The firewall requires a virtual router to obtain routes to other subnets either using static routes that you manually define, or through participation in Layer 3 routing protocols (dynamic routes). Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. Each interface can belong to only one virtual router.
Defining a virtual router requires general settings and any combination of static routes or dynamic routing protocols, as required by your network. You can also configure other features such as route redistribution and ECMP.
What do you want to know? See:
What are the required elements of a virtual router? General Settings of a Virtual Router
Configure: Static Routes, Route Redistribution, RIP, OSPF, OSPFv3, BGP, IP Multicast, ECMP
View information about a virtual router: More Runtime Stats for a Virtual Router
Looking for more? Networking
General Settings of a Virtual Router
All virtual routers require that you assign Layer 3 interfaces and administrative distance metrics as described in the following table.
Virtual Router General Settings Description
Name Specify a name to describe the virtual router (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Interfaces Select the interfaces that you want to include in the virtual router so that they can be used as outgoing interfaces in the virtual router’s routing table. To specify the interface type, refer to Network > Interfaces. When you add an interface, its connected routes are added automatically.
Administrative Distances Specify the following administrative distances:
Static routes —Range is 10-240; default is 10.
OSPF Int —Range is 10-240; default is 30.
OSPF Ext —Range is 10-240; default is 110.
IBGP —Range is 10-240; default is 200.
EBGP —Range is 10-240; default is 20.
RIP —Range is 10-240; default is 120.
Static Routes
Optionally add one or more static routes. Click the IP or IPv6 tab to specify the route using an IPv4 or IPv6 address. It is usually necessary to configure default routes (0.0.0.0/0) here. Default routes are applied for destinations that are otherwise not found in the virtual router’s routing table.
Static Route Setting Description
Name Enter a name to identify the static route (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Destination Enter an IP address and network mask in Classless Inter-Domain Routing (CIDR) notation using the format ip_address/mask.
IPv4 example: 192.168.2.0/24
IPv6 example: 2001:db8::/32
Interface Select the interface to forward packets to the destination, or configure the next hop settings, or both.
Next Hop Select one of the following:
IP Address —Enter the IP address of the next hop router.
Next VR —Select a virtual router in the firewall as the next hop. This option allows you to route internally between virtual routers within a single firewall.
Discard —Drop traffic that is addressed to this destination.
None —Select if there is no next hop for the route.
Admin Distance Specify the administrative distance for the static route (10-240; default is 10).
Metric Specify a valid metric for the static route (1 - 65,535).
No Install Select if you do not want to install the route in the route table (RIB). The route is retained in the configuration for future reference.
BFD Profile To enable Bidirectional Forwarding Detection (BFD) for a static route on a PA-3000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
default (default BFD settings)
a BFD profile that you have created on the firewall
New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the static route.
To use BFD on a static route:
Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
The static route Next Hop type must be IP Address and you must enter a valid IP address.
The Interface setting cannot be None; you must select an interface (even if you are using a DHCP address).
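As an added illustration (not PAN-OS code) of how the administrative distances in the General Settings table and the static route options above (Next Hop Discard, No Install, a per-route Admin Distance) decide what is installed in the RIB and how a destination is resolved, here is a small Python model with constructed routes; the interface names and prefixes are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default administrative distances from the virtual router General Settings table.
ADMIN_DISTANCE = {
    "static": 10, "ospf-int": 30, "ospf-ext": 110,
    "ibgp": 200, "ebgp": 20, "rip": 120,
}


@dataclass
class Route:
    destination: str                      # CIDR prefix, e.g. "10.1.0.0/16"
    protocol: str                         # key into ADMIN_DISTANCE
    metric: int = 1                       # static route Metric (1-65,535)
    next_hop: Optional[str] = None        # next hop IP, "discard", or None
    interface: Optional[str] = None       # outgoing interface, or None
    admin_distance: Optional[int] = None  # per-route Admin Distance override
    no_install: bool = False              # static route "No Install" option

    @property
    def distance(self) -> int:
        if self.admin_distance is not None:
            return self.admin_distance
        return ADMIN_DISTANCE[self.protocol]


def build_rib(candidates):
    """Install candidates into a RIB keyed by prefix. A No Install route is
    skipped; for the same prefix the lowest administrative distance wins,
    and ties are broken by the lowest metric."""
    rib = {}
    for r in candidates:
        if r.no_install:
            continue
        net = ip_network(r.destination)
        best = rib.get(net)
        if best is None or (r.distance, r.metric) < (best.distance, best.metric):
            rib[net] = r
    return rib


def installed(rib, prefix):
    """Protocol that won the RIB entry for prefix, or None if not installed."""
    r = rib.get(ip_network(prefix))
    return r.protocol if r else None


def lookup(rib, dst):
    """Longest-prefix match; 0.0.0.0/0 (the default route) catches the rest."""
    addr = ip_address(dst)
    matches = [n for n in rib if n.version == addr.version and addr in n]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)]


def forward(rib, dst):
    """Decision for a packet to dst: ('forward', next_hop, interface),
    ('discard', None, None) for a Discard route, or ('unreachable', None, None)."""
    r = lookup(rib, dst)
    if r is None:
        return ("unreachable", None, None)
    if r.next_hop == "discard":
        return ("discard", None, None)
    return ("forward", r.next_hop, r.interface)


# Constructed sample: one /16 learned by three protocols, a static blackhole
# for the 10/8 aggregate, a default route, a backup static route whose Admin
# Distance was raised above OSPF Ext, and one route marked No Install.
CANDIDATES = [
    Route("0.0.0.0/0", "static", next_hop="203.0.113.1", interface="ethernet1/1"),
    Route("10.0.0.0/8", "static", next_hop="discard"),
    Route("10.1.0.0/16", "ospf-int", metric=20, next_hop="10.1.255.1", interface="ethernet1/2"),
    Route("10.1.0.0/16", "rip", metric=2, next_hop="10.1.255.2", interface="ethernet1/3"),
    Route("10.1.0.0/16", "ebgp", metric=1, next_hop="10.1.255.3", interface="ethernet1/4"),
    Route("10.2.0.0/16", "static", next_hop="10.2.255.1", interface="ethernet1/5", no_install=True),
    Route("10.3.0.0/16", "static", next_hop="10.3.255.9", interface="ethernet1/6", admin_distance=150),
    Route("10.3.0.0/16", "ospf-ext", metric=100, next_hop="10.3.255.1", interface="ethernet1/2"),
]

if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for dst in ("10.1.5.5", "10.2.1.1", "10.3.7.7", "192.0.2.1"):
        print(dst, "->", forward(rib, dst))
```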
Route Redistribution
Redistribution profiles direct the firewall to filter, set priority, and perform actions based on desired network behavior. Route redistribution allows static routes and routes that are acquired by other protocols to be advertised through specified routing protocols.
Redistribution profiles must be applied to routing protocols in order to take effect. Without redistribution rules, each protocol runs separately and does not communicate outside its purview. Redistribution profiles can be added or modified after all routing protocols are configured and the resulting network topology is established.
Apply redistribution profiles to the RIP and OSPF protocols by defining export rules. Apply redistribution profiles to BGP in the Redistribution Rules tab. Refer to the following table.
Redistribution Profile Setting Description
Name Click Add to display the Redistribution Profile page, and enter the profile name.
Priority Enter a priority (range is 1-255) for this profile. Profiles are matched in order (lowest number first).
Redistribute Choose whether to perform route redistribution based on the settings in this window.
Redist —Select to redistribute matching candidate routes. If you select this option, enter a new metric value. A lower metric value means a more preferred route.
No Redist —Select to not redistribute matching candidate routes.
General Filter Tab
Type Select the route types of the candidate route.
Interface Select the interfaces to specify the forwarding interfaces of the candidate route.
Destination To specify the destination of the candidate route, enter the destination IP address or subnet (format x.x.x.x or x.x.x.x/n) and click Add. To remove an entry, select it and click the remove icon.
Next Hop To specify the gateway of the candidate route, enter the IP address or subnet (format x.x.x.x or x.x.x.x/n) that represents the next hop and click Add. To remove an entry, select it and click the remove icon.
OSPF Filter Tab
Path Type Select the route types of the candidate OSPF route.
Area Specify the area identifier for the candidate OSPF route. Enter the OSPF area ID (format x.x.x.x), and click Add. To remove an entry, select it and click the remove icon.
Tag Specify OSPF tag values. Enter a numeric tag value (1-255), and click Add. To remove an entry, select it and click the remove icon.
BGP Filter Tab
Community Specify a community for BGP routing policy.
Extended Community Specify an extended community for BGP routing policy.
RIP
Configuring the Routing Information Protocol (RIP) includes the following general settings.
RIP Setting Description
Enable Select this option to enable RIP.
Reject Default Route (Recommended) Select this option if you do not want to learn any default routes through RIP.
BFD To enable Bidirectional Forwarding Detection (BFD) for RIP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
default (profile with the default BFD settings)
a BFD profile that you have created on the firewall
New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
In addition, RIP settings on the following tabs must be configured:
Interfaces —See RIP Interfaces Tab.
Timers —See RIP Timers Tab.
Auth Profiles —See RIP Auth Profiles Tab.
Export Rules —See RIP Export Rules Tab.
RIP Interfaces Tab
The following table describes RIP interface settings.
RIP – Interface Setting Description
Interface Select the interface that runs the RIP protocol.
Enable Select to enable these settings.
Advertise Select to enable advertisement of a default route to RIP peers with the specified metric value.
Metric Specify a metric value for the router advertisement. This field is visible only if you enable Advertise.
Auth Profile Select the profile.
Mode Select normal, passive, or send-only.
BFD To enable BFD for a RIP interface (and thereby override the BFD setting for RIP, as long as BFD is not disabled for RIP at the virtual router level), select one of the following:
default (profile with the default BFD settings)
a BFD profile that you created on the firewall
New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the RIP interface.
RIP Timers Tab
The following table describes the timers that control RIP route updates and expirations.
RIP – Timer Setting Description
RIP Timing
Interval Seconds (sec) Define the length of the timer interval in seconds. This duration is used for the remaining RIP timing fields (range is 1-60).
Update Intervals Enter the number of intervals between route update announcements (range is 1-3,600).
Expire Intervals Enter the number of intervals between the time that the route was last updated to its expiration (range is 1-3,600).
Delete Intervals Enter the number of intervals between the time that the route expires to its deletion (range is 1-3,600).
RIP Auth Profiles Tab
By default, the firewall does not authenticate RIP messages between neighbors. To authenticate RIP messages between neighbors, create an authentication profile and apply it to an interface running RIP on a virtual router. The following table describes the settings for the Auth Profiles tab.
RIP – Auth Profile Setting Description
Profile Name Enter a name for the authentication profile to authenticate RIP messages.
Password Type Select the type of password (simple or MD5). If you select Simple, enter the simple password and then confirm. If you select MD5, enter one or more password entries including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.
RIP Export Rules Tab
RIP export rules allow you to control which routes the virtual router sends to peers.
RIP – Export Rules Setting Description
Allow Redistribute Default Route Select this option to permit the firewall to redistribute its default route to peers.
Redistribution Profile Click Add and select or create a redistribution profile that allows you to modify route redistribution, filter, priority, and action based on the desired network behavior. Refer to Route Redistribution.
OSPF
Configuring the Open Shortest Path First (OSPF) protocol requires configuring the following general settings.
OSPF Setting Description
Enable Select this option to enable the OSPF protocol.
Reject Default Route (Recommended) Select this option if you do not want to learn any default routes through OSPF.
Router ID Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF instance.
BFD To enable Bidirectional Forwarding Detection (BFD) for OSPF globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
default (default BFD settings)
a BFD profile that you have created on the firewall
New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
In addition, OSPF settings on the following tabs must be configured:
Areas —See OSPF Areas Tab.
Auth Profiles —See OSPF Auth Profiles Tab.
Export Rules —See OSPF Export Rules Tab.
Advanced —See OSPF Advanced Tab.
OSPF Areas Tab
The following table describes OSPF area settings.
OSPF – Areas Setting Description
Areas
Area ID Configure the area over which the OSPF parameters can be applied. Enter an identifier for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
Type Select one of the following options.
Normal —There are no restrictions; the area can carry all types of routes.
Stub —There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
NSSA (Not-So-Stubby Area) —It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Select Advertise Default Route to specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.
Range Click Add to aggregate LSA destination addresses in the area into subnets. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
Interface Click Add and enter the following information for each interface to be included in the area, and click OK.
Interface —Choose the interface.
Enable —Cause the OSPF interface settings to take effect.
Passive —Select this option if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
Link type —Choose Broadcast if you want all neighbors that are accessible through the interface (such as an Ethernet interface) to be discovered automatically by multicasting OSPF hello messages. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
Metric —Enter the OSPF metric for this interface (0-65,535).
Priority —Enter the OSPF priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
Auth Profile —Select a previously-defined authentication profile.
BFD —To enable Bidirectional Forwarding Detection (BFD) for an OSPF peer interface (and thereby override the BFD setting for OSPF, as long as BFD is not disabled for OSPF at the virtual router level), select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPF peer interface.
Hello Interval (sec) —Interval, in seconds, at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3,600; default is 10).
Dead Counts —Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
Retransmit Interval (sec) —Length of time, in seconds, that OSPF waits to receive a link-state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3,600; default is 10).
Transit Delay (sec) —Length of time, in seconds, that an LSA is delayed before it is sent out of an interface (range is 0-3,600; default is 1).
Graceful Restart Hello Delay (sec) —Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time during which the firewall sends Grace LSA packets at 1-second intervals. During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart (range is 1-10; default is 10).
Virtual Link Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
Name —Enter a name for the virtual link.
Neighbor ID —Enter the router ID of the router (neighbor) on the other side of the virtual link.
Transit Area —Enter the area ID of the transit area that physically contains the virtual link.
Enable —Select to enable the virtual link.
Timing —It is recommended that you keep the default timing settings.
Auth Profile —Select a previously-defined authentication profile.
OSPF Auth Profiles Tab
The following table describes the OSPF Auth Profile settings.
OSPF – Auth Profile Setting Description
Profile Name Enter a name for the authentication profile. To authenticate the OSPF messages, first define the authentication profiles and then apply them to interfaces on the OSPF tab.
Password Type Select the type of password (simple or MD5). If you select Simple, enter the password. If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.
OSPF Export Rules Tab
The following table describes the OSPF export rule settings.
OSPF – Export Rules Setting Description
Allow Redistribute Default Route Select this option to permit redistribution of default routes through OSPF.
Name Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
New Path Type Choose the metric type to apply.
New Tag Specify a tag for the matched route that has a 32-bit value.
Metric (Optional) Specify the route metric to be associated with the exported route and used for path selection (range is 1-65535).
OSPF Advanced Tab
The following table describes the advanced settings for OSPF.
OSPF – Advanced Setting Description
RFC 1583 Compatibility Select this option to ensure compatibility with RFC 1583.
Timers
SPF Calculation Delay (sec) —Allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
LSA Interval (sec) —Specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
Graceful Restart
Enable Graceful Restart —Enabled by default. A firewall enabled for this feature instructs neighboring routers to continue using a route through the firewall while a transition takes place that renders the firewall temporarily down.
Enable Helper Mode —Enabled by default. A firewall enabled for this mode continues to forward to an adjacent device when that device is restarting.
Enable Strict LSA Checking —Enabled by default. This feature causes a firewall with OSPF helper mode enabled to exit helper mode if a topology change occurs.
Grace Period (sec) —The period of time, in seconds, that peer devices should continue to forward to this firewall while adjacencies are being re-established or the router is being restarted (range is 5-1,800; default is 120).
Max Neighbor Restart Time —The maximum grace period, in seconds, that the firewall accepts as a helper-mode router. If the peer device offers a longer grace period in its grace LSA, the firewall will not enter helper mode (range is 5-1,800; default is 140).
OSPFv3
Configuring the Open Shortest Path First v3 (OSPFv3) protocol requires configuring the first three general settings (BFD is optional).
OSPFv3 Setting Description
Enable Select this option to enable the OSPF protocol.
Reject Default Route Select this option if you do not want to learn any default routes through OSPF.
Router ID Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF instance.
BFD To enable Bidirectional Forwarding Detection (BFD) for OSPFv3 globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
default (default BFD settings)
a BFD profile that you have created on the firewall
New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all OSPFv3 interfaces on the virtual router; you cannot enable BFD for a single OSPFv3 interface.
In addition, OSPFv3 settings on the following tabs must be configured:
Areas —See OSPFv3 Areas Tab.
Auth Profiles —See OSPFv3 Auth Profiles Tab.
Export Rules —See OSPFv3 Export Rules Tab.
Advanced —See OSPFv3 Advanced Tab.
OSPFv3 Areas Tab
The following table describes the OSPFv3 area settings.
OSPFv3 – Areas Setting Description
Authentication Select the name of the Authentication profile that you want to specify for this OSPF area.
Type Select one of the following:
Normal —There are no restrictions; the area can carry all types of routes.
Stub —There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
NSSA (Not-So-Stubby Area) —It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.
Range Click Add to aggregate LSA destination IPv6 addresses in the area by subnet. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
Interface Click Add and enter the following information for each interface to be included in the area, and click OK.
Interface —Choose the interface.
Enable —Cause the OSPF interface settings to take effect.
Instance ID —Enter an OSPFv3 instance ID number.
Passive —Select this option if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
Link type —Choose Broadcast if you want all neighbors that are accessible through the interface (such as an Ethernet interface) to be discovered automatically by multicasting OSPF hello messages. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
Metric —Enter the OSPF metric for this interface (0-65,535).
Priority —Enter the OSPF priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
Auth Profile —Select a previously-defined authentication profile.
BFD —To enable Bidirectional Forwarding Detection (BFD) for an OSPFv3 peer interface (and thereby override the BFD setting for OSPFv3, as long as BFD is not disabled for OSPFv3 at the virtual router level), select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPFv3 peer interface.
Hello Interval (sec) —Interval, in seconds, at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3,600; default is 10).
Dead Counts —Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
Retransmit Interval (sec) —Length of time, in seconds, that OSPF waits to receive a link-state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3,600; default is 10).
Transit Delay (sec) —Length of time, in seconds, that an LSA is delayed before it is sent out of an interface (range is 0-3,600; default is 1).
Graceful Restart Hello Delay (sec) —Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time during which the firewall sends Grace LSA packets at 1-second intervals. During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart (range is 1-10; default is 10).
Neighbors —For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.
Virtual Links Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
Name —Enter a name for the virtual link.
Instance ID —Enter an OSPFv3 instance ID number.
Neighbor ID —Enter the router ID of the router (neighbor) on the other side of the virtual link.
Transit Area —Enter the area ID of the transit area that physically contains the virtual link.
Enable —Select to enable the virtual link.
Timing —It is recommended that you keep the default timing settings.
Auth Profile —Select a previously-defined authentication profile.
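An added Python checker (not PAN-OS code) for the interface timers described in both the OSPF Areas Tab and the OSPFv3 Areas Tab: it validates each value against the documented range, derives the dead timer as Hello Interval multiplied by Dead Counts, and flags a dead timer shorter than four times the Graceful Restart Hello Delay. The neighbor-agreement check is standard OSPF behaviour from RFC 2328 rather than something the tables state.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class OspfInterfaceTimers:
    hello_interval: int = 10       # sec; range 0-3,600
    dead_counts: int = 4           # range 3-20
    retransmit_interval: int = 10  # sec; range 0-3,600
    transit_delay: int = 1         # sec; range 0-3,600
    gr_hello_delay: int = 10       # Graceful Restart Hello Delay, sec; range 1-10


# Allowed ranges as given in the OSPF / OSPFv3 Areas tables.
RANGES = {
    "hello_interval": (0, 3600),
    "dead_counts": (3, 20),
    "retransmit_interval": (0, 3600),
    "transit_delay": (0, 3600),
    "gr_hello_delay": (1, 10),
}


def dead_timer(t: OspfInterfaceTimers) -> int:
    """Dead timer in seconds: Hello Interval multiplied by Dead Counts."""
    return t.hello_interval * t.dead_counts


def check_timers(t: OspfInterfaceTimers) -> List[str]:
    """Return the problems found; an empty list means every value is inside
    its documented range and the dead timer covers a graceful restart."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(t, name)
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside the range {lo}-{hi}")
    dt = dead_timer(t)
    needed = 4 * t.gr_hello_delay
    if dt < needed:
        problems.append(
            f"dead timer {dt}s is below 4 x Graceful Restart Hello Delay ({needed}s); "
            "the adjacency can time out during a graceful restart")
    return problems


def neighbors_agree(a: OspfInterfaceTimers, b: OspfInterfaceTimers) -> bool:
    """RFC 2328 rule (not stated in the tables above): two routers form an
    adjacency only if their hello intervals and dead timers match."""
    return a.hello_interval == b.hello_interval and dead_timer(a) == dead_timer(b)


if __name__ == "__main__":
    defaults = OspfInterfaceTimers()
    print("defaults: dead timer", dead_timer(defaults), "s;", check_timers(defaults) or "ok")
    fast = OspfInterfaceTimers(hello_interval=1, dead_counts=3)   # aggressive hellos
    for p in check_timers(fast):
        print("fast hellos:", p)
```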
OSPFv3 Auth Profiles Tab
The following table describes the OSPFv3 Auth Profile settings.
OSPFv3 – Auth Profile Setting Description
Profile Name Enter a name for the authentication profile. To authenticate the OSPF messages, first define the authentication profiles and then apply them to interfaces on the OSPF tab.
SPI Specify the security parameter index (SPI) for packet traversal from the remote firewall to the peer.
Protocol Specify either of the following protocols:
ESP —Encapsulating Security Payload protocol.
AH —Authentication Header protocol.
Crypto Algorithm Specify one of the following:
None —No crypto algorithm will be used.
SHA1 (default) —Secure Hash Algorithm 1.
SHA256 —Secure Hash Algorithm 2 (SHA-2) with a 256-bit digest.
SHA384 —Secure Hash Algorithm 2 (SHA-2) with a 384-bit digest.
SHA512 —Secure Hash Algorithm 2 (SHA-2) with a 512-bit digest.
MD5 —The MD5 message-digest algorithm.
Key/Confirm Key Enter and confirm an authentication key.
Encryption (ESP protocol only) Specify one of the following:
3des (default) —Applies the Triple Data Encryption Algorithm (3DES) using three cryptographic keys of 56 bits.
aes-128-cbc —Applies the Advanced Encryption Standard (AES) using cryptographic keys of 128 bits.
aes-192-cbc —Applies the Advanced Encryption Standard (AES) using cryptographic keys of 192 bits.
aes-256-cbc —Applies the Advanced Encryption Standard (AES) using cryptographic keys of 256 bits.
null —No encryption is used.
Key/Confirm Key Enter and confirm an encryption key.
OSPFv3 Export Rules Tab
The following table describes the OSPFv3 export rule settings.
OSPFv3 – Export Rules Setting Description
Allow Redistribute Default Route Select this option to permit redistribution of default routes through OSPF.
Name Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
New Path Type Choose the metric type to apply.
New Tag Specify a tag for the matched route that has a 32-bit value.
Metric (Optional) Specify the route metric to be associated with the exported route and used for path selection (range is 1-65,535).
OSPFv3 Advanced Tab
The following table describes the advanced settings for OSPFv3.
OSPFv3 – Advanced Setting Description
Disable Transit Routing for SPF Calculation Select this option if you want to set the R-bit in router LSAs sent from this firewall to indicate that the firewall is not active. When in this state, the firewall participates in OSPFv3 but other routers do not send transit traffic. In this state, local traffic will still be forwarded to the firewall. This is useful while performing maintenance with a dual-homed network because traffic can be re-routed around the firewall while it can still be reached.
Timers
SPF Calculation Delay (sec) —A delay timer that allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
LSA Interval (sec) —Specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
Graceful Restart
Enable Graceful Restart —Enabled by default. A firewall enabled for this feature instructs neighboring routers to continue using a route through the firewall while a transition takes place that renders the firewall temporarily down.
Enable Helper Mode —Enabled by default. A firewall enabled for this mode continues to forward to an adjacent device when that device is restarting.
Enable Strict LSA Checking —Enabled by default. This feature causes a firewall with OSPF helper mode enabled to exit helper mode if a topology change occurs.
Grace Period (sec) —The period of time, in seconds, that peer devices should continue to forward to this firewall while adjacencies are being re-established or the router is being restarted (range is 5-1,800; default is 120).
Max Neighbor Restart Time —The maximum grace period, in seconds, that the firewall accepts as a helper-mode router. If the peer device offers a longer grace period in its grace LSA, the firewall will not enter helper mode (range is 5-800; default is 140).
BGP
Configuring Border Gateway Protocol (BGP) requires configuring the first three settings (BFD is optional).
BGP Setting Description
Enable Select this option to enable BGP.
Router ID Enter the IP address to assign to the virtual router.
AS Number Enter the number of the AS to which the virtual router belongs, based on the router ID (range is 1-4,294,967,295).
BFD To enable Bidirectional Forwarding Detection (BFD) for BGP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall, select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; or New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface. If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
In addition, BGP settings on the following tabs must be configured:
General —See BGP General Tab. Advanced —See BGP Advanced Tab. Peer Group —See BGP Peer Group Tab. Import —See BGP Import and Export Tabs. Export —See BGP Import and Export Tabs. Conditional Adv —See BGP Conditional Adv Tab. Aggregate —See BGP Aggregate Tab. Redist Rules —See BGP Redist Rules Tab.
BGP General Tab
The following table describes the BGP general settings.
BGP – General Setting Description
Reject Default Route Select this option to ignore any default routes that are advertised by BGP peers.
Install Route Select this option to install BGP routes in the global routing table.
Aggregate MED Select to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.
Default Local Preference Specifies a value that can be used to determine preferences among different paths.
AS Format Select the 2-byte (default) or 4-byte format. This setting is configurable for interoperability purposes.
Always Compare MED Enable MED comparison for paths from neighbors in different autonomous systems.
Deterministic MED Comparison Enable MED comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).
Auth Profiles Click Add to include a new authentication profile and configure the following settings: Profile Name —Enter a name to identify the profile. Secret/Confirm Secret —Enter and confirm a passphrase for BGP peer communications. Click remove to delete a profile.
BGP Advanced Tab
The following table describes the advanced settings for BGP.
BGP – Advanced Setting Description
Graceful Restart Activate the graceful restart option. Stale Route Time —Specify the length of time, in seconds, that a route can stay in the stale state (range is 1-3,600; default is 120). Local Restart Time —Specify the length of time, in seconds, that the firewall takes to restart. This value is advertised to peers (range is 1-3,600; default is 120). Max Peer Restart Time —Specify the maximum length of time, in seconds, that the firewall accepts as a grace period restart time for peer devices (range is 1-3,600; default is 120).
Reflector Cluster ID Specify an IPv4 identifier to represent the reflector cluster.
Confederation Member AS Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers.
Dampening Profiles Settings include: Profile Name —Enter a name to identify the profile. Enable —Activate the profile. Cutoff —Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1,000.0; default is 1.25). Reuse —Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1,000.0; default is 5). Max. Hold Time —Specify the maximum length of time, in seconds, that a route can be suppressed, regardless of how unstable it has been (range is 0-3,600; default is 900). Decay Half Life Reachable —Specify the length of time, in seconds, after which a route’s stability metric is halved if the route is considered reachable (range is 0-3,600; default is 300). Decay Half Life Unreachable —Specify the length of time, in seconds, after which a route’s stability metric is halved if the route is considered unreachable (range is 0-3,600; default is 300). Click remove to delete a profile.
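The dampening fields above describe one mechanism: a penalty that grows with each withdrawal, decays exponentially with the configured half-life, suppresses the route while it is above Cutoff, and releases it once it falls below Reuse or Max. Hold Time expires. The following Python model is an added example, not PAN-OS code, of how those parameters interact. The penalty of 1.0 per withdrawal, and the profile values used in the demo (chosen so that Cutoff is above Reuse), are constructed assumptions; the firewall's own penalty units are not described on this page.

```python
"""Route-flap dampening model (added example; not PAN-OS code).

Assumptions, not taken from the page: each withdrawal adds a penalty of 1.0,
and the demo profile values are constructed so that Cutoff > Reuse.
"""
from dataclasses import dataclass


@dataclass
class DampeningProfile:
    cutoff: float                 # suppress when the penalty rises above this
    reuse: float                  # release when the penalty falls below this
    max_hold_time: int            # longest suppression, in seconds
    half_life_reachable: int      # decay half-life while the route is reachable
    half_life_unreachable: int    # decay half-life while the route is withdrawn


@dataclass
class RouteState:
    penalty: float = 0.0
    reachable: bool = True
    suppressed: bool = False
    suppressed_for: float = 0.0   # seconds spent in the current suppression


PENALTY_PER_WITHDRAWAL = 1.0      # constructed value, see module docstring


def withdraw(state: RouteState, profile: DampeningProfile) -> RouteState:
    """A withdrawal (flap) adds penalty; crossing Cutoff suppresses the route."""
    state.reachable = False
    state.penalty += PENALTY_PER_WITHDRAWAL
    if not state.suppressed and state.penalty > profile.cutoff:
        state.suppressed = True
        state.suppressed_for = 0.0
    return state


def readvertise(state: RouteState) -> RouteState:
    """The route comes back; an existing suppression is unaffected."""
    state.reachable = True
    return state


def advance(state: RouteState, profile: DampeningProfile, elapsed: float) -> RouteState:
    """Decay the penalty over `elapsed` seconds, then re-evaluate suppression."""
    half_life = (profile.half_life_reachable if state.reachable
                 else profile.half_life_unreachable)
    state.penalty *= 0.5 ** (elapsed / half_life)
    if state.suppressed:
        state.suppressed_for += elapsed
        if (state.penalty < profile.reuse
                or state.suppressed_for >= profile.max_hold_time):
            state.suppressed = False
            state.suppressed_for = 0.0
    return state


def is_advertised(state: RouteState) -> bool:
    """A route is announced only if it is reachable and not suppressed."""
    return state.reachable and not state.suppressed


def demo() -> dict:
    """Three quick flaps, then a quiet period long enough to release the route."""
    profile = DampeningProfile(cutoff=2.0, reuse=0.75, max_hold_time=900,
                               half_life_reachable=300, half_life_unreachable=300)
    st = RouteState()
    for _ in range(3):
        withdraw(st, profile)
        readvertise(st)
    after_flaps = (round(st.penalty, 3), is_advertised(st))
    advance(st, profile, 600)      # two half-lives: 3.0 -> 0.75, not yet below Reuse
    at_600 = (round(st.penalty, 3), is_advertised(st))
    advance(st, profile, 1)        # now just under Reuse: the route is released
    at_601 = (st.penalty < profile.reuse, is_advertised(st))
    return {"after_flaps": after_flaps, "at_600s": at_600, "at_601s": at_601}


if __name__ == "__main__":
    print(demo())
```

Max. Hold Time acts as the ceiling on the whole process: with a long half-life the penalty may still be above Reuse when the hold time runs out, and the route is released anyway.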
BGP Peer Group Tab
The following table describes the BGP peer group settings.
BGP – Peer Group Setting Description
Name Enter a name to identify the peer group.
Enable Select to activate the peer group.
Aggregated Confed AS Path Select this option to include a path to the configured aggregated confederation AS.
Soft Reset with Stored Info Select this option to perform a soft reset of the firewall after updating the peer settings.
Type Specify the type of peer or group and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop). IBGP —Specify Export Next Hop. EBGP Confed —Specify Export Next Hop. IBGP Confed —Specify Export Next Hop. EBGP —Specify Import Next Hop, Export Next Hop, and Remove Private AS (to force BGP to remove private AS numbers).
Import Next Hop Choose an option for next hop import: original —Use the Next Hop address provided in the original route advertisement. use-peer —Use the peer's IP address as the Next Hop address.
Export Next Hop Choose an option for next hop export: resolve —Resolve the Next Hop address using the local forwarding table. use-self —Replace the Next Hop address with this router's IP address to ensure that it will be in the forwarding path.
Peer To add a new peer, click New and configure the following settings: Name —Enter a name to identify the peer. Enable —Select to activate the peer. Peer AS —Specify the AS of the peer. Local Address —Choose a firewall interface and local IP address. Connection Options —Specify the following options: Auth Profile —Select the profile. Keep Alive Interval —Specify an interval after which routes from a peer are suppressed according to the hold time setting (range is 0-1,200 seconds; default is 30 seconds). Multi Hop —Set the time-to-live (TTL) value in the IP header (range is 1-255; default is 0). The default value of 0 means 2 for eBGP prior to PAN-OS 7.1.9, and it means 1 beginning with PAN-OS 7.1.9. The default value of 0 means 255 for iBGP. Open Delay Time —Specify the delay time between opening the peer TCP connection and sending the first BGP open message (range is 0-240 seconds; default is 0 seconds). Hold Time —Specify the period of time that may elapse between successive KEEPALIVE or UPDATE messages from a peer before the peer connection is closed (range is 3-3,600 seconds; default is 90 seconds). Idle Hold Time —Specify the time to wait in the idle state before retrying connection to the peer (range is 1-3,600 seconds; default is 15 seconds). Peer Address —Specify the IP address and port of the peer. Advanced Options —Configure the following settings: Reflector Client —Select the type of reflector client (Non-Client, Client, or Meshed Client). Routes that are received from reflector clients are shared with all internal and external BGP peers. Peering Type —Specify a bilateral peer, or leave unspecified. Max. Prefixes —Specify the maximum number of supported IP prefixes (1-100000 or unlimited).
BFD —To enable Bidirectional Forwarding Detection (BFD) for a BGP peer (and thereby override the BFD setting for BGP, as long as BFD is not disabled for BGP at the virtual router level), select the default profile (default BFD settings), an existing BFD profile, Inherit-vr-global-setting to inherit BGP’s global BFD profile, or New BFD Profile to create a new BFD profile. Disable BFD disables BFD for the BGP peer. If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall will stop the BGP connection to the peer to program BFD on the interface. The peer device will see the BGP connection drop, which can result in a reconvergence that impacts production traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when a reconvergence will not impact production traffic. Incoming Connections/Outgoing Connections —Specify the incoming and outgoing port numbers and Allow traffic to or from these ports.
BGP Import and Export Tabs
The following table describes the BGP import and export settings.
BGP – Import and Export Setting Description
Import Rules/Export Rules Click BGP Import Rules or Export Rules. To add a new rule, click Add and configure the following settings. General: Name —Specify a name to identify the rule. Enable —Select to activate the rule. Used by —Select the peer groups that will use this rule. Match: AS-Path Regular Expression —Specify a regular expression for filtering of AS paths. Community Regular Expression —Specify a regular expression for filtering of community strings. Extended Community Regular Expression —Specify a regular expression for filtering of extended community strings. Address Prefix —Specify IP addresses or prefixes for route filtering. MED —Specify a MED value for route filtering. Next Hop —Specify next hop routers or subnets for route filtering. From Peer —Specify peer routers for route filtering. Action —Specify an action (Allow or Deny) to take when the match conditions are met. Additionally, only when you specify Allow, configure the following: Local Preference —Specify a local preference metric. MED —Specify a MED value (0-65,535). Weight —Specify weight (0-65,535). Next Hop —Specify a next hop router. Origin —Specify the path type of the originating route—IGP, EGP, or incomplete. AS Path Limit —Specify an AS path limit. AS Path —Specify an AS path—None, Remove, Prepend, or Remove and Prepend. Community —Specify a community option—None, Remove All, Remove Regex, Append, or Overwrite. Extended Community —Specify a community option—None, Remove All, Remove Regex, Append, or Overwrite. Dampening —Specify the dampening parameter. Click remove to delete a rule. Click Clone to add a new rule with the same settings as the selected rule. A suffix is added to the new rule name to distinguish it from the original rule.
BGP Conditional Adv Tab
The BGP conditional advertisement feature allows you to control what route to advertise in the event that a different route is not available in the local BGP routing table (LocRIB), indicating a peering or reachability failure. This is useful in cases where you want to try to force routes to one AS over another, for example if you have links to the internet through multiple ISPs and you want traffic to be routed to one provider instead of the other unless there is a loss of connectivity to the preferred provider.
With conditional advertising, you can configure a Non-Exist filter that matches the prefix of the preferred route. If any route matching the Non-Exist filter is not found in the local BGP routing table, only then will the firewall allow advertisement of the alternate route (the route to the other, non-preferred provider) as specified in its Advertise filter. To configure conditional advertisement, select the Conditional Adv tab and click Add. The following describes how to configure the values in the fields.
BGP – Conditional Adv Setting Description
Policy Specify the policy name for this conditional advertisement rule.
Enable Select this option to enable BGP conditional advertisement.
Used By Click Add and select the peer groups that will use this conditional advertisement policy.
Non Exist Filters Use this tab to specify the prefix(es) of the preferred route. This specifies the route that you want to advertise, if it is available in the local BGP routing table. If a prefix is going to be advertised and matches a Non Exist filter, the advertisement will be suppressed. Click Add to create a non-exist filter. Non Exist Filters —Specify a name to identify this filter. Enable —Select to activate the filter. AS-Path Regular Expression —Specify a regular expression for filtering of AS paths. Community Regular Expression —Specify a regular expression for filtering of community strings. Extended Community Regular Expression —Specify a regular expression for filtering of extended community strings. MED —Specify a MED value for route filtering. Address Prefix —Click Add and then specify the exact NLRI prefix for the preferred route. Next Hop —Specify next hop routers or subnets for route filtering. From Peer —Specify peer routers for route filtering.
Advertise Filters Use this tab to specify the prefix(es) of the route in the Local-RIB routing table that should be advertised in the event that the route in the non-exist filter is not available in the local routing table. If a prefix is going to be advertised and does not match a Non Exist filter, the advertisement will occur. Click Add to create an advertise filter. Advertise Filters —Specify a name to identify this filter. Enable —Select to activate the filter. AS-Path Regular Expression —Specify a regular expression for filtering of AS paths. Community Regular Expression —Specify a regular expression for filtering of community strings. Extended Community Regular Expression —Specify a regular expression for filtering of extended community strings. MED —Specify a MED value for route filtering. Address Prefix —Click Add and then specify the exact NLRI prefix for the route to be advertised if the preferred route is not available. Next Hop —Specify next hop routers or subnets for route filtering. From Peer —Specify peer routers for route filtering.
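The Import/Export rule fields (BGP Import and Export Tabs) and the Non Exist and Advertise filters (BGP Conditional Adv Tab) share the same match vocabulary: AS-path and community regular expressions, address prefix, MED, next hop and source peer. The following Python model, an added example rather than PAN-OS code, evaluates a small import policy over a constructed LocRIB and then applies the conditional-advertisement test from the Conditional Adv description: alternate prefixes are announced only while no LocRIB route matches the Non Exist filter. The routes, rules, filters and the two sample private ASNs in the regex are constructed; the top-down, first-match-wins evaluation order and the "no matching rule means deny" default are assumptions of this model, not statements from the page.

```python
"""Route-policy evaluation (added example; not PAN-OS code).

Models Import/Export rule matching and actions, and conditional advertisement
with Non Exist and Advertise filters. Sample data and evaluation order are
constructed assumptions (see the lead-in above).
"""
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]
    from_peer: str
    communities: List[str] = field(default_factory=list)
    med: int = 0
    local_pref: int = 100


@dataclass
class Match:
    """Match conditions; a field left as None is not checked."""
    as_path_regex: Optional[str] = None
    community_regex: Optional[str] = None
    address_prefix: Optional[str] = None   # route prefix equal to or inside this
    prefix_exact: bool = False             # require an exact prefix match
    med: Optional[int] = None
    next_hop: Optional[str] = None         # address or subnet
    from_peer: Optional[str] = None


@dataclass
class Rule:
    name: str
    match: Match
    action: str                            # "allow" or "deny"
    local_pref: Optional[int] = None       # set-actions, applied only on allow
    as_path_prepend: List[int] = field(default_factory=list)
    community_append: List[str] = field(default_factory=list)


def matches(m: Match, r: Route) -> bool:
    path_text = " ".join(str(asn) for asn in r.as_path)
    if m.as_path_regex and not re.search(m.as_path_regex, path_text):
        return False
    if m.community_regex and not any(re.search(m.community_regex, c) for c in r.communities):
        return False
    if m.address_prefix:
        net, want = ipaddress.ip_network(r.prefix), ipaddress.ip_network(m.address_prefix)
        if net != want and (m.prefix_exact or not net.subnet_of(want)):
            return False
    if m.med is not None and r.med != m.med:
        return False
    if m.next_hop and ipaddress.ip_address(r.next_hop) not in ipaddress.ip_network(m.next_hop, strict=False):
        return False
    if m.from_peer and r.from_peer != m.from_peer:
        return False
    return True


def apply_rules(rules: List[Rule], route: Route) -> Optional[Route]:
    """First matching rule wins: Deny returns None, Allow returns a modified copy."""
    for rule in rules:
        if not matches(rule.match, route):
            continue
        if rule.action == "deny":
            return None
        out = replace(route)                   # the original route is left untouched
        if rule.local_pref is not None:
            out.local_pref = rule.local_pref
        out.as_path = rule.as_path_prepend + out.as_path
        out.communities = out.communities + rule.community_append
        return out
    return None                                # model assumption: unmatched routes are denied


def conditional_advertise(loc_rib: List[Route], non_exist: Match, advertise: Match) -> List[Route]:
    """Announce routes matching `advertise` only while no LocRIB route matches `non_exist`."""
    if any(matches(non_exist, r) for r in loc_rib):
        return []
    return [r for r in loc_rib if matches(advertise, r)]


# Constructed sample LocRIB: two upstreams, isp-a preferred.
SAMPLE_LOC_RIB = [
    Route("10.10.0.0/16", "192.0.2.1", [65010], "isp-a", ["65010:100"], med=50),
    Route("0.0.0.0/0", "192.0.2.1", [65010], "isp-a"),
    Route("172.16.0.0/12", "198.51.100.1", [65020, 65030], "isp-b", ["65020:200"]),
    Route("203.0.113.0/24", "198.51.100.1", [65020, 64512, 64513], "isp-b"),
]

# Constructed import policy: drop the default route and paths carrying two
# sample private ASNs, raise Local Preference for isp-a's 10/8 space, accept the rest.
IMPORT_RULES = [
    Rule("deny-default", Match(address_prefix="0.0.0.0/0", prefix_exact=True), "deny"),
    Rule("deny-private-as", Match(as_path_regex=r"\b(64512|64513)\b"), "deny"),
    Rule("prefer-isp-a", Match(from_peer="isp-a", address_prefix="10.0.0.0/8"), "allow", local_pref=200),
    Rule("accept-rest", Match(), "allow"),
]

# Conditional advertisement: announce 172.16/12 only if 10.10/16 via isp-a is gone.
NON_EXIST = Match(address_prefix="10.10.0.0/16", prefix_exact=True, from_peer="isp-a")
ADVERTISE = Match(address_prefix="172.16.0.0/12", prefix_exact=True)


def demo_import() -> dict:
    """Prefix -> allowed route (modified copy) or None when denied."""
    return {r.prefix: apply_rules(IMPORT_RULES, r) for r in SAMPLE_LOC_RIB}


if __name__ == "__main__":
    for prefix, result in demo_import().items():
        print(prefix, "denied" if result is None else f"allowed, local_pref={result.local_pref}")
    print([r.prefix for r in conditional_advertise(SAMPLE_LOC_RIB, NON_EXIST, ADVERTISE)])
    print([r.prefix for r in conditional_advertise(SAMPLE_LOC_RIB[2:], NON_EXIST, ADVERTISE)])
```

The exact-match flag on the default-route rule matters: an Address Prefix of 0.0.0.0/0 read as "equal to or inside" would match every route, so a policy that means to reject only the default must test for the exact prefix.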
BGP Aggregate Tab
The following table describes the BGP aggregate settings.
BGP – Aggregate Setting Description
Name Enter a name for the aggregation configuration.
Suppress Filters Define the attributes that will cause the matched routes to be suppressed.
Advertise Filters Define the attributes for the advertise filters that will ensure that any route that matches the defined filter will be advertised to peers.
Aggregate Route Attributes Define the attributes that will be used to match routes that will be aggregated.
BGP Redist Rules Tab
The following table describes the BGP redistribution rule settings.
BGP – Redistribution Rule Setting Description
Allow Redistribute Default Route Permits the firewall to redistribute its default route to BGP peers.
Name Enter an IP subnet or select a redistribution profile.
Enable Click to enable this redistribution rule.
Metric Enter a metric in the range 1-65535.
Redist Rules To add a new rule, click Add, configure the settings, and click Done. The parameters are described above in this table for the Import Rules and Export Rules tabs.
IP Multicast
Configuring Multicast protocols requires configuring the following standard setting.
Multicast Setting Description
Enable Select this option to enable multicast routing.
In addition, settings on the following tabs must be configured:
Rendezvous Point —See Multicast Rendezvous Point Tab. Interfaces —See Multicast Interfaces Tab. SPT Threshold —See Multicast SPT Threshold Tab. Source Specific Address Space —See Multicast Source Specific Address Tab. Advanced —See Multicast Advanced Tab.
Multicast Rendezvous Point Tab
The following table describes the multicast rendezvous point settings.
Multicast Setting – Rendezvous Points Description
RP Type Choose the type of Rendezvous Point (RP) that will run on this virtual router. A static RP must be explicitly configured on other PIM routers whereas a candidate RP is elected automatically. None —Choose if there is no RP running on this virtual router. Static —Specify a static IP address for the RP and choose options for RP Interface and RP Address from the drop-down. Select Override learned RP for the same group if you want to use the specified RP instead of the RP elected for this group. Candidate —Specify the following information for the candidate RP running on this virtual router: RP Interface —Select an interface for the RP. Valid interface types include loopback, L3, VLAN, aggregate Ethernet, and tunnel. RP Address —Select an IP address for the RP. Priority —Specify a priority for candidate RP messages (default 192). Advertisement interval —Specify an interval between advertisements for candidate RP messages. Group list —If you choose Static or Candidate, click Add to specify a list of groups for which this candidate RP is proposing to be the RP.
Remote Rendezvous Point Click Add and specify the following: IP address —Specify the IP address for the RP. Override learned RP for the same group —Select this option to use the specified RP instead of the RP elected for this group. Group —Specify a list of groups for which the specified address will act as the RP.
Multicast Interfaces Tab
The following table describes the multicast interface settings.
Multicast Setting – Interfaces Description
Name Enter a name to identify an interface group.
Description Enter an optional description.
Interface Click Add to specify one or more firewall interfaces.
Group Permissions Specify general rules for multicast traffic: Any Source —Click Add to specify a list of multicast groups for which PIM-SM traffic is permitted. Source-Specific —Click Add to specify a list of multicast group and multicast source pairs for which PIM-SSM traffic is permitted.
IGMP Specify rules for IGMP traffic. IGMP must be enabled for host-facing interfaces (IGMP router) or for IGMP proxy host interfaces: Enable —Select this option to enable the IGMP configuration. IGMP Version —Choose version 1, 2, or 3 to run on the interface. Enforce Router-Alert IP Option —Select this option to require the router-alert IP option when speaking IGMPv2 or IGMPv3. This option must be disabled for compatibility with IGMPv1. Robustness —Choose an integer value to account for packet loss on a network (range is 1-7; default is 2). If packet loss is common, choose a higher value. Max Sources —Specify the maximum number of source-specific memberships allowed on this interface (0 = unlimited). Max Groups —Specify the maximum number of groups allowed on this interface. Query Configuration —Specify the following: Query interval —Specify the interval at which general queries are sent to all hosts. Max Query Response Time —Specify the maximum time between a general query and a response from a host. Last Member Query Interval —Specify the interval between group or source-specific query messages (including those sent in response to leave-group messages). Immediate Leave —Select this option to leave the group immediately when a leave message is received.
PIM configuration Specify the following Protocol Independent Multicast (PIM) settings: Enable —Select this option to allow this interface to receive and/or forward PIM messages. Assert Interval —Specify the interval between PIM assert messages. Hello Interval —Specify the interval between PIM hello messages. Join Prune Interval —Specify the interval between PIM join and prune messages (seconds). Default is 60. DR Priority —Specify the designated router priority for this interface. BSR Border —Select this option to use the interface as the bootstrap border. PIM Neighbors —Click Add to specify the list of neighbors that this interface will communicate with using PIM.
Multicast SPT Threshold Tab
The following table describes the multicast Shortest Path Tree (SPT) threshold settings.
Multicast Setting – SPT Thresholds Description
Name The Shortest Path Tree (SPT) threshold defines the throughput rate (in kbps) at which multicast routing will switch from shared tree distribution (sourced from the rendezvous point) to source tree distribution. Click Add to specify the following SPT settings: Multicast Group Prefix —Specify the multicast IP address/prefix for which the SPT will be switched to source tree distribution when the throughput reaches the desired threshold (kbps). Threshold —Specify the throughput (kbps) at which the firewall switches from shared tree distribution to source tree distribution.
Multicast Source Specific Address Tab
The following table describes the multicast source-specific address space settings.
Multicast Setting – Source Specific Address Spaces Description
Name Defines the multicast groups for which the firewall will provide source-specific multicast (SSM) services. Click Add to specify the following settings for source-specific addresses: Name —Enter a name to identify this group of settings. Group —Specify groups for the SSM address space. Included —Select this option to include the specified groups in the SSM address space.
Multicast Advanced Tab
The following table describes the advanced settings for multicast.
Multicast Advanced Setting Description
Route Age Out Time (sec) Allows you to tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends (range is 210-7,200; default is 210).
ECMP
The following topics describe the Equal Cost Multiple Path (ECMP) feature.
What do you want to know? See:
What is ECMP? ECMP Overview
What are the fields available to configure ECMP? ECMP Settings
Looking for more? ECMP
ECMP Overview
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
Load balance flows (sessions) to the same destination over multiple equal-cost links. Make use of the available bandwidth on links to the same destination rather than leave some links unused. Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path. This can help reduce downtime when links fail.
ECMP load balancing is done at the session level, not at the packet level. This means that the firewall chooses an equal-cost path at the start of a new session, not each time a packet is received.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.
To configure ECMP for a virtual router, select a virtual router and, for Router Settings, select the ECMP tab and configure the settings shown in the following table.
ECMP Settings
The following table describes the ECMP settings.
ECMP Setting Description
Enable Click Enable to enable ECMP. Enabling, disabling, or changing ECMP requires that you restart the firewall, which might cause sessions to be terminated.
Symmetric Return (Optional) Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface, so the Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
Max Path Select the maximum number of equal-cost paths (2, 3, or 4) to a destination network that can be copied from the RIB to the FIB. Default is 2.
Method Choose one of the following ECMP load-balancing algorithms to use on the virtual router. ECMP load balancing is done at the session level, not at the packet level. This means that the firewall (ECMP) chooses an equal-cost path at the start of a new session, not each time a packet is received. IP Modulo —By default, the virtual router load balances sessions using this option, which uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use. IP Hash —Optionally click Use Source/Destination Ports to include the ports in the hash calculation, in addition to the source and destination IP addresses. You can also enter a Hash Seed value (an integer) to further randomize load balancing. Weighted Round Robin —This algorithm can be used to take into consideration different link capacities and speeds. Upon choosing this algorithm, the Interface window opens. Click Add and select an Interface to be included in the weighted round robin group. For each interface, enter the Weight to be used for that interface. Weight defaults to 100; range is 1-255. The higher the weight for a specific equal-cost path, the more often that equal-cost path will be selected for a new session. A higher speed link should be given a higher weight than a slower link, so that more of the ECMP traffic goes over the faster link. Click Add again to add another interface and weight. Balanced Round Robin —Distributes incoming ECMP sessions equally across links.
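The Method row above lists four algorithms that share one property stated twice on this page: the egress is chosen at the start of a session and reused for every later packet of that session. The following Python model is an added illustration, not PAN-OS code, of the four methods plus Max Path and Symmetric Return. Interface names, the sample sessions, and SHA-256 standing in for the firewall's hash function (which this page does not specify) are constructed.

```python
"""ECMP path selection model (added example; not PAN-OS code).

Interface names, sessions, and the hash function are constructed stand-ins.
"""
import hashlib
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """Header fields that key the per-session ECMP decision."""
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


def stable_hash(*fields: object, seed: int = 0) -> int:
    """Deterministic 64-bit hash over header fields (SHA-256 as a stand-in)."""
    data = "|".join(str(f) for f in fields) + f"|seed={seed}"
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")


class EcmpGroup:
    """Equal-cost paths to one destination with a session -> egress cache."""

    def __init__(self, paths: List[str], method: str, max_path: int = 2,
                 weights: Optional[Dict[str, int]] = None,
                 use_ports: bool = False, hash_seed: int = 0,
                 symmetric_return: bool = False):
        if max_path not in (2, 3, 4):
            raise ValueError("Max Path must be 2, 3 or 4")
        self.paths = paths[:max_path]            # at most Max Path routes go from RIB to FIB
        self.method = method
        self.use_ports = use_ports
        self.hash_seed = hash_seed
        self.symmetric_return = symmetric_return
        self.sessions: Dict[Session, str] = {}   # session -> egress chosen at first packet
        weights = weights or {}
        # Weighted round robin: a path with Weight w occupies w slots in the rotor
        # (Weight defaults to 100 on the page), so heavier links are picked more often.
        self._wrr = itertools.cycle(
            [p for p in self.paths for _ in range(weights.get(p, 100))])
        self._rr = itertools.cycle(self.paths)   # balanced round robin: one slot each

    def _choose(self, s: Session) -> str:
        n = len(self.paths)
        if self.method == "ip_modulo":           # hash of source and destination IP only
            return self.paths[stable_hash(s.src_ip, s.dst_ip) % n]
        if self.method == "ip_hash":             # optionally ports, plus Hash Seed
            fields = (s.src_ip, s.dst_ip)
            if self.use_ports:
                fields += (s.src_port, s.dst_port)
            return self.paths[stable_hash(*fields, seed=self.hash_seed) % n]
        if self.method == "weighted_round_robin":
            return next(self._wrr)
        if self.method == "balanced_round_robin":
            return next(self._rr)
        raise ValueError(f"unknown method {self.method}")

    def forward(self, s: Session) -> str:
        """Egress for a client-to-server packet: decided once per session, then cached."""
        if s not in self.sessions:
            self.sessions[s] = self._choose(s)
        return self.sessions[s]

    def return_egress(self, s: Session, ingress_if: str) -> str:
        """Server-to-client reply: Symmetric Return overrides load balancing and
        sends it back out the interface the request arrived on."""
        return ingress_if if self.symmetric_return else self.forward(s)


if __name__ == "__main__":
    group = EcmpGroup(["eth1", "eth2"], "weighted_round_robin", weights={"eth1": 3, "eth2": 1})
    for i in range(8):
        print(group.forward(Session(f"10.0.0.{i}", "203.0.113.10", 40000 + i, 443)))
```

Because the decision is cached per session, the round-robin rotors only advance on new sessions; retransmitted or later packets of an existing session never change path, which is what keeps stateful inspection consistent across the ECMP members.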
More Runtime Stats for a Virtual Router
After you have configured a portion of a virtual router, from the Network > Virtual Routers page, you can see information for a particular virtual router by clicking More Runtime Stats in the last column. The window displays the following tabs:
Routing —See Routing Tab. RIP —See RIP Tab. BGP —See BGP Tab. Multicast —See Multicast Tab.
Routing Tab
The following table describes the virtual router’s Runtime Stats for Routing.
Routing Runtime Stat Description
Destination IPv4 address and netmask or IPv6 address and prefix length of networks the virtual router can reach.
Next Hop IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
Metric Metric for the route.
Flags A B —Active and learned via BGP. A C —Active and a result of an internal interface (connected) - Destination = network. A H —Active and a result of an internal interface (connected) - Destination = Host only. A R —Active and learned via RIP. A S —Active and static. S —Inactive (because this route has a higher metric) and static. O1 —OSPF external type-1. O2 —OSPF external type-2. Oi —OSPF intra-area. Oo —OSPF inter-area.
Age Age of the route entry in the routing table. Static routes have no age.
Interface Egress interface of the virtual router that will be used to reach the next hop.
RIP Tab
The following table describes the virtual router’s Runtime Stats for RIP.
RIP Runtime Stat Description
Summary Tab
Interval Seconds Number of seconds in an interval; this value affects the Update, Expire, and Delete Intervals.
Update Intervals Number of Intervals between RIP route advertisement updates that the virtual router sends to peers.
Expire Intervals Number of Intervals since the last update the virtual router received from a peer, after which the virtual router marks the routes from the peer as unusable.
Delete Intervals Number of Intervals after a route has been marked as unusable that, if no update is received, the route is deleted from the routing table.
Interface Tab
Address IP address of an interface on the virtual router where RIP is enabled.
Auth Type Type of authentication—simple password, MD5, or none.
Send Allowed Check mark indicates this interface is allowed to send RIP packets.
Receive Allowed Check mark indicates this interface is allowed to receive RIP packets.
Advertise Default Route Check mark indicates that RIP will advertise its default route to its peers.
Default Route Metric Metric (hop count) assigned to the default route. The lower the metric value, the higher priority it has in the route table to be selected as the preferred path.
Key Id Authentication key used with peers.
Preferred Preferred key for authentication.
Peer Tab
Peer Address IP address of a peer to the virtual router’s RIP interface.
Last Update Date and time that the last update was received from this peer.
RIP Version RIP version the peer is running.
Invalid Packets Count of invalid packets received from this peer. Possible causes, each of which prevents the firewall from parsing the RIP packet—x bytes over a route boundary, too many routes in packet, bad subnet, illegal address, authentication failed, or not enough memory.
Invalid Routes Count of invalid routes received from this peer. Possible causes—route is invalid, import fails, or not enough memory.
BGP Tab
The following table describes the virtual router’s Runtime Stats for BGP.
BGP Runtime Stat Description
Summary Tab
Router Id Router ID assigned to the BGP instance.
Reject Default Route Indicates whether the Reject Default Route option is configured, which causes the VR to ignore any default routes that are advertised by BGP peers.
Redistribute Default Route Indicates whether the Allow Redistribute Default Route option is configured.
Install Route Indicates whether the Install Route option is configured, which causes the VR to install BGP routes in the global routing table.
Graceful Restart Indicates whether or not Graceful Restart is enabled (supported).
AS Size Indicates whether the AS Format size selected is 2 Byte or 4 Byte.
Local AS Number of the AS to which the VR belongs.
Local Member AS Local Member AS number (valid only if the VR is in a confederation). The field is 0 if the VR is not in a confederation.
Cluster ID Displays the Reflector Cluster ID configured.
Default Local Preference Displays the Default Local Preference configured for the VR.
Always Compare MED Indicates whether the Always Compare MED option is configured, which enables a comparison to choose between routes from neighbors in different autonomous systems.
Aggregate Regardless MED Indicates whether the Aggregate MED option is configured, which enables route aggregation even when routes have different MED values.
Deterministic MED Processing Indicates whether the Deterministic MED comparison option is configured, which enables a comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same AS).
Current RIB Out Entries Number of entries in the RIB Out table.
Peak RIB Out Entries Peak number of Adj-RIB-Out routes that have been allocated at any one time.
Peer Tab
Name Name of the peer.
Group Name of the peer group to which this peer belongs.
Local IP IP address of the BGP interface on the VR.
Peer IP IP address of the peer.
Peer AS Autonomous system to which the peer belongs.
Password Set Yes or no indicates whether authentication is set.
Status Status of the peer, such as Active, Connect, Established, Idle, OpenConfirm, or OpenSent.
Status Duration (sec) Duration of the peer’s status.
Peer Group Tab
Group Name Name of a peer group.
Type Type of peer group configured, such as EBGP or IBGP.
Aggregate Confed. AS Yes or no indicates whether the Aggregate Confederation AS option is configured.
Soft Reset Support Yes or no indicates whether the peer group supports soft reset. When routing policies to a BGP peer change, routing table updates might be affected. A soft reset of BGP sessions is preferred over a hard reset because a soft reset allows routing tables to be updated without clearing the BGP sessions.
Next Hop Self Yes or no indicates whether this option is configured.
Next Hop Third Party Yes or no indicates whether this option is configured.
Remove Private AS Indicates whether updates will have private AS numbers removed from the AS_PATH attribute before the update is sent.
Local RIB Tab
Prefix Network prefix and subnet mask in the Local Routing Information Base.
Flag * indicates the route was chosen as the best BGP route.
Next Hop IP address of the next hop toward the Prefix.
Peer Name of peer.
Weight Weight attribute assigned to the Prefix. If the firewall has more than one route to the same Prefix, the route with the highest weight is installed in the IP routing table.
Local Pref. Local preference attribute for the route, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.
AS Path List of autonomous systems in the path to the Prefix network; the list is advertised in BGP updates.
Origin Origin attribute for the Prefix; how BGP learned of the route.
MED Multi-Exit Discriminator (MED) attribute of the route. The MED is a metric attribute for a route, which the AS advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.
Flap Count Number of flaps for the route.
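The Local RIB attributes above decide which route gets the * flag. The following added example (not Palo Alto Networks code) walks a simplified BGP best-path comparison over constructed Local RIB rows in the standard decision order (weight, local preference, AS path length, origin, MED); MED is compared only between routes learned through the same neighboring AS, and the final peer-name tie-break is an assumption standing in for the real router-ID and peer-address steps.

```python
# Added illustration, not vendor code: simplified BGP best-path selection
# over Local RIB rows. Order: weight, local pref, AS path length, origin,
# MED (same neighboring AS only), then an assumed peer-name tie-break.
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower rank preferred


@dataclass
class LocalRibEntry:
    prefix: str
    peer: str
    weight: int
    local_pref: int
    as_path: List[int]      # leftmost AS is the neighboring AS
    origin: str
    med: int
    flag: str = ""          # "*" once chosen as the best BGP route


def prefer(a: LocalRibEntry, b: LocalRibEntry) -> bool:
    # True when route a is preferred over route b for the same prefix
    if a.weight != b.weight:
        return a.weight > b.weight              # highest weight is installed
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref      # higher local pref preferred
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)  # shorter AS path preferred
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED is only comparable between routes from the same neighboring AS
    same_neighbor_as = a.as_path and b.as_path and a.as_path[0] == b.as_path[0]
    if same_neighbor_as and a.med != b.med:
        return a.med < b.med                    # lower MED preferred
    return a.peer < b.peer                      # assumed stable tie-break


def select_best(entries: List[LocalRibEntry]) -> Optional[LocalRibEntry]:
    # Flag the best route for one prefix with "*" and return it
    best = None
    for entry in entries:
        entry.flag = ""
        if best is None or prefer(entry, best):
            best = entry
    if best is not None:
        best.flag = "*"
    return best


# Constructed sample Local RIB rows for one prefix (all values are made up)
SAMPLE_RIB = [
    LocalRibEntry("10.1.0.0/16", "peerA", 0, 100, [65001, 65010], "igp", 50),
    LocalRibEntry("10.1.0.0/16", "peerB", 0, 200, [65002, 65010], "igp", 10),
    LocalRibEntry("10.1.0.0/16", "peerC", 0, 200, [65002, 65010], "igp", 5),
]
```

Running select_best(SAMPLE_RIB) flags peerC: peerA loses on local preference, and peerC beats peerB on MED because both were learned through AS 65002.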
RIB Out Tab
Prefix Network routing entry in the Routing Information Base.
Next Hop IP address of the next hop toward the Prefix.
Peer Peer to which the VR will advertise this route.
Local Pref. Local preference attribute to access the prefix, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.
AS Path List of autonomous systems in the path to the Prefix network.
Origin Origin attribute for the Prefix; how BGP learned of the route.
MED Multi-Exit Discriminator (MED) attribute to the Prefix. The MED is a metric attribute for a route, which the AS advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.
Adv. Status Advertised status of the route.
Aggr. Status Indicates whether this route is aggregated with other routes.
Multicast Tab
The following table describes the virtual router’s Runtime Stats for IP Multicast.
Multicast Runtime Stat Description
FIB Tab
Group Multicast group address that the VR will forward.
Source Multicast source address.
Incoming Interfaces Interfaces on which the multicast traffic arrives at the VR.
IGMP Interface Tab
Interface Interface that has IGMP enabled.
Version Version 1, 2, or 3 of Internet Group Management Protocol (IGMP).
Querier IP address of the IGMP querier on that interface.
Querier Up Time Length of time that IGMP querier has been up.
Querier Expiry Time Time remaining before the current Other Querier Present timer expires.
Robustness Robustness variable of the IGMP interface.
Groups Limit Number of multicast groups allowed on the interface.
Sources Limit Number of multicast sources allowed on the interface.
Immediate Leave Yes or no indicates whether Immediate Leave is configured. Immediate leave indicates that the virtual router will remove an interface from the forwarding table entry without sending the interface IGMP group-specific queries.
IGMP Membership Tab
Interface Name of an interface to which the membership belongs.
Group IP Multicast group address.
Source Source address of multicast traffic.
Up Time Length of time this membership has been up.
Expiry Time Length of time remaining before membership expires.
Filter Mode Include or Exclude. Indicates whether the VR is configured to accept traffic from any source, only traffic from this source (Include), or traffic from any source except this one (Exclude).
Exclude Expiry Time remaining before the interface Exclude state expires.
V1 Host Timer Time remaining until the local router assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to the interface.
V2 Host Timer Time remaining until the local router assumes that there are no longer any IGMP Version 2 members on the IP subnet attached to the interface.
PIM Group Mapping Tab
Group IP address of the group mapped to a Rendezvous Point.
RP IP address of Rendezvous Point for the group.
Origin Indicates where the VR learned of the RP.
PIM Mode ASM or SSM.
Inactive Indicates that the mapping of the group to the RP is inactive.
PIM Interface Tab
Interface Name of interface participating in PIM.
Address IP address of the interface.
DR IP address of the Designated Router on the interface.
Hello Interval Hello interval configured (in seconds).
Join/Prune Interval Join/Prune interval configured (in seconds).
Assert Interval Assert interval configured (in seconds).
DR Priority Priority configured for the Designated Router.
BSR Border Yes or no indicates whether the BSR Border option is configured on the interface.
PIM Neighbor Tab
Interface Name of interface in the VR.
Address IP address of the neighbor.
Secondary Address Secondary IP address of the neighbor.
Up Time Length of time the neighbor has been up.
Expiry Time Length of time remaining before the neighbor expires because the VR is not receiving hello packets from the neighbor.
Generation ID Value that the VR received from the neighbor in the last PIM hello message received on this interface.
DR Priority Designated Router priority that the VR received in the last PIM hello message from this neighbor.