

OSPF

Show Routes Learned

To see the routes being learned by OSPF, use the following command:

show routing protocol ospf lsdb

Get general routing data with

show routing route

Oi means OSPF intra-area, and is the subnet in which the virtual router has established OSPF peering relationships. If you have several /32 addresses in the same subnet as the larger prefix on the interface, those /32 addresses will also have Oi routes created with a metric of x + 10, where x is the interface metric set at

Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric

Show Routes Exported

To see which routes we are exporting to OSPF from all virtual routers, use the following command:

show routing protocol redist ospf

To limit the output to a specific virtual router, use the following command:

show routing protocol redist ospf virtual-router VR_NAME

OSPF Redistribution

If you enable OSPF and export a redistribution profile that has the source type configured but no filters, all routes will be exported.

Remember, the priority field in the redistribution profile has nothing to do with metrics. It sets the processing order in which redistribution profiles are evaluated. So, if you have a rule that redistributes all static routes with a priority of 10, you can then create a no-redist rule with a priority of 9 that matches static routes with a destination of 10.11.11.0/29. Add that no-redist profile to an OSPF export rule and it will suppress that specific static route from being exported. All other static routes will still be exported because they match the general “export all static routes” redistribution profile, which is attached to another export rule. Obviously the default route does not come into this unless you have enabled default route redistribution.
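The ordering rule above, as an added illustration (not code from the original page or from PAN-OS): profiles are evaluated from the lowest priority number upward and the first match decides, so the priority-9 no-redist profile for 10.11.11.0/29 wins over the priority-10 redist-all-static profile. The profile and route structures, and the exact-prefix match on the destination filter, are modelling assumptions.

```python
# Added example, not PAN-OS code: a minimal model of redistribution profile
# evaluation as the page describes it (lower priority number is evaluated first).
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class RedistProfile:
    name: str
    priority: int            # processing order only; nothing to do with metrics
    action: str              # "redist" or "no-redist"
    source_type: str         # e.g. "static", "connect"
    destination: Optional[str] = None  # optional prefix filter (assumed exact match)

@dataclass
class Route:
    prefix: str
    source_type: str

def matches(profile: RedistProfile, route: Route) -> bool:
    if profile.source_type != route.source_type:
        return False
    if profile.destination is None:
        return True
    # Assumption for this model: the destination filter matches the exact prefix.
    return ipaddress.ip_network(profile.destination) == ipaddress.ip_network(route.prefix)

def is_exported(route: Route, profiles: list) -> bool:
    """First matching profile (ascending priority) decides; no match = not exported."""
    for profile in sorted(profiles, key=lambda p: p.priority):
        if matches(profile, route):
            return profile.action == "redist"
    return False

# Constructed profiles mirroring the page's scenario.
PROFILES = [
    RedistProfile("all-static", priority=10, action="redist", source_type="static"),
    RedistProfile("hide-lab-net", priority=9, action="no-redist",
                  source_type="static", destination="10.11.11.0/29"),
]

# Constructed sample routes: the suppressed one, a normal static, and a connected one.
SAMPLE_ROUTES = [
    Route("10.11.11.0/29", "static"),   # matched by priority 9 no-redist -> suppressed
    Route("10.20.0.0/16", "static"),    # only matched by priority 10 -> exported
    Route("192.168.1.0/24", "connect"), # no profile covers connected -> not exported
]

def export_decisions(routes=SAMPLE_ROUTES, profiles=PROFILES) -> dict:
    return {r.prefix: is_exported(r, profiles) for r in routes}
```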

If you redistribute all connected routes from one firewall to another, the list of redistributed routes will not include the link used for OSPF (that is covered by the OSPF intra-area route). It will also not include any loopback IP addresses. It will include IP addresses that are on tunnel interfaces, but it will not include GlobalProtect 'attached' subnets (even though they are listed as static routes in the FIB) unless you put an IP on the GlobalProtect tunnel interface.

If you import a redistributed route in OSPF that you already have as a connected route, the virtual router will not mark the imported route as 'active'.

Setting Metrics

The firewall places a metric on the ospf intra-area routes which are the subnets that the firewall establishes OSPF peering relationships in. For example, if you have an interface with an IP of 10.1.1.1/24 and you configure OSPF on it, the firewall will end up with an ospf intra-area route to 10.1.1.0/24 marked as Oi. The value of the metric is set in the following location. The priority value next to the metric is for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.

Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric

When the firewall learns routes from another firewall, the route will show as an O1 or O2 route depending on whether the other firewall set the export rule new path type to ext-1 or ext-2.

When in doubt, set the new path type to ext-2.

If the remote firewall is exporting the route as ext-2, it either sets a metric in its export rule or leaves it unset, in which case the metric defaults to 1. Because the new path type is ext-2, the local firewall uses the metric set by the remote firewall's export rule as the route cost, unchanged.

If the remote firewall is exporting the route as ext-1, it likewise either sets a metric in its export rule or leaves it unset, in which case the metric defaults to 1. Because the new path type is ext-1, the local firewall takes the metric set by the remote firewall's export rule and adds the value in its own Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric field to determine the route weight.

Summarise Routes

With OSPF, you can summarise routes from one area to another if the firewall has an interface in one area and another interface in another area.

When you have a firewall with a leg in 0.0.0.0 and a leg in 0.0.0.2, if you configure “Range” in 0.0.0.0 with the summary path you want, that summary will be distributed, along with all other routes, into 0.0.0.2.

If you have two firewalls (active/active) doing this, set the area 0.0.0.0 > Interface metric of the primary to 10 and the area 0.0.0.0 > Interface metric of the secondary to 11. OSPF peers in area 0.0.0.2 will then prefer to get their area 0.0.0.0 routes from the primary.

Redistribute Loopback IP

If you want to redistribute loopback addresses, you will need to create a local static route that points the loopback IP (/32) to itself (IP) as the next hop. You can then redistribute the static route.

OSPF Over VPN

When setting OSPF over VPN links (tunnel interfaces), make sure that Link Type is set to p2p at the following configuration location.

Router > OSPF > Areas > 0.0.0.0 > Interface > tunnel.9 > Link Type

If you have two firewalls that connect to each other over VPN and over, say, MPLS, you can put both interfaces into Area 0.0.0.0. You can give both interface configurations in Area 0.0.0.0 the same metric. You can also use ext-2 in the export rules. This means that if MPLS fails, the VPN will take over with only a few ping drops. If the MPLS is then restored, it will take back control from the VPN.

If you want MPLS and VPN to have different metrics to achieve the same result, set the Area 0.0.0.0 interface metric of MPLS to 1 and the metric of VPN to 2. Then set the export rule to ext-1 with a metric of 11. This means the MPLS route, when installed on the other firewall, has a metric of 12 and the VPN route has 13. If MPLS fails, the VPN will take over with only a few ping drops, and when MPLS is restored it will take back control from the VPN.
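The ext-1 versus ext-2 cost rule from the Setting Metrics section and the MPLS/VPN failover arithmetic just above, worked as an added example (not code from the original page or from PAN-OS): ext-2 installs the peer's export metric as-is, ext-1 adds the local interface metric, and the lowest cost path that is up carries the traffic. The Path structure and the "mpls"/"vpn" labels are constructed for the example.

```python
# Added example, not PAN-OS code: models how the local virtual router derives the
# cost of an OSPF external route learned from a peer, per the page's description.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Path:
    name: str               # constructed label, e.g. "mpls" or "vpn"
    interface_metric: int   # local Router > OSPF > Areas > 0.0.0.0 > Interface > Metric
    path_type: str          # "ext-1" or "ext-2" from the peer's export rule
    export_metric: int = 1  # peer's export rule metric; page says it defaults to 1
    up: bool = True         # whether the link is currently available

def installed_cost(p: Path) -> int:
    """Cost the local firewall installs for a route learned over this path."""
    if p.path_type == "ext-2":
        return p.export_metric                        # shown as O2, peer metric unchanged
    if p.path_type == "ext-1":
        return p.export_metric + p.interface_metric   # shown as O1, local interface metric added
    raise ValueError(f"unknown path type {p.path_type!r}")

def route_flag(p: Path) -> str:
    return {"ext-1": "O1", "ext-2": "O2"}[p.path_type]

def preferred_paths(paths: List[Path]) -> List[str]:
    """Names of the lowest-cost path(s) that are up; several names mean a tie."""
    live = [p for p in paths if p.up]
    if not live:
        return []
    best = min(installed_cost(p) for p in live)
    return [p.name for p in live if installed_cost(p) == best]

def mpls_vpn_scenario(mpls_up: bool = True) -> dict:
    """The page's ext-1 design: interface metrics 1 (MPLS) and 2 (VPN), export metric 11."""
    mpls = Path("mpls", interface_metric=1, path_type="ext-1", export_metric=11, up=mpls_up)
    vpn = Path("vpn", interface_metric=2, path_type="ext-1", export_metric=11)
    return {
        "mpls_cost": installed_cost(mpls),   # 11 + 1 = 12
        "vpn_cost": installed_cost(vpn),     # 11 + 2 = 13
        "flag": route_flag(mpls),            # "O1"
        "active": preferred_paths([mpls, vpn]),
    }

def equal_metric_ext2_scenario() -> List[str]:
    """The page's ext-2 design with equal interface metrics: both paths cost the same."""
    mpls = Path("mpls", interface_metric=10, path_type="ext-2")
    vpn = Path("vpn", interface_metric=10, path_type="ext-2")
    return preferred_paths([mpls, vpn])
```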

paloaltonetworks/configuration/ospf.1590883695.txt.gz · Last modified: (external edit)