How to Enable OSPF on your Checkpoint Firewalls
This example uses a firewall with two interfaces: eth1 on VLAN 400, the outside interface facing your company, and eth4 on VLAN 500, the inside interface facing my company.
set interface eth1 comments "VLAN-400 Outside facing YourCompany"
set interface eth1 ipv4-address 100.155.112.111 mask-length 28
set interface eth4 comments "VLAN-500 Inside facing MyCompanyBCBSMA"
set interface eth4 ipv4-address 100.155.112.127 mask-length 28
Enable OSPF
set router-id 100.155.112.126 // vip of the inside Interface
set ospf instance default area backbone on
set ospf instance default interface eth1 area backbone on
set ospf instance default interface eth1 cost 1
set ospf instance default interface eth1 priority 1
set ospf instance default interface eth4 area backbone on
set ospf instance default interface eth4 cost 1
set ospf instance default interface eth4 priority 1
Enable OSPF Traces
set tracefile size 10
set tracefile maxnum 20
set trace global all on
set trace kernel all on
set trace ospf all on
save config
show ospf summary
show ospf neighbors
show ip route
show ospf border-routers
show ospf interfaces
show ospf interfaces stats
show ospf interfaces detailed
show ospf interface RELEVANT_INTERFACE
show ospf interface RELEVANT_INTERFACE stats
show ospf interface RELEVANT_INTERFACE detailed
show ospf errors
show ospf errors hello
show ospf errors protocol
show ospf events
show ospf database
show ospf database detailed
show ospf database areas
set router-id 10.114.255.12
On Internet - Used 10.15.249.4 internal VIP IP address for Router-ID
myfwl-int01> show configuration Router-ID
set router-id 10.115.249.114
myfwl-int01>
myfwl-int02> show configuration Router-ID
set router-id 10.115.249.114
myfwl-int02>
To check the current mode on Security Gateway:
[Expert@HostName]# fw ctl multik prioq
MY_FW01> show configuration ospf
set ospf area 14 on
set ospf interface eth1-01 area 14 on
set ospf interface eth1-01 cost 1
set ospf interface eth1-01 priority 0
set ospf interface eth1-01 authtype md5 key 1 secret already_scrambled
set ospf interface eth1-04 priority 0
set ospf interface eth1-04 passive on
set ospf area backbone off
MY_FW01>
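The two configurations above differ in one security-relevant way: the first runs OSPF on eth1 and eth4 with no authtype, while the second sets md5 on eth1-01 and makes eth1-04 passive. The following is an added example, not part of the original page or of any Check Point tooling: a small Python check that reads saved "set ospf ..." lines and lists interfaces that can form adjacencies without authentication. The function names and sample strings are constructed from the lines shown on this page.

```python
import re

# Matches both syntaxes that appear on this page:
#   set ospf instance default interface eth1 area backbone on
#   set ospf interface eth1-01 authtype md5 key 1 secret ...
OSPF_IF = re.compile(r"^set ospf (?:instance \S+ )?interface (\S+) (\S+)(?: (.*))?$")

def parse_ospf_interfaces(config_text):
    """Return {interface: {"area": str|None, "authtype": str|None, "passive": bool}}."""
    interfaces = {}
    for raw in config_text.splitlines():
        m = OSPF_IF.match(raw.strip())
        if not m:
            continue  # area-level, router-id and non-OSPF lines are ignored
        name, keyword, rest = m.group(1), m.group(2), (m.group(3) or "").split()
        entry = interfaces.setdefault(
            name, {"area": None, "authtype": None, "passive": False})
        if keyword == "area" and rest and rest[-1] == "on":
            entry["area"] = " ".join(rest[:-1])
        elif keyword == "authtype" and rest:
            entry["authtype"] = rest[0]   # type only; the secret is never stored
        elif keyword == "passive":
            entry["passive"] = rest[:1] == ["on"]
    return interfaces

def unauthenticated_interfaces(config_text):
    """Non-passive OSPF interfaces with no authtype configured."""
    # Assumption: an explicit "authtype none" is treated the same as a missing authtype.
    return sorted(name for name, e in parse_ospf_interfaces(config_text).items()
                  if not e["passive"] and e["authtype"] in (None, "none"))

# Constructed samples, copied from the command lines shown on this page.
FIRST_EXAMPLE = """\
set ospf instance default area backbone on
set ospf instance default interface eth1 area backbone on
set ospf instance default interface eth1 cost 1
set ospf instance default interface eth4 area backbone on
set ospf instance default interface eth4 priority 1
"""
SECOND_EXAMPLE = """\
set ospf area 14 on
set ospf interface eth1-01 area 14 on
set ospf interface eth1-01 authtype md5 key 1 secret already_scrambled
set ospf interface eth1-04 priority 0
set ospf interface eth1-04 passive on
"""

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_EXAMPLE), ("second", SECOND_EXAMPLE)):
        print(label, "->", unauthenticated_interfaces(cfg) or "all authenticated or passive")
```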
set static-route default nexthop gateway address 216.231.183.115 on
set route-redistribution to ospf2 from static-route default metric 10 on (Set OSPF with metric 10 cost 2)
set route-redistribution to ospf2 from static-route 216.218.191.100/25 metric 10 on (netscaler)
set route-redistribution to ospf2 from static-route 216.218.191.28/25 metric 10 on (netscaler)
set inbound-route-filter ospf2 accept-all-ipv4 (this command installs the OSPF database routes into the firewall's kernel routing table; without it the firewall will not get the routes)
set inbound-route-filter rip accept-all-ipv4
Needed Static routes
set static-route default nexthop gateway address 216.231.83.5 on
set static-route 10.20.59.0/24 nexthop gateway address 10.114.255.10 on
set static-route 10.210.7.0/24 nexthop gateway address 10.114.255.10 on
set static-route 216.118.191.0/25 nexthop gateway address 216.231.83.215 priority 1 on
set static-route 216.118.191.128/25 nexthop gateway address 216.231.83.216 priority 1 on
set static-route 100.105.128.0/24 nexthop gateway address 10.255.255.10 on
set static-route 100.200.159.0/24 nexthop gateway address 10.255.255.10 on
set static-route 100.210.107.0/24 nexthop gateway address 10.255.255.10 on