>
    Configure OSPF
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. OSPF
    4. Configure OSPF
    Download PDF
    Next-Generation Firewall

    Configure OSPF

    Table of Contents

    Configure OSPF

    Configure OSPF for an IPv4 network.
    Where Can I Use This?What Do I Need?
    • NGFW
    For Strata Cloud Manager managed NGFWs:
    • Strata Cloud Manager Pro
    This protocol organizes networks into areas to reduce routing overhead and improve scalability, with Area 0 serving as the backbone area that connects all other areas. OSPF automatically adapts to network changes by detecting link failures and topology modifications, rapidly converging on new optimal paths to maintain efficient packet forwarding. The protocol supports features such as authentication for secure neighbor relationships, load balancing across equal-cost paths, and route summarization to minimize routing table size. Configuring OSPF on your firewall enables it to participate in dynamic routing with other OSPF-enabled devices, automatically learning and advertising routes while reducing the administrative overhead of maintaining static routes in complex network environments.
    After you understand OSPF concepts, perform the following procedure to configure OSPF.

    Configure OSPF (PAN-OS)

    Configure OSPF in PAN-OS and Panorama.
    1. Configure general virtual router settings.
    2. Enable OSPF.
      1. Select the OSPF tab.
      2. Select Enable to enable the OSPF protocol.
      3. Enter the Router ID.
      4. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended, default setting.
        Clear Reject Default Route if you want to permit redistribution of default routes through OSPF.
    3. Configure Areas - Type for the OSPF protocol.
      1. On the Areas tab, Add an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
      2. On the Type tab, select one of the following from the area Type list:
        • Normal—There are no restrictions; the area can carry all types of routes.
        • Stub—There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
          • Accept Summary—Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
          • Advertise Default Route—Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
        • NSSA (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If you select NSSA, select Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
          • Type—Select either Ext 1 or Ext 2 route type to advertise the default LSA.
          • Ext RangesAdd ranges of external routes that you want to Advertise or for which you want to Suppress advertising.
      3. Click OK.
    4. Configure Areas - Range for the OSPF protocol
      1. On the Range tab, Add aggregate LSA destination addresses in the area into subnets.
      2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
    5. Configure Areas - Interfaces for the OSPF protocol
      1. On the Interface tab, Add the following information for each interface to be included in the area:
        • Interface—Select an interface.
        • Enable—Selecting this option causes the OSPF interface settings to take effect.
        • Passive—Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
        • Link type—Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually and Add the neighbor IP addresses for all neighbors that are reachable through this interface.
        • Metric—Enter an OSPF metric for this interface (range is 0-65,535; default is 10).
        • Priority—Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
        • Auth Profile—Select a previously-defined authentication profile.
        • Timing—Modify the timing settings if desired (not recommended). For details on these settings, refer to the online help.
      2. Click OK.
    6. Configure Areas - Virtual Links.
      1. On the Virtual Link tab, Add the following information for each virtual link to be included in the backbone area:
        • Name—Enter a name for the virtual link.
        • Enable—Select to enable the virtual link.
        • Neighbor ID—Enter the router ID of the router (neighbor) on the other side of the virtual link.
        • Transit Area—Enter the area ID of the transit area that physically contains the virtual link.
        • Timing—It is recommended that you keep the default timing settings.
        • Auth Profile—Select a previously-defined authentication profile.
      2. Click OK to save virtual links.
      3. Click OK to save area.
    7. (Optional) Configure Auth Profiles.
      By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.
      Simple Password OSPF authentication
      1. Select the Auth Profiles tab and Add a name for the authentication profile to authenticate OSPF messages.
      2. Select Simple Password as the Password Type.
      3. Enter a simple password and then confirm.
      MD5 OSPF authentication
      1. Select the Auth Profiles tab and Add a name for the authentication profile to authenticate OSPF messages.
      2. Select MD5 as the Password Type and Add one or more password entries, including:
        • Key-ID (range is 0-255)
        • Key
        • Select the Preferred option to specify that the key be used to authenticate outgoing messages.
      3. Click OK.
    8. Configure Advanced OSPF options.
      1. On the Advanced tab, select RFC 1583 Compatibility to ensure compatibility with RFC 1583.
      2. Specify a value for the SPF Calculation Delay (sec) timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.
      3. Specify a value for the LSA Interval (sec) timer, which is the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
      4. Click OK.
    9. Commit your changes.

