All - I have 2 systems at two different locations connecting to the same BGP AS and I am accepting an advertised default route.
On the LAN side, I have a basic OSPF area0 which has a fiber-optic connection between the two locations configured as a P2P OSPF link.
I need access to the internet to fail over dynamically between these sites. To that end, I attempted to configure the PA systems to "Allow advertise default route" for their OSPF process. This did NOT work even though the learned BGP default route was installed in the routing table. OSPF did not start originating the default route until I specifically configured an export rule for 0.0.0.0/0.
The problem this creates is that when either router loses their BGP connection and the BGP learned default route is no longer in the table, the export rule ensures the firewall that can not forward to the internet is still advertising a default route via OSPF. That means that the networks transported through the down PA can't reach the internet unless I manually log in and stop OSPF on PA site A.
The LAN routers are Cisco which means I can do static route tracking or eem scripts or a few other things, but life would be much, much easier if the PA's handled default route advertising from OSPF in the way that Cisco does: 'default information originate' will advertise a default route via OSPF only if there's one in the route table, 'default information originate always' will result in the behavior the PA's are showing me now.
They won't advertise a default route *unless* an export rule for 0.0.0.0/0 is configured. Remove that rule, and it stops advertising. Can someone please help me determine if Pan OS is capable of only advertising a default route if there's one in the Global routing table, or if it's on/off with nothing in between?
the connectivity could not be more basic, I'm uploading a paint diagram of the scenario.
I actually think I need to redistribute that default route from BGP into OSPF, but when I use the 0.0.0.0/0 "filter" for the redistribution profile, it redistributes everything in the BGP table. I guess I'll try 0.0.0.0/32, but the default route origination documentation is terrible. It doesn't work as documented (In my attempts to set this up, it would NOT send the default route with out an export rule, which is NOT outlined in the document).
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkmCAC <-- Not 100% correct.
So I just checked the 0.0.0.0/32 idea.
I get nothing.
So I either get the whole BGP routing table, or nothing - I can' seem to limit it to the defaults. I have to believe I'm not getting the syntax, it can't truly be like this. I'm going to manipulate this redistribution profile to inject specific routes into OSPF and see what happens, but I don't understand why an exact match like /32 won't get it done (/31 doesn't seem to work either), but "everybody" (/0) works just fine.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!