This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
MVP Gold
MVP Gold
‎2024-02-27 07:00 AM

OSPF propagate local subnets

I need some advice for the configuration to an export routemap with OSPF.
OSPF is configured and running fine, I receive all routes from external routers and we tested routemaps
for import filters with success. Only routes defined in routemaps are learned from external OSPF routers.

Now we want to propagate routes for local interfaces.
As an example, interface bond3.1000 has an IP in subnet 10.10.10.0/24 configured.
This network 10.10.10.0/24 should be propagate via OSPF on interface bond1.100

#########OSPF configuration##############
set ospf instance default graceful-restart-helper on
set ospf instance default spf-delay 2
set ospf instance default spf-holdtime 5
set ospf instance default default-ase-cost 1
set ospf instance default area backbone on
set ospf instance default area 10.10.0.0 on
set inbound-route-filter ospf2 instance default accept-all-ipv4

########OSPF interface configuration#########

set ospf instance default interface bond1.100 area 10.10.0.0 on
set ospf instance default interface bond1.100 hello-interval 10
set ospf instance default interface bond1.100 dead-interval 40
set ospf instance default interface bond1.100 cost 1
set ospf instance default interface bond1.100 priority 1
set ospf instance default interface bond1.100 retransmit-interval 5

#######routemap configuration##############

set routemap ospf_FW id 10 on
set routemap ospf_FW id 10 allow
set routemap ospf_FW id 10 match network 10.10.10.0/24 exact

set ospf instance default export-routemap ospf_FW preference 1 on

#### tried with match for the interface but with no success#####################
set routemap ospf_FW id 10 match interface bond3.1000

 

I'm sure something simple missed but at the moment I can't find the cause why my route is not send out via OSPF.

0 Kudos
9 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-02-27 07:40 AM

If it's just an interface the firewall owns which is full of endpoints, it's generally easier to add the interface to the OSPF instance and make it passive.

set ospf instance default interface bond3.1000 area 10.10.10.10 on
set ospf instance default interface bond3.1000 passive on

I would only bother with route maps if you need to redistribute a bunch of static routes pointing out some transit interface. 

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2024-02-27 08:57 AM
In response to Bob_Zimmerman

Thanks @Bob_Zimmerman , that‘s what we did in the past. But with R81.20 we can‘t add more then 127 interfaces this way. See my post  more then 127 OSPF interface routes 

Suggestion was to use routemaps. We had a lot of micro DMZs configured on this gateway and need a way to achieve the same like before with R80.30. 

 

Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-02-27 09:55 AM
In response to Wolfgang

I've redistributed a lot of static routes with a route map like this (one entry per exact route I want to redistribute):

set routemap toPartner id 10 on
set routemap toPartner id 10 allow
set routemap toPartner id 10 match network 10.16.32.0/22 exact
set routemap toPartner id 10 match protocol static
set routemap toPartner id 10 action metric value 20
set routemap toPartner id 10 action route-type type-2

Looks like you would need to use the protocol 'direct' (or maybe 'kernel') instead of static.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-27 10:42 AM
In response to Bob_Zimmerman

That looks right to me...TAC also gave us something similar last year. I thought there was an sk for it, but maybe not yet.

Best,

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-27 10:44 AM
In response to Bob_Zimmerman

This sk might be relevant...

https://support.checkpoint.com/results/sk/sk102662

Best,
Andy
Wolfgang
MVP Gold
MVP Gold
‎2024-02-28 01:13 AM
In response to the_rock

Tried to redistribute a static-route with success but for an existing interface still no success.

set routemap ospf_FW id 10 on
set routemap ospf_FW id 10 allow
set routemap ospf_FW id 10 match protocol direct
set routemap ospf_FW id 10 match interface bond3.1000
set routemap ospf_FW id 10 match network 10.10.10.0/24 exact

Tried with "protocol direct" and "protocol kernel", same problem.

0 Kudos
D_W
Advisor
‎2024-02-28 03:35 AM
In response to Wolfgang

Have you tried route-redistribution?

set route-redistribution to ospf2 instance default from interface bond3.1000 on



0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2024-02-28 04:09 AM
In response to D_W

@D_W we want to use routemaps, because we are more flexible with restrictions.

----edited-----But yes, we tried the route-redistribution with the same bad result.----edited-----

"route-redistribution" from interface to ospf does work. I set the wrong instance at first try.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-03-06 11:53 AM
In response to Wolfgang

i think mixing interface and subnet in match protocol direct statement is not correct

did you try this?

 

set routemap ospf_FW id 10 on
set routemap ospf_FW id 10 allow
set routemap ospf_FW id 10 match protocol direct
set routemap ospf_FW id 10 match interface bond3.1000



0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events