topic Re: Filtering networks between OSPF Areas in Firewall and Security Management

Filtering networks between OSPF Areas

Bruno_Petronio — Thu, 11 Feb 2021 18:08:44 GMT

Hello Mates 🙂

I'm testing an OSPF configuration in a CheckPoint Firewall cluster with 2 different routers.

I'm not able to avoid to announce all networks from Area0 (the ones directly connected in the Firewall but also the ones learned by OSPF in Backbone Area "0") to Area 1.

I attached a simple network diagram for better understanding.

My Configuration:

FW has only 1 instance (default);
Both Areas in FW are Normal Type;
FW has all interfaces except Transit 2 in Area 0 (Backbone);
FW has Transit 2 interface in Area 1;
Net20, Net 21 and Net 22 are in passive mode;
FW config is restricting Net 30 and Net31 from being advertised from Area 1 to Area 0;

My Goal:

Only advertise Net22 from Area 0 to Area 1 (Only see Net22 in Router_2 routing table from OSPF);

My failed attempts:

Restrict all networks except Net 22 in FW Area 1 config;
Add all networks except Net 22 in address range in Area 0 config;

My understanding: Open to clarifications 🙂

Restrictions and Ranges inside Area configuration is always into Area Backbone. (At least from the R80.30 Advanced Routing Admin Guide);
Is my only option to create a different Instance and use redistribution between OSPF instances ?

Thanks in advance for your help !

Bruno Petrónio

Re: Filtering networks between OSPF Areas

JackPrendergast — Thu, 11 Feb 2021 13:11:26 GMT

Hi Bruno.

Thank you for your detailed post.

Have you configured the ospf areas in cli?

Sometimes I find configuring OSPF is better in CLI.

This way, you can set the redistribution options for OSPF areas and also restrict to apply restrictions to areas.

A copy of your OSPF configuration maybe handy here - blanking out any ip addresses if you so wish to.

Please get this from running show configuration on the firewall CLI

Re: Filtering networks between OSPF Areas

Bruno_Petronio — Fri, 12 Feb 2021 09:13:43 GMT

Hi Jack,

I've done the config in GUI, but re-done in clish 🙂

I was thinking redistributing was about different protocols and not inside the same protocol (in same instance).

The ospf output config as the show route output

The router outputs:

Thanks in advance!

Re: Filtering networks between OSPF Areas

JackPrendergast — Fri, 12 Feb 2021 09:41:25 GMT

Hi Bruno,

To advertise the routes to the different area, you need to do a 'set ospf area xxxx range xxx.xxx.xxx.xx on

Then, as you have done above, to restrict routes, you need to do a 'set ospf area xxx range xxx.xx.xxx.xxx restrict on'

Let me know how you get on 🙂

Re: Filtering networks between OSPF Areas

Bruno_Petronio — Fri, 12 Feb 2021 12:04:32 GMT

Hi Jack,

Without doing the "set ospf instance default area 0 range xxx.xxx.xxx.xx on", im still getting in Router_2 all the networks belonging from Router_1 and all networks defined in the Firewall as belonging in Area0.

I give it the chance to try, and even if i allow the range 10.0.0.0/7 and then restrict the 11.11.11.0/24, (in area 0 configuration) i still see both (10.10.10.0/24 and 11.11.11.0/24) in my Router_2 learned by OSPF.

What i could see as different was when i did the same for 20.0.0.0/6, without restrict any i got a summarized route instead 3 individual.

Restriction still don't restrict from Area0 to Area 1.

In Admin guide they always mention add and restrict networks from other areas to Backbone... I'm wondering if this is a limitation ?!

😞

Re: Filtering networks between OSPF Areas

Bruno_Petronio — Fri, 26 Feb 2021 18:05:11 GMT

Just for the sake of sharing, i ended up creating a different instance with Area 1 and then redistributing what i needed.

Re: Filtering networks between OSPF Areas

genisis__ — Thu, 14 Sep 2023 09:53:24 GMT

One thing I would like to do is:
Ensure the Checkpoint is advertising only a default route into an OSPF area (NSSA), but learns other routes in that area, would the above achieve this?

So on the switch the only route it should pickup is a default route via the Checkpoint.
On the Checkpoint learn any connected routes and advertised routes from the switch.