Configure OSPFv3 on an Advanced Routing Engine
Configure OSPFv3 on an advanced routing engine.
The Advanced Routing Engine supports OSPFv3, which supports only IPv6 addressing. Before you configure OSPFv3, you should understand OSPF Concepts.
Consider the OSPFv3 Routing Profiles and filters that you can apply to OSPFv3 and thereby save configuration time and maintain consistency. You can create profiles and filters in advance or as you configure OSPFv3.
- Configure general OSPFv3 routing options.
- Select Network > Routing > Logical Routers and select the logical router.
- Select OSPFv3 and Enable it.
- Assign a Router ID to OSPFv3 for the logical router, which is typically an IPv4 address (even though OSPFv3 is for IPv6 addressing), to ensure the Router ID is unique.
- If you want to apply BFD to OSPFv3, select a BFD Profile you created, or select the default profile, or create a new BFD Profile to apply to all OSPFv3 interfaces belonging to the logical router. Default is None (Disable BFD).
- Select a Global General Timer profile or create a new one to set SPF throttle timers and to set the minimum interval between arriving instances of the same link-state advertisement (LSA).
- Select a Global Interface Timer profile or create a new one to set the hello interval, retransmit interval, and other settings.
- Select a Redistribution Profile or create a new one to redistribute IPv6 static routes, connected routes, IPv6 BGP routes, or the IPv6 default route to OSPFv3.
- Click OK.
- Create an OSPFv3 area and specify characteristics based on the type of area.
- Select Network > Routing > Logical Routers and select the logical router.
- Select OSPFv3 > Area and Add an Area by Area ID (an IPv4 address).
- Specify the Type of area:
- Normal—There are no restrictions; the area can carry all types of routes.
- Stub—There is no outlet from the area. To reach a destination outside of the area, traffic must go through an Area Border Router (ABR), which connects to other areas and area 0.
- NSSA (Not So Stubby Area)—Traffic can leave the area directly, but only by using non-OSPF routes.
- (Stub and NSSA areas only) Select no-summary to prevent the area from receiving Type 3 Summary LSAs and thereby reduce traffic in the area.
- (NSSA area only) Select Default information originate to cause OSPFv3 to originate a default route.
- Enter a Metric for the default route; range is 1 to 16,777,214; default is 10.
- Select the Metric-Type: Type 1 or Type 2. Type E1 cost is the sum of the external cost plus the internal cost to reach that route. Type E2 is only the external cost of that route. This can be useful when you want to load-balance the same external route, for example.
- Select ABR if you want to configure filtering options.
- Select an Import-list or create a new Access List to filter Type-3 LSAs; applies to paths announced into the specified area as Type-3 summary LSAs.
- Select an Export-list or create a new Access List to filter Type-3 summary LSAs announced to other areas originated from intra-area paths from the specified area.
- Select an Inbound Filter List or create a new Prefix List to filter Type-3 summary LSAs coming into the area. If you apply an Import access list and Inbound prefix list, the firewall uses an AND operation (both lists must be met).
- Select an Outbound Filter List or create a new Prefix List to filter Type-3 summary LSAs from the area. If you apply an Export access list and Outbound prefix list, the firewall uses an AND operation (both lists must be met).
- If the Type of area is NSSA and ABR is selected, Add an IPv6 Prefix to summarize a group of external subnets into a single Type-7 LSA, which is then translated to a Type-5 LSA and advertised to the backbone when you select Advertise.
- Specify the network range that a Type-3 Summary LSA announces to the backbone area if the area contains at least one intra-area network (that is, described with router or network LSA) from this range.
- Select Range and Add an IPv6 Address/Netmask, which summarizes routes for the area. A Type-3 Summary LSA with routing information that matches the range is announced into the backbone area if the area contains at least one intra-area network from this range.
- Select Advertise to advertise matching subnets in LSAs to the backbone area. If Advertise is set to No, any matching intra-area prefixes that are present in the area will not be advertised in the backbone area.
- Add interfaces to the area.
- On the Interface tab, Add an Interface by selecting one.
- Enable the interface.
- Select MTU Ignore to ignore maximum transmission unit (MTU) mismatches when trying to establish an adjacency (default is disabled; MTU match checking occurs).
- Select Passive to prevent sending OSPF Hello packets out this interface and thus prevent the logical router from creating an OSPF adjacency with a neighbor; however, the interface is still included in the link-state database. You can make an interface passive, for example if it connects to a switch, because you don’t want to send Hello packets where there is no router.
- Keep the Instance ID set to 0 because only one instance of OSPFv3 is allowed.
- Select the Link Type:
- Broadcast—All neighbors that are accessible through the interface are discovered automatically by multicasting OSPF Hello messages, such as over an Ethernet interface.
- p2p (point-to-point)—Automatically discover the neighbor.
- p2mp (point-to-multipoint)—Neighbors must be defined manually: Add the Neighbor IPv6 address for all neighbors that are reachable through this interface and the Priority of each neighbor to be elected the designated router (DR) or backup DR; range is 0 to 255; default is 1.
- Enter a Priority for the interface—the priority for the router to be elected as a designated router (DR) or backup DR (BDR); range is 0 to 255; default is 1. If zero is configured, the router will not be elected as DR or BDR.
- Select an OSPFv3 Interface Timer Profile or create a new one to apply to the interface. This OSPFv3 Interface Timer profile overrides the Global Interface Timer applied to OSPFv3.
- Select an OSPFv3 Interface Authentication profile or create a new one to apply to the interface. This Authentication Profile overrides the Authentication Profile applied to the Area (on the Type tab).
- By default, the interface will inherit the BFD profile you applied to the logical router for OSPFv3 (Inherit-vr-global-setting). Alternatively, select the default profile, select a BFD Profile you created, create a new one, or select None (Disable BFD) to override the BFD Profile applied at the OSPFv3 level.
- Enter an OSPFv3 Cost for the interface, which influences route selection; range is 1 to 65,535; default is 10. During route selection, a route with a lower cumulative cost (the added costs of each interface used) is preferred over a route with a higher cumulative cost.
- Click OK to save the interface.
- If the ABR does not have a physical link to the backbone area, configure a virtual link to a neighbor ABR within the same area that has a physical link to the backbone area. The following settings must be defined for area border routers (ABRs) and must be defined within the backbone area (0.0.0.0).
- Select Virtual Link.
- Add a Virtual Link by Name (a maximum of 31 characters).
- Enable the virtual link.
- Select the transit Area where the neighbor ABR that has the physical link to the backbone area is located.
- Enter the Router ID of the neighbor ABR on the remote end of the virtual link.
- Select an OSPFv3 Interface Timer Profile or create a new Timer Profile to apply to the virtual link. This OSPFv3 Interface Timer profile overrides the Global Interface Timer applied to OSPFv3 and the OSPFv3 Interface Timer profile applied to the interface.
- Select an OSPF Interface Authentication profile or create a new Authentication Profile to apply to the virtual link. This Authentication Profile overrides the Authentication Profile applied to the Area (on the Type tab) and the Authentication Profile applied to the interface.
- Click OK.
- Click OK to save the area.
- Configure advanced OSPFv3 features.
- Select Network > Routing > Logical Routers and select the logical router.
- Select OSPFv3 > Advanced.
- Enable Graceful Restart to enable Graceful Restart for the logical router. Default is enabled.
- Enable Helper Mode to enable the logical router to function in Graceful Restart helper mode. Default is enabled.
- Enable Strict LSA Checking to cause the helper router to stop performing helper mode and to cause the graceful restart process to stop if a link-state advertisement indicates a network topology change. Default is enabled.
- Enter a Grace Period (sec)—the number of seconds within which the logical router will perform a graceful restart if the firewall goes down or becomes unavailable; range is 5 to 1,800; default is 120.
- Enter a Max Neighbor Restart Time (sec)—the maximum number of seconds of Grace Period that the logical router accepts from a neighbor when the logical router is in Helper Mode; range is 5 to 1,800; default is 140.
- Select Disable R-Bit and v6-Bit to clear the R-bit and V6-bit in router LSAs sent from this logical router to indicate that the firewall is not active. When in this state, the firewall participates in OSPFv3 but does not send transit traffic or IPv6 datagrams. In this state, local traffic will still be forwarded to the firewall. This is useful while performing maintenance with a dual-homed network because traffic can be re-routed around the firewall while it can still be reached. See RFC 5340.
- Click OK to save advanced settings.
- Configure intra-area filtering to determine which OSPFv3 routes are placed in the global RIB. You might learn OSPFv3 routes and redistribute them, but not want them in the global RIB; you might want to allow only specific OSPFv3 routes to the global RIB.
- Select Network > Routing > Logical Routers and select a logical router.
- Select RIB Filter.
- To filter IPv6 OSPFv3 routes for the global RIB, for OSPFv3 Route-Map, select a Redistribution route map you created or create a new Redistribution Route Map in which the Source Protocol is OSPFv3 and the Destination Protocol is RIB.
- Click OK.
- (Optional) Change the default administrative distances for OSPFv3 Intra Area, OSPFv3 Inter Area, and OSPFv3 External Routes that pertain to the logical router.
- Commit.
- View advanced routing information for OSPFv3 and the link-state database (LSDB). The PAN-OS CLI Quick Start lists the commands in the CLI Cheat Sheet: Networking.
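As an added example (not part of the original documentation and not Palo Alto Networks code), the Python check below lints a planned OSPFv3 design against the ranges and rules stated in the steps above, including whether each non-passive interface has an authentication profile of its own or from its area. The dictionary layout, its key names and the sample values are assumptions made for this example, not a PAN-OS export format.

```python
import ipaddress

# Ranges and rules come from the procedure above. The dict layout is a
# hypothetical planning format for this example, not a PAN-OS schema.
RANGES = {"priority": (0, 255), "cost": (1, 65535),
          "default_metric": (1, 16777214),
          "grace_period": (5, 1800), "max_neighbor_restart": (5, 1800)}
BACKBONE = "0.0.0.0"

def out_of_range(key, obj):
    low, high = RANGES[key]
    return key in obj and not low <= obj[key] <= high

def lint_ospfv3(cfg):
    """Return sorted findings for a planned OSPFv3 configuration."""
    found = []
    try:  # Router ID is written like an IPv4 address even though OSPFv3 is IPv6
        ipaddress.IPv4Address(cfg.get("router_id", ""))
    except ValueError:
        found.append("router_id: not in IPv4 address format")
    for key in ("grace_period", "max_neighbor_restart"):
        if out_of_range(key, cfg):
            found.append(f"{key}: outside {RANGES[key]}")
    for area_id, area in cfg.get("areas", {}).items():
        kind = area.get("type", "normal")
        if area.get("no_summary") and kind not in ("stub", "nssa"):
            found.append(f"area {area_id}: no-summary applies to stub/NSSA only")
        if "default_metric" in area and kind != "nssa":
            found.append(f"area {area_id}: default originate applies to NSSA only")
        if out_of_range("default_metric", area):
            found.append(f"area {area_id}: default_metric outside range")
        if area.get("virtual_links") and area_id != BACKBONE:
            found.append(f"area {area_id}: virtual links belong in {BACKBONE}")
        for name, intf in area.get("interfaces", {}).items():
            where = f"area {area_id} {name}"
            for key in ("priority", "cost"):
                if out_of_range(key, intf):
                    found.append(f"{where}: {key} outside {RANGES[key]}")
            if intf.get("instance_id", 0) != 0:
                found.append(f"{where}: instance ID must stay 0")
            if intf.get("link_type") == "p2mp" and not intf.get("neighbors"):
                found.append(f"{where}: p2mp needs manually defined neighbors")
            # The interface profile overrides the area profile; either counts.
            auth = intf.get("auth_profile") or area.get("auth_profile")
            if not intf.get("passive") and not auth:
                found.append(f"{where}: active interface has no authentication profile")
    return sorted(found)

# Constructed sample plan, not taken from a real firewall.
SAMPLE = {
    "router_id": "10.0.0.1", "grace_period": 120, "max_neighbor_restart": 2000,
    "areas": {
        "0.0.0.0": {"type": "normal", "interfaces": {
            "ethernet1/1": {"link_type": "p2p", "auth_profile": "ospfv3-auth"},
            "ethernet1/2": {"link_type": "broadcast", "cost": 70000},
            "ethernet1/3": {"link_type": "broadcast", "passive": True}}},
        "0.0.0.5": {"type": "stub", "no_summary": True, "default_metric": 10,
                    "virtual_links": [{"name": "to-backbone"}],
                    "interfaces": {"ethernet1/4": {"link_type": "p2mp"}}}},
}

if __name__ == "__main__":
    print("\n".join(lint_ospfv3(SAMPLE)))
```

The passive interface (ethernet1/3) produces no authentication finding because it sends no Hello packets and forms no adjacency.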