the highest Priority number. The profile configured most recently. The profile with the action "Redist".

4. An administrator wants to redistribute a static default route (0.0.0.0/0) into OSPF. They have created a Redistribution Profile filtering static routes and applied it under OSPF Export Rules. However, the default route is not appearing on the OSPF neighbor. What crucial configuration step is likely missing?

Setting the OSPF Path Type to Ext 1 in the profile. Adding a metric of 0 in the Redistribution Profile. The Redistribution Profile priority must be set to 1. The "Allow Redistribute Default Route" checkbox is not enabled under OSPF configuration.

5. Which Filter Source Type would you select in a Redistribution Profile to advertise routes from interfaces directly configured with IP addresses on the firewall?

connect static local interface

6. What is the purpose of setting a 'New Metric' within a Redistribution Profile?

To change the Administrative Distance of the redistributed route. To assign a starting metric value understood by the destination routing protocol. To filter routes based on their original metric. To prioritize the Redistribution Profile itself.

7. To prevent a specific prefix (e.g., 172.16.10.0/24) learned via BGP from being redistributed into OSPF, while allowing other BGP routes, what is the best practice using Redistribution Profiles?

Create one profile with Action 'Redist', filtering Source Type 'bgp', and manually remove the prefix later. Create one profile with Action 'Redist', filtering Source Type 'bgp', and set the metric for 172.16.10.0/24 to maximum. Create a profile with lower priority number (e.g., 10), Action 'No Redist', filtering 172.16.10.0/24, and another profile with higher priority number (e.g., 100), Action 'Redist', filtering Source Type 'bgp'. Create one profile with Action 'No Redist', filtering Source Type 'bgp'.

8. Where in the PAN-OS configuration hierarchy are Redistribution Profiles defined?

Device > Setup > Services Network > Interfaces Policies > Policy Based Forwarding Network > Virtual Routers > [VR Name] > Redistribution Profiles

9. What default Administrative Distance does PAN-OS assign to routes learned via eBGP?

20 90 170 200

10. Which CLI command is most useful for verifying the routes that the firewall is *advertising* to its BGP peers after redistribution policies have been applied?

show routing route show routing protocol bgp rib-out show routing protocol bgp rib-in show routing fib

11. When redistributing OSPF routes into BGP, what is the default BGP Origin attribute typically assigned to these routes?

IGP EGP Unknown Incomplete

12. A firewall learns the route 192.168.1.0/24 via OSPF (AD 110) and also has a static route configured for 192.168.1.0/24 (AD 10). Which route will be installed in the firewall's main routing table (RIB)?

The static route because it has a lower Administrative Distance. The OSPF route because dynamic routes are preferred over static. Both routes will be installed, and the firewall will load balance. Neither route will be installed until redistribution is configured.

13. In which section of the OSPF configuration within a virtual router are Redistribution Profiles applied to export routes *into* OSPF?

Areas Tab Import Rules Tab Export Rules Tab Auth Profiles Tab

14. What is a potential risk associated with mutual redistribution (e.g., OSPF into BGP and BGP into OSPF) if not carefully managed with filtering and metric/AD settings?

Increased CPU utilization only. Routing loops. Automatic route summarization. Failure of the firewall HA pair.

15. The "Set OSPF Path Type" option in a Redistribution Profile allows you to classify redistributed routes entering OSPF as either External Type 1 (E1) or External Type 2 (E2). What is the main difference in how OSPF calculates the cost for these types?

E1 cost includes the redistribution seed metric plus the internal OSPF cost to the ASBR; E2 cost only considers the seed metric. E2 cost includes the redistribution seed metric plus the internal OSPF cost to the ASBR; E1 cost only considers the seed metric. E1 routes have a higher Administrative Distance than E2 routes. E2 routes are only allowed in NSSA areas.

16. An administrator has configured redistribution but suspects an issue with the profile's filter. What components can be used to filter routes within a standard PAN-OS Redistribution Profile?

Source IP Address and Destination Port User-ID and Application Source Type (protocol), Destination Prefix, Interface, Next Hop Security Zone and Service Object

17. What does the action 'No Redist' signify in a Redistribution Profile?

Redistribute the route but assign it the highest possible metric. Redistribute the route but remove all BGP attributes. Pause redistribution for the matched routes temporarily. Explicitly prevent routes matching the profile's filters from being redistributed.

18. If a PAN-OS firewall learns the same route via iBGP (AD 200) and OSPF Inter-Area (AD 110), which route will it prefer?

The iBGP route. The OSPF route. It depends on the metric value. It depends on the BGP Local Preference.

19. Which PAN-OS feature, introduced in version 10.0, offers an alternative routing architecture using Logical Routers and industry-standard constructs like route maps and prefix lists?

Advanced Routing Engine Policy-Based Forwarding v2 SD-WAN Hub Routing GlobalProtect Enhanced Routing

20. A firewall needs to advertise its connected interface subnet 10.1.1.0/24 into BGP. An administrator creates a Redistribution Profile named "CONN-TO-BGP" with Source Type 'connect' and Action 'Redist'. Where must this profile be applied?

Under Network > Interfaces > Ethernet > [Interface Name] > Advanced Under Policies > NAT Under Network > Virtual Routers > [VR Name] > OSPF > Export Rules Under Network > Virtual Routers > [VR Name] > BGP > Redist Rules