Note - Gaia does not have CLI commands for route filtering and redistribution. You must configure inbound routing policies and redistribution of routes through the Gaia Portal. You can configure route maps and route aggregation using CLI commands. Route map configuration done through the CLI takes precedence over route filtering and redistribution configured in the Gaia Portal. For example if OSPF uses route maps for inbound filtering, anything configured on the Gaia Portal page for inbound route filters for OSPF is ignored. You can still use the Gaia Portal to configure route redistribution into OSPF.

set router-id {default | <ip_address>}

Parameter

Description

default

Selects the highest interface address when OSPF is enabled.

<ip_address>

Specifies a specific IP address to assign as the router ID. Do not use 0.0.0.0 as the router ID address. Best Practice - Check Point recommends setting the router ID rather than relying on the default setting. Setting the router ID prevents the ID from changing if the default interface used for the router ID goes down.

The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID rather than relying on the default setting. This prevents the router ID from changing if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1).

Note - In a cluster, you must select a router ID and make sure that it is the same on all cluster members.

• Range: Dotted-quad.([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0
• Default: The interface address of one of the local interfaces.

set ospf [instance <1-65535>]

default-ase-cost <cost>

default-ase-type {1 | 2}

force-hellos {on | off | timer {default | <2-10>}}

graceful-restart-helper {on | off}

graceful-restart {on | off | grace-period <seconds>}

rfc1583-compatibility {on | off}

spf-delay {default | <delay>}

spf-holdtime {default | <holdtime>}

instance <1-65535>

Enter the applicable instance number.

rfc1583-compatibility {on | off}

Ensure backward compatibility. This option is on by default.

spf-delay {default | <delay>}

Specify the <delay> value, in seconds, to wait before recalculating the OSPF routing table after a change in the topology. The default is 2 seconds.

spf-holdtime {default | <holdtime>}

Specify the minimum <holdtime>, in seconds, between recalculations of the OSPF routing table. The default is 5 seconds.

default-ase-cost <cost>

Specify the cost assigned to routes from other protocols that are redistributed into OSPF as autonomous systems external. If the route has a cost already specified, that cost takes precedent. Valid cost values are between 1 and 6777215.

default-ase-type {1 | 2}

Specify the type assigned to routes from other protocols that are redistributed into OSPF as autonomous systems external. If the route has a type already specified, that type takes precedent. Valid type values are 1 or 2.

force-hellos

In addition to OSPF regular hello packets, OSPF sends out hello packets at specified intervals when it processes updates or synchronizes routes.

Default: Off

force-hellos timer

The time in seconds between one forced hello message to the next.

Value: 2-10

Default: 5

graceful-restart-helper {on | off}

Specify whether the Check Point system should maintain the forwarding state advertised by peer routers, even when they restart, to minimize the negative effects caused by peer routers restarting.

graceful-restart {on | off | grace-period <seconds>}

Configure Graceful Restart - turn it on, turn it off, or set the grace period to a value between 1 and 1800 seconds. The default grace period is 120 seconds.

set ospf

[instance <1-65535>]

area {backbone | <ospf_area_name>} {on | off}

range <ip_range>

off

on

restrict

stub

default-cost <1-677215>

off

on

summary

stub-network <ip_range>

off

on

stub-network-cost

nssa {on | off}

default-cost <1-677215>

default-metric-type <1-2>

import-summary-routes {on | off}

range <ip_range> {on | off | restrict}

redistribution {on | off}

translator-role {always | candidate}

translator-stability-interval <1-65535>

Parameter

Description

[instance <1-65535>]

Enter the applicable instance number. The configuration is applicable to OSPF Multiple Instances.

backbone

Specifies whether to enable or disable the backbone area. By default, the backbone area is enabled. You can disable the backbone area if the system does not have interfaces on the backbone area.

<ospf_area_name>

Specifies the area ID for a new OSPF area. You can enter the area ID in two formats:

• An integer between 0 and 4294967295
• A dotted quad form. For example, 0.0.0.1 for area ID 1

Best Practice - Check Point recommends that you enter the area ID as a dotted quad. The area ID 0.0.0.0 is reserved for the backbone.

area range <ip_range> {on | off | restrict}

Select an area from the areas already configured.
You can configure any area with any number of address ranges. An address range is defined by an IP prefix and a mask length. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Make sure you do not configure an address range that covers part of a prefix that is not contained within an area. If you mark a range as restrict, it is not advertised to other areas.

stub {on | off}

Specifies the area ID for a stub area. Stub areas are areas that do not have AS external routes.

