topic Re: OSPF propagate local subnets in Firewall and Security Management

OSPF propagate local subnets

Wolfgang — Tue, 27 Feb 2024 15:00:05 GMT

I need some advice for the configuration to an export routemap with OSPF.
OSPF is configured and running fine, I receive all routes from external routers and we tested routemaps
for import filters with success. Only routes defined in routemaps are learned from external OSPF routers.

Now we want to propagate routes for local interfaces.
As an example, interface bond3.1000 has an IP in subnet 10.10.10.0/24 configured.
This network 10.10.10.0/24 should be propagate via OSPF on interface bond1.100

#########OSPF configuration##############
set ospf instance default graceful-restart-helper on
set ospf instance default spf-delay 2
set ospf instance default spf-holdtime 5
set ospf instance default default-ase-cost 1
set ospf instance default area backbone on
set ospf instance default area 10.10.0.0 on
set inbound-route-filter ospf2 instance default accept-all-ipv4

########OSPF interface configuration#########

set ospf instance default interface bond1.100 area 10.10.0.0 on
set ospf instance default interface bond1.100 hello-interval 10
set ospf instance default interface bond1.100 dead-interval 40
set ospf instance default interface bond1.100 cost 1
set ospf instance default interface bond1.100 priority 1
set ospf instance default interface bond1.100 retransmit-interval 5

#######routemap configuration##############

set routemap ospf_FW id 10 on
set routemap ospf_FW id 10 allow
set routemap ospf_FW id 10 match network 10.10.10.0/24 exact

set ospf instance default export-routemap ospf_FW preference 1 on

#### tried with match for the interface but with no success#####################
set routemap ospf_FW id 10 match interface bond3.1000

I'm sure something simple missed but at the moment I can't find the cause why my route is not send out via OSPF.

Re: OSPF propagate local subnets

Bob_Zimmerman — Tue, 27 Feb 2024 15:40:34 GMT

If it's just an interface the firewall owns which is full of endpoints, it's generally easier to add the interface to the OSPF instance and make it passive.

set ospf instance default interface bond3.1000 area 10.10.10.10 on set ospf instance default interface bond3.1000 passive on

I would only bother with route maps if you need to redistribute a bunch of static routes pointing out some transit interface.

Re: OSPF propagate local subnets

Wolfgang — Tue, 27 Feb 2024 16:57:52 GMT

Thanks @Bob_Zimmerman , that‘s what we did in the past. But with R81.20 we can‘t add more then 127 interfaces this way. See my post more then 127 OSPF interface routes

Suggestion was to use routemaps. We had a lot of micro DMZs configured on this gateway and need a way to achieve the same like before with R80.30.

Re: OSPF propagate local subnets

Bob_Zimmerman — Tue, 27 Feb 2024 17:55:26 GMT

I've redistributed a lot of static routes with a route map like this (one entry per exact route I want to redistribute):

set routemap toPartner id 10 on set routemap toPartner id 10 allow set routemap toPartner id 10 match network 10.16.32.0/22 exact set routemap toPartner id 10 match protocol static set routemap toPartner id 10 action metric value 20 set routemap toPartner id 10 action route-type type-2

Looks like you would need to use the protocol 'direct' (or maybe 'kernel') instead of static.

Re: OSPF propagate local subnets

the_rock — Tue, 27 Feb 2024 18:42:21 GMT

That looks right to me...TAC also gave us something similar last year. I thought there was an sk for it, but maybe not yet.

Best,

Andy

Re: OSPF propagate local subnets

the_rock — Tue, 27 Feb 2024 18:44:23 GMT

This sk might be relevant...

https://support.checkpoint.com/results/sk/sk102662

Re: OSPF propagate local subnets

Wolfgang — Wed, 28 Feb 2024 09:22:32 GMT

Tried to redistribute a static-route with success but for an existing interface still no success.

set routemap ospf_FW id 10 on
set routemap ospf_FW id 10 allow
set routemap ospf_FW id 10 match protocol direct
set routemap ospf_FW id 10 match interface bond3.1000
set routemap ospf_FW id 10 match network 10.10.10.0/24 exact

Tried with "protocol direct" and "protocol kernel", same problem.

Re: OSPF propagate local subnets

D_W — Wed, 28 Feb 2024 11:35:51 GMT

Have you tried route-redistribution?

set route-redistribution to ospf2 instance default from interface bond3.1000 on

Re: OSPF propagate local subnets

Wolfgang — Wed, 28 Feb 2024 13:09:46 GMT

@D_W we want to use routemaps, because we are more flexible with restrictions.

----edited-----But yes, we tried the route-redistribution with the same bad result.----edited-----

"route-redistribution" from interface to ospf does work. I set the wrong instance at first try.

Re: OSPF propagate local subnets

CheckPointerXL — Wed, 06 Mar 2024 19:53:50 GMT

i think mixing interface and subnet in match protocol direct statement is not correct

did you try this?

set routemap ospf_FW id 10 on
set routemap ospf_FW id 10 allow
set routemap ospf_FW id 10 match protocol direct
set routemap ospf_FW id 10 match interface bond3.1000