    Configure OSPF (SCM)

    Configure OSPF in PAN-OS and Panorama.
    Configure Open Shortest Path First (OSPF) for enable your logical router to determine the most cost efficient links to a traffic destination. OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSA). The router keeps information about the links between it and the destination to make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest cost, when summed over all the encountered outbound interfaces and the interface receiving the LSA.
    1. Log in to Strata Cloud Manager.
    2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsRoutingLogical RoutersConfigurationNGFW and Prisma AccessDevice SettingsRoutingRouters and select the Configuration Scope where you want to configure OSPF for a logical router.
      You can select a folder or firewall from your Folders or select Snippets to configure OSPF for a logical router in a snippet.
      The number of logical routers supported varies based on the firewall model. If you create multiple logical routers for a folder or snippet, verify that the firewalls associated with the folder or snippet support the number of logical routers you configure.
    3. Configure a Logical Router.
    4. Edit the OSPF settings.
    5. Enable OSPF.
    6. Enter the Router ID.
    7. Select a predefined BFD Profile.
      Bidirectional Forwarding Detection (BFD) profiles allow you to apply BFD settings to a static route or routing protocol. Default is None (Disable BFD).
    8. Add OSPF Areas enter an Area ID in x.x.x.x format to identify that each neighbor must accept to be part of the same area.
      OSPF operates within a single autonomous system (AS). Networks within this single AS can be divided into a number of areas. By default Area zero (0) is created and can function alone or act as the OSPF backbone for larger number areas. Each OSPF area is named using a 32-bit identifier that in most cases is written in the same dotted-decimal notation as an IP4 address. For example, Area 0 is written as 0.0.0.0.
      Save your configured OSPF Areas.
    9. Configure OSPF Area Type.
      1. Select the Authentication profile used to authenticate OSPF messages.
        Create New to create a new authentication profile.
      2. For Inherit, select the BFD profile the OSPF Area.
        • Normal—In a normal OSPF area there are no restrictions; the area can carry all types of routes.
        • Stub—There’s no outlet from the area. To reach a destination outside of the area, it’s necessary to go through the border, which connects to other areas. If you select this option, configure the following:
          • No Summary—If enabled, the OSPF area behaves as a Totally Stubby Area (TSA) and the Area Border Router (ABR) doesn’t propagate summary link stats advertisements (LSA).
        • NSSA (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If you select this option, configure the following:
          • No Summary—If enabled, the OSPF area behaves as a Totally Stubby Area (TSA) and the Area Border Router (ABR) doesn’t propagate summary link stats advertisements (LSA).
          • Default Information Originate
          • Address Range for Summary External RoutesAdd ranges of external routes that you want to Advertise or for which you want to suppress advertising (disable Advertise).
    10. Configure the OSPF Area Range.
      1. Add aggregate LSA destination addresses in the area into subnets.
      2. Advertise or suppress (disable Advertise) advertising LSAs that match the subnet.
    11. Configure the OSPF Area Interface.
      1. Select an Interface.
      2. Enable to allow the OSPF interface settings to take effect.
      3. Enable MTU Ignore to ignore maximum transmission unit (MTU) mismatches when trying to establish an adjacency.
      4. Enable Passive if you don’t want the OSPF interface to send or receive OSPF packets. Although OSPF packets aren’t sent or received if you choose this option, the interface is included in the LSA database.
      5. Enter the OSPF Priority for the interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR).
        Range is 0-255; default is 1. If zero is configured, the router isn’t selected as a DR or BDR.
      6. Select the same Authentication Profile you selected in the previous step.
      7. Select the BFD Profile.
      8. Enter the Cost.
      9. Select the Inherit.
      10. Save.
    12. Save the OSPF configuration.
    13. Save the logical router configuration.
    14. Push Config to push your configuration changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.