Note - The backbone area cannot be a stub area.

stub default-cost <1-677215>

Specifies a default route into the stub area with the specified cost.

stub summary {on | off}

Specifies the OSPF area as totally stubby. This means that it does not have any AS external routes and its area border routers do not advertise summary routes.

stub-network <ip_range> {on | off | stub-network-cost}

Specifies a stub network to which the specified interface range belongs. Configure a stub network to advertise reachability to prefixes that do not run OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured. This means that one of the router’s interface addresses must fall within the prefix range to be included in the router-link-state advertisement. Use a mask length of 32 to configure the stub host. The local address of a point-to-point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non-zero cost for the prefix.

nssa {on | off}

Specifies the area ID for an NSSA.

Note - The backbone area cannot be an NSSA area.

nssa default-cost <1-677215>

Specifies the cost associated with the default route to the NSSA.

nssa default-metric-type <1-2>

Specifies the type of metric. The default, type 1, is equivalent to the Default ASE Route Type on the OSPF Portal page. A type 1 route is internal and its metric can be used directly by OSPF for comparison. A type 2 route is external and its metric cannot be used for comparison directly.

nssa import-summary-routes {on | off}

Specifies if summary routes (summary link advertisements) are imported into the NSSA.

nssa translator-role {always | candidate}

Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties.

nssa translator-stability-inter<1-65535>

Specifies how long in seconds this elected Type-7 translator will continue to perform its translator duties once it has determined that its translator status has been assumed by another NSSA border router. Default: 40 seconds.

nssa redistribution {on | off}

Specifies if both Type-5 and Type-7 LSAs or only Type-7 LSAs will be originated by this NSSA border router.

nssa range <ip_range> {on | off | restrict}

Specify the range of addresses to reduce the number of Type-5 LSAs for the NSSA border router. To prevent a specific prefix from being advertised, use the restrict argument.

set ospf [instance <1-65535>] interface <if_name>

area {backbone  |  <ospf_area_name>} {on  |  off}

authtype

cryptographic key <key> {off | algorithm <algorithm> secret <secret>}

none

simple <password>

cost <1-65535>

dead-interval {default | <1-65535>}

hello-interval {default | <1-65535>}

ip-reachability-detection {on | off}

passive {on | off}

priority <0-255>

retransmit-interval {default | <1-65535>}

subtract-authlen {on | off}

virtual-address {on | off}

Parameter

Description

[instance <1-65535>]

Enter the applicable instance number. The configuration is applicable to OSPF Multiple Instances.

area {backbone |  <ospf_area_name>} {on | off}

Specifies the OSPF area to which the specified interface belongs.

hello-interval {default | <1-65535>}

Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value mset ospfust be the same on all routers or adjacencies do not form.

Default: 10 seconds.

dead-interval {default | <1-65535>}

Specifies the number of seconds after which a router stops receiving hello packets that it declares the peer down. Generally, you should set this value at 4 times the value of the hello interval. Do not set the value at 0. For a given link, this value must be the same on all routers or adjacencies do not form.

Default: 40 seconds.

retransmit-interval <1-65535>

Specifies the number of seconds between link state advertisement transmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, at a significantly higher value than the expected round-trip delay between any two routers on the attached network.

retransmit-interval default

Specifies the default for the retransmit interval, which is 5 seconds.

cost <1-65535>

Specifies the weight of the given path in a route. The higher the cost, the less preferred the link. To use one interface over another for routing paths, assign one a higher cost.

priority <0-255>

Specifies the priority for becoming the designated router (DR) on the specified link. When two routers attached to a network attempt to become a designated router, the one with the highest priority wins. This option prevents the DR from changing too often. The DR option applies only to a share-media interface, such as Ethernet or FDDI; a DR is not elected on a point-to-point type interface. A router with a priority of 0 is not eligible to become the DR.

passive {on | off}

Enabling this option puts the specified interface into passive mode; that is, hello packets are not sent from the interface. Putting an interface into passive mode means that no adjacencies are formed on the link. This mode enables the network associated with the specified interface to be included in intra-area route calculation rather than redistributing the network into OSPF and having it function as an autonomous system external.

authtype

cryptographic key <key> algorithm <algorithm> secret <secret>

none

simple <password>

Specifies which type of authentication scheme to use for a given OSPF link. This feature guarantees that routing information is accepted only from trusted routers.

