OSPF

Show Routes Learned

To see what OSPF has learned, start with the link-state database (the LSAs received from neighbours):

show routing protocol ospf lsdb

Then check which of those actually made it into the routing table (and with what metric and flags) with the general routing command:

show routing route

Oi means OSPF intra-area: it is the subnet in which the virtual router has established an OSPF adjacency on a directly attached interface. If you have several /32 addresses in the same subnet as the larger /x on the interface, those /32 routes will also appear as Oi routes with a metric of x + 10, where x is the value set at

Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric

Show Routes Exported

To see what routes we are exporting into OSPF from all virtual routers, use the following command:

show routing protocol redist ospf

To limit the output to a specific virtual router, use the following command:

show routing protocol redist ospf virtual-router VR_NAME

OSPF Redistribution

If you enable OSPF and export a redistribution profile that has the source type configured (e.g. static) but no filters, every route of that source type will be exported.

Remember, the priority field in the redistribution profile has nothing to do with metrics. It is a processing order for evaluating redistribution profiles, and the lower number is evaluated first. So, if you have a profile that redistributes all static routes and set the priority to 10, you can then create a no-redist profile with a priority of 9 that matches static routes with a destination of 10.11.11.0/29. Attach that to an OSPF export rule and it will suppress that specific static route from being exported. All other static routes will still be exported because they fall through to the general "export all static routes" profile attached to the other export rule. The default route does not come into this unless you have enabled default route redistribution.

If you redistribute all connected routes from one firewall to another, the list of redistributed routes will not include the link used for OSPF (that is already covered by the OSPF intra-area route). It will also not include any loopback IP addresses. It will include IP addresses that are on tunnel interfaces, but it will not include GlobalProtect 'attached' subnets (even though they are listed as static routes in the FIB) unless you put an IP on the GlobalProtect tunnel interface.

If you import a redistributed route via OSPF that you already have as a connected route, the virtual router will not mark the imported route as 'active': a directly connected route always wins.

Remember, if you set a redistribution profile to redistribute static routes matching 10.10.0.0/16, this will actually redistribute the 10.10.0.0/16 static route and every static route more specific than it (e.g. 10.10.10.0/24).
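The two behaviours above (priority ordering of redist/no-redist profiles, and a destination filter matching everything more specific than itself) are easy to get wrong when you have several profiles. The following is an added example, a small Python model of that evaluation written for these notes; it is not PAN-OS code. The profile names, the route list and the "lower priority number is evaluated first, first match wins" rule are assumptions taken from the worked example in the text; the firewall's own implementation may differ in details such as tie-breaking.

```python
import ipaddress
from dataclasses import dataclass

# Model of redistribution-profile evaluation as described in the notes.
# Assumption: profiles are evaluated from the lowest priority number upwards,
# the first profile whose source type and destination filter match decides,
# and a route matching no profile is simply not exported.

@dataclass
class RedistProfile:
    name: str
    priority: int                # lower value is evaluated first
    source_type: str             # "static", "connect", ...
    action: str                  # "redist" or "no-redist"
    destinations: tuple = ()     # empty means "no filter": match every route of the type

    def matches(self, route_type: str, prefix: str) -> bool:
        if route_type != self.source_type:
            return False
        if not self.destinations:
            return True
        net = ipaddress.ip_network(prefix)
        # A destination filter matches the prefix itself and anything more specific
        # (10.10.0.0/16 matches 10.10.0.0/16 and 10.10.10.0/24, but not 10.0.0.0/8).
        return any(net.subnet_of(ipaddress.ip_network(d)) for d in self.destinations)


def exported_routes(profiles, routes):
    """Return the prefixes (in input order) that would be exported into OSPF."""
    ordered = sorted(profiles, key=lambda p: p.priority)
    exported = []
    for route_type, prefix in routes:
        for p in ordered:
            if p.matches(route_type, prefix):
                if p.action == "redist":
                    exported.append(prefix)
                break          # first matching profile decides, redist or no-redist
    return exported


# Constructed sample FIB: (route type, prefix). Not taken from a real firewall.
ROUTES = [
    ("static", "10.11.11.0/29"),    # the one the no-redist profile should suppress
    ("static", "10.11.12.0/24"),
    ("static", "10.10.0.0/16"),
    ("static", "10.10.10.0/24"),    # more specific than 10.10.0.0/16
    ("static", "192.168.50.0/24"),
    ("connect", "10.1.1.0/24"),     # no "connect" profile below, so never exported
]

# Scenario from the text: suppress 10.11.11.0/29 at priority 9, export all statics at 10.
SUPPRESS_ONE = [
    RedistProfile("no-redist-10.11.11.0-29", 9, "static", "no-redist", ("10.11.11.0/29",)),
    RedistProfile("all-static", 10, "static", "redist"),
]

# Scenario from the text: a single profile filtered on 10.10.0.0/16.
ONLY_10_10 = [
    RedistProfile("static-10.10", 10, "static", "redist", ("10.10.0.0/16",)),
]

# Same profiles but with the priorities swapped: the no-redist profile is now
# evaluated second and never wins, which is the classic misconfiguration.
SUPPRESS_TOO_LATE = [
    RedistProfile("no-redist-10.11.11.0-29", 11, "static", "no-redist", ("10.11.11.0/29",)),
    RedistProfile("all-static", 10, "static", "redist"),
]

if __name__ == "__main__":
    for label, profiles in (("suppress one", SUPPRESS_ONE),
                            ("only 10.10/16", ONLY_10_10),
                            ("priorities swapped", SUPPRESS_TOO_LATE)):
        print(f"{label:>20}: {exported_routes(profiles, ROUTES)}")
```

The third scenario is the check worth running before you commit: if the no-redist profile carries a higher number than the catch-all, the catch-all matches first and the "suppressed" route leaks into OSPF anyway.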

Setting Metrics

The firewall places a metric on the OSPF intra-area routes, which are the subnets in which the firewall establishes OSPF peering relationships. For example, if you have an interface with an IP of 10.1.1.1/24 and you configure OSPF on it, the firewall will end up with an OSPF intra-area route to 10.1.1.0/24 marked as Oi. The value of the metric is set in the following location. The Priority value next to the Metric is not a route preference; it is the OSPF router priority used for the designated router (DR) and backup DR (BDR) election on that segment. When the value is zero, the firewall will never be elected DR or BDR.

Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric

When the firewall learns routes exported by another firewall, the route will show as an O1 or O2 route depending on whether the other firewall set the export rule's new path type to ext-1 or ext-2.

When in doubt, set the new path type to ext-2.

In both cases the remote firewall's export rule either leaves the metric unset, which defaults to 1, or sets an explicit metric. What differs is what the local firewall does with it.

If the remote firewall exports the route as ext-2, the local firewall installs the route with exactly the metric set by the remote firewall's export rule; the cost of the links in between is ignored.

If the remote firewall exports the route as ext-1, the local firewall takes the metric set by the remote firewall's export rule and adds the cost of its own interface toward that firewall, the value in its Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric field, to determine the route weight. This is what lets two links to the same peer be ranked by link cost.

Summarise Routes

With OSPF, you can summarise routes from one area to another if the firewall has an interface in one area and another interface in another area.

When you have a firewall with a leg in 0.0.0.0 and a leg in 0.0.0.2, if you configure “Range” in 0.0.0.0 with the summary path you want, that summary will be distributed, along with all other routes, into 0.0.0.2.

If you have two firewalls (active/active) doing this, set the area 0.0.0.0 > Interface metric of the primary to 10 and the area 0.0.0.0 > Interface metric of the secondary to 11. OSPF peers in area 0.0.0.2 will then prefer to get their area 0.0.0.0 routes from the primary, because its advertised cost is lower.

Redistribute Loopback IP

Loopback addresses are not picked up by a "connect" redistribution profile (see above). If you want to redistribute them, create a local static route for the loopback IP (/32) with the loopback IP itself as the next hop, then redistribute that static route.

OSPF Over VPN

When running OSPF over VPN links (tunnel interfaces), make sure that Link Type is set to p2p at the following configuration location.

Router > OSPF > Areas > 0.0.0.0 > Interface > tunnel.9 > Link Type

If you have two firewalls that connect to each other over VPN and over, say, MPLS, you can put both interfaces into Area 0.0.0.0. You can give both interface configurations in Area 0.0.0.0 the same metric and use ext-2 in the export rules. This means that if MPLS fails, the VPN will take over with only a few ping drops, and when MPLS is restored it takes back control from the VPN.

If you want MPLS and VPN to have different metrics to achieve the same result, set the Area 0.0.0.0 interface metric of MPLS to 1 and the metric of VPN to 2. Then set the export rule to ext-1 with a metric of 11. This means the MPLS metric when installed on the other firewall is 12 (11 + 1) and the VPN metric is 13 (11 + 2), so MPLS is preferred while it is up. If MPLS fails, the VPN will take over with only a few ping drops; when MPLS is restored, it takes back control from the VPN.
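The ext-1 versus ext-2 arithmetic from the Setting Metrics section and the MPLS/VPN failover above are worked through below. This is an added example written for these notes, not PAN-OS code: it models the installed metric as the text describes it (ext-2 uses the export metric as-is, ext-1 adds the local interface metric) and assumes, as OSPF does, that an ext-1 route is preferred over an ext-2 route regardless of metric. Link names and the up/down sequence are constructed.

```python
from dataclasses import dataclass

# Assumption: this reproduces the two rules stated in the notes plus the
# standard OSPF preference of type-1 externals over type-2 externals.
PATH_TYPE_RANK = {"ext-1": 0, "ext-2": 1}   # lower rank is preferred


def installed_metric(path_type: str, export_metric, local_interface_metric: int) -> int:
    """Metric the learning firewall installs for a route another firewall exported.

    export_metric is None when the remote export rule sets no metric (defaults to 1).
    local_interface_metric is this firewall's Area > Interface > Metric toward the peer.
    """
    if export_metric is None:
        export_metric = 1
    if path_type == "ext-2":
        return export_metric                            # link cost ignored
    if path_type == "ext-1":
        return export_metric + local_interface_metric   # link cost added
    raise ValueError(f"unknown path type {path_type!r}")


@dataclass
class Link:
    name: str
    path_type: str          # "ext-1" or "ext-2", from the remote export rule
    export_metric: int      # metric in the remote export rule (None = default 1)
    interface_metric: int   # local Area 0.0.0.0 > Interface > Metric for this link
    up: bool = True


def best_link(links):
    """Name of the link whose learned route would be active, or None if all are down."""
    usable = [l for l in links if l.up]
    if not usable:
        return None
    return min(
        usable,
        key=lambda l: (PATH_TYPE_RANK[l.path_type],
                       installed_metric(l.path_type, l.export_metric, l.interface_metric)),
    ).name


# Constructed scenario from the notes: ext-1, export metric 11, MPLS cost 1, VPN cost 2.
MPLS = Link("mpls", "ext-1", 11, 1)
VPN = Link("vpn", "ext-1", 11, 2)


def failover_sequence():
    """Which link carries traffic as MPLS goes down and comes back."""
    chosen = []
    MPLS.up, VPN.up = True, True
    chosen.append(best_link([MPLS, VPN]))   # both up: MPLS (12 < 13)
    MPLS.up = False
    chosen.append(best_link([MPLS, VPN]))   # MPLS down: VPN takes over
    MPLS.up = True
    chosen.append(best_link([MPLS, VPN]))   # MPLS restored: takes back control
    return chosen


if __name__ == "__main__":
    print("mpls installed metric:", installed_metric("ext-1", 11, 1))
    print("vpn installed metric:", installed_metric("ext-1", 11, 2))
    print("failover sequence:", failover_sequence())
```

Note what happens if you keep the different interface metrics but switch the export rule to ext-2: both routes install with metric 11 and the link costs no longer break the tie, which is why the text pairs distinct interface metrics with ext-1.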

OSPF with Backup Static Route

If you have OSPF from (e.g.) MPLS terminating on your firewall, you may also have a backup VPN to the other sites. You can create a static route with metric 20 for the VPN tunnel and OSPF will (depending on configuration) have a metric of 11. However, you may find PAN-OS selecting the static route with metric 20 over the OSPF route with metric 11. The issue is administrative distance. If you update the static route to have an administrative distance of 150, the OSPF route should suddenly get priority. I've tried 129 and that also worked. However, 75 seemed to leave me with the static route still being preferred. Not sure what the tipping point is.