Configure OSPFv3
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 11.1 & Later
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
Cloud Management and AIOps for NGFW
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure OSPFv3
OSPF supports both IPv4 and IPv6. You must
use OSPFv3 if you
are using IPv6.
- Configure general virtual router settings.
- Configure general OSPFv3 configuration settings.
- Select the OSPFv3 tab.
- Select Enable to enable the OSPF protocol.
- Enter the Router ID.
- Select Reject Default Route if you do not want to learn any default routes through OSPFv3 This is the recommended default setting.Clear Reject Default Route if you want to permit redistribution of default routes through OSPFv3.
- Configure Auth Profile for the OSPFv3 protocol.While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPSec to secure communications between neighbors.When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (recommended) or IPv6 Authentication Header (AH).ESP OSPFv3 authentication
- On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPFv3 messages.
- Specify a Security Policy Index (SPI) (hexadecimal value in the range from 00000000 to FFFFFFFF). The two ends of the OSPFv3 adjacency must have matching SPI values.
- Select ESP for Protocol.
- Select a Crypto Algorithm.You can select None or one of the following algorithms: SHA1, SHA256, SHA384, SHA512, or MD5.
- If a Crypto Algorithm other than None was selected, enter a value for Key and then confirm.
AH OSPFv3 authentication- On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPFv3 messages.
- Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
- Select AH for Protocol.
- Select a Crypto Algorithm.You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512, or MD5.
- Enter a value for Key and then confirm.
- Click OK.
- Click OK again in the Virtual Router - OSPF Auth Profile dialog.
- Configure Areas - Type for the OSPFv3 protocol.
- On the Areas tab, Add an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
- On the General tab, select one of the following from the area Type list:
- Normal—There are no restrictions; the area can carry all types of routes.
- Stub—There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
- Accept Summary—Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
- Advertise Default Route—Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
- NSSA (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
- Type—Select either Ext 1 or Ext 2 route type to advertise the default LSA.
- Ext Ranges—Add ranges of external routes that you want to enable or suppress advertising for.
- Associate an OSPFv3 authentication profile to an area or an interface.To an Area
- On the Areas tab, select an existing area from the table.
- On the General tab, select a previously defined Authentication Profile from the Authentication list.
- Click OK.
To an Interface- On the Areas tab, select an existing area from the table.
- Select the Interface tab and Add the authentication profile you want to associate with the OSPF interface from the Auth Profile list.
- Click OK.
- Click OK again to save the area settings.
- (Optional) Configure Export Rules.
- On the Export Rules tab, select Allow Redistribute Default Route to permit redistribution of default routes through OSPFv3.
- Click Add.
- Enter the Name; the value must be a valid IPv6 subnet or valid redistribution profile name.
- Select New Path Type, Ext 1 or Ext 2.
- Specify a New Tag for the matched route, using has a 32-bit value in dotted-decimal notation.
- Assign a Metric to the new rule (range is 1-16,777,215).
- Click OK.
- Configure Advanced OSPFv3 options.
- On the Advanced tab, select Disable Transit Routing for SPF Calculation if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
- Specify a value for the SPF Calculation Delay (sec) timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.
- Specify a value for the LSA Interval (sec) timer, which is the minimum time (in seconds) between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
- (Optional) Configure OSPF Graceful Restart.
- Click OK.
- Commit your changes.