In general, all routers on an OSPF interface or link must agree on the OSPF authentication settings to form OSPF adjacencies. The OSPF authentication algorithm creates a crypto checksum of an OSPF packet and an authentication key. The receiving router performs a calculation using the correct authentication key and discards the OSPF packet, if the key does not match. In addition, the receiving router keeps a sequence number to prevent the replay of older OSPF packets.

Options are:

• none: Does not authenticate OSPF packets.

  This is the default option.

• simple: Provides little protection, because the key is sent in the clear, and it is possible to capture packets from the network and learn the authentication key. Uses an alphanumeric key from 1 to 8 characters.

• cryptographic: Provides much stronger protection with the OSPFv2 HMAC-SHA authentication (RFC 5709). Authentication guarantees that routing information is accepted only from trusted routers. This OSPFv2 HMAC-SHA authentication is backward-compatible with the OSPFv2 MD5 authentication feature.

  For cryptographic authentication, you must configure at least one key - with Key ID, Algorithm, and Secret.

  If you configure multiple keys:

  • When transmitting OSPF packets, Gaia uses the key with the highest Key ID. Gaia includes a message digest or message authentication code in the outgoing OSPF packets to enable receivers to authenticate them.
  • When transmitting OSPF packets, Gaia accepts all the keys.

  Configuration:

  • key - Enter an integer value from 1 to 255.
  • algorithm - Select a cryptographic authentication algorithm. The available algorithms are listed in the decreasing order of their cryptographic strength:

    Important - Both OSPF sides must agree on these settings for the OSPF authentication to work.

    • hmac-sha-512 - Provides a cryptographic SHA-512 hash based on the configured secret.
    • hmac-sha-384 - Provides a cryptographic SHA-384 hash based on the configured secret.
    • hmac-sha-256 - Provides a cryptographic SHA-256 hash based on the configured secret. We recommend this algorithm for best interoperability.
    • hmac-sha-1 - Provides a cryptographic SHA-1 hash based on the configured secret.
    • md5 - Provides a cryptographic MD5 hash based on the configured key.
  • secret - Enter a shared secret for cryptographic authentication.
    • For HMAC - Alphanumeric key from 1 to 80 characters.
    • For MD5 - Alphanumeric key from 1 to 16 characters.

ip-reachability-detection {on | off}

Sets Bidirectional Forwarding Detection for OSPF peers. You can set Bidirectional Forwarding Detection (BFD) on each OSPF Security Gateway and cluster member that sends or receives BFD packets.

Before you begin:

• Make sure the firewall policy passes UDP port 3784 in both directions.
• Make sure the SmartConsole topology is correct (issues with incorrect firewall topology can cause anti-spoofing to interfere with BFD traffic).

subtract-authlen {on | off}

Subtract the size of the authentication information from the advertised interface MTU, which leads to an MTU mismatch with newer versions.

Use this option when you configure OSPF over a Virtual Link with older versions of the IPSO OS (4.x and lower) or Gaia OS (R76 and lower).

set ospf [instance <1-65535>] area backbone virtual-link <ip_address> transit-area <ospf_area>

{on | off}

authtype

cryptographic key <key> {off | algorithm <algorithm> secret <secret>}

none

simple <password>

dead interval {default | <1-4294967295>}

hello-interval {default | <1-65535>}

retransmit-interval {default | <1-4294967295>}

[instance <1-65535>]

Enter the applicable instance number. The configuration is applicable to OSPF Multiple Instances.

virtual-link <ip_address>

Specifies the Router ID of the other endpoint for this Virtual Link.

transit-area <ospf_area> {on | off}

Specifies the transit area, which is a specified OSPF area you configure using the set ospf area command. Configure the OSPF area you are using as the transit area before you configure the Virtual Link. The transit area is the area shared by the border router, on which you configure the Virtual Link and the router with an interface in the backbone area. Traffic between the endpoints of the Virtual Link flow through this area..

hello-interval {default | <1-65535>}

Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value must be the same on all routers or adjacencies do not form.

