Palo Alto Networks Firewall Does Not Redistribute Individual IP Addresses Via OSPF

Created On 09/26/18 13:53 PM - Last Modified 06/15/23 22:44 PM


Issue

The Palo Alto Networks firewall may have /32 IP addresses assigned to individual interfaces or loopback interfaces. However, those addresses will not be redistributed via OSPF, even if the interfaces are added to the OSPF redistribution profile.

 

Cause

A /32 address is considered a "host" address, and not a "connected" address. The Palo Alto Networks firewall can only redistribute the following types of routes:

  • bgp
  • connect
  • ospf
  • rip
  • static

Since "host" is not a selection, any /32 address will not be redistributed using a redistribution profile.

 

Resolution

Beginning with PAN-OS 5.0, single IP addresses can be added to the export rules of the virtual router:

  1. Navigate to Network > Virtual Routers.
  2. Select your virtual router.
  3. Go to the OSPF > Export Rules tab.
  4. Add the appropriate IP addresses. Specific IP addresses can be added with /32 notation for export.

Note that this is not strictly redistribution. This will advertise the route but will not allow a non-host (learned) route to be redistributed in this fashion.
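To find which interface addresses need an export rule, the check below applies the rule from the Cause section to an address inventory. It is an added example, not Palo Alto Networks code: the function names, status strings and sample IPv4 addresses are constructed, and it assumes the redistribution profile matches every connected interface.

```python
import ipaddress

# Route types a redistribution profile can select, as listed in this article.
REDIST_TYPES = {"bgp", "connect", "ospf", "rip", "static"}

def route_type(address):
    """Return "host" for a /32 interface address, otherwise "connect"."""
    iface = ipaddress.ip_interface(address)
    return "host" if iface.network.prefixlen == 32 else "connect"

def audit(interfaces, profile_types, export_rules):
    """Map each interface to how (or whether) its address reaches OSPF.

    interfaces    -- {name: "a.b.c.d/len"} (constructed inventory, not PAN-OS output)
    profile_types -- route types selected in the redistribution profile
    export_rules  -- prefixes entered under OSPF > Export Rules
    """
    unknown = set(profile_types) - REDIST_TYPES
    if unknown:
        # "host" lands here: it is not a type a profile can select.
        raise ValueError(f"not selectable in a redistribution profile: {sorted(unknown)}")
    exported = {ipaddress.ip_network(rule, strict=False) for rule in export_rules}
    result = {}
    for name, address in interfaces.items():
        network = ipaddress.ip_interface(address).network
        if route_type(address) == "host":
            # A host route is only advertised when its /32 is an export rule.
            result[name] = "export-rule" if network in exported else "not-advertised"
        elif "connect" in profile_types:
            result[name] = "redistribution-profile"
        else:
            result[name] = "not-advertised"
    return result

# Constructed sample inventory (documentation address ranges).
SAMPLE_INTERFACES = {
    "ethernet1/1": "192.0.2.1/24",
    "loopback.1": "198.51.100.10/32",
    "loopback.2": "198.51.100.11/32",
}

if __name__ == "__main__":
    report = audit(SAMPLE_INTERFACES, {"connect"}, ["198.51.100.10/32"])
    for name, status in report.items():
        print(f"{name:12} {status}")
```

Any interface reported as "not-advertised" with a /32 address is a candidate for step 4 of the procedure above.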

 

owner: gwesson