Default: 10 seconds.

dead-interval {default | <1-4294967295>}

Specifies the number of seconds after which a router stops receiving hello packets that it declares the neighbor down. Generally, you should set this value at 4 times the value of the hello interval. Do not set the value at 0. For a given link, this value must be the same on all routers or adjacencies do not form.

Default: 40 seconds.

retransmit-interval {default | <1-4294967295>}

Specifies the number of seconds between link state advertisement transmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, at a significantly higher value than the expected round-trip delay between any two routers on the attached network.

Default: 5 seconds.

authtype

cryptographic key <key> algorithm <algorithm> secret <secret>

none

simple <password>

Specifies which type of authentication scheme to use for a given OSPF link. This feature guarantees that routing information is accepted only from trusted routers.

In general, all routers on an OSPF interface or link must agree on the OSPF authentication settings to form OSPF adjacencies. The OSPF authentication algorithm creates a crypto checksum of an OSPF packet and an authentication key. The receiving router performs a calculation using the correct authentication key and discards the OSPF packet, if the key does not match. In addition, the receiving router keeps a sequence number to prevent the replay of older OSPF packets.

Options are:

• none: Does not authenticate OSPF packets.

  This is the default option.

• simple: Provides little protection, because the key is sent in the clear, and it is possible to capture packets from the network and learn the authentication key. Uses an alphanumeric key from 1 to 8 characters.

• cryptographic: Provides much stronger protection with the OSPFv2 HMAC-SHA authentication (RFC 5709). Authentication guarantees that routing information is accepted only from trusted routers. This OSPFv2 HMAC-SHA authentication is backward-compatible with the OSPFv2 MD5 authentication feature.

  For cryptographic authentication, you must configure at least one key - with Key ID, Algorithm, and Secret.

  If you configure multiple keys:

  • When transmitting OSPF packets, Gaia uses the key with the highest Key ID. Gaia includes a message digest or message authentication code in the outgoing OSPF packets to enable receivers to authenticate them.
  • When transmitting OSPF packets, Gaia accepts all the keys.

  Configuration:

  • key - Enter an integer value from 1 to 255.
  • algorithm - Select a cryptographic authentication algorithm. The available algorithms are listed in the decreasing order of their cryptographic strength:

    Important - Both OSPF sides must agree on these settings for the OSPF authentication to work.

    • hmac-sha-512 - Provides a cryptographic SHA-512 hash based on the configured secret.
    • hmac-sha-384 - Provides a cryptographic SHA-384 hash based on the configured secret.
    • hmac-sha-256 - Provides a cryptographic SHA-256 hash based on the configured secret. We recommend this algorithm for best interoperability.
    • hmac-sha-1 - Provides a cryptographic SHA-1 hash based on the configured secret.
    • md5 - Provides a cryptographic MD5 hash based on the configured key.
  • secret - Enter a shared secret for cryptographic authentication.
    • For HMAC - Alphanumeric key from 1 to 80 characters.
    • For MD5 - Alphanumeric key from 1 to 16 characters.

show ospf

instance <OSPF_instance_number>

border-routers

database

area {backbone | <area_id>}

areas [detailed]

asbr-summary-lsa [detailed]

checksum

database-summary

detailed

external-lsa [detailed]

network-lsa [detailed]

nssa-external-lsa [detailed]

opaque-lsa [detailed]

router-lsa [detailed]

summary-lsa [detailed]

type {1 | 2 | 3 | 4 | 5 | 6 | 7}

errors {dd | hello | ip | lsack | lsr | lsu | protocol}

events

interface <interface_name> [detailed | stats]

interfaces [detailed | stats]

neighbor <neighbor_IP> [detailed]

neighbors [detailed]

packets

routemap

summary

show ospf instance <OSPF_instance_number> neighbors [detailed]

show route ospf