FortiGate
rmetzger
Staff
Article Id 189487

Purpose

This article describes the basic steps to configure FortiGates in an OSPF scenario in which one FortiGate (FGT1) is both an ABR and an ASBR across three areas: the backbone area 0.0.0.0, a normal area 0.0.0.1 and a stub area 0.0.0.2.

It includes the network diagram, requirements, configuration, and routing tables of all FortiGates.

Scope
•    All FortiGate models
•    FortiGate or VDOMs in NAT mode only
•    FortiOS v4.0 and v3.0

Diagram
The following network diagram is used for this example (image ospf_asbr_abr.jpg, not reproduced here). The topology, as read from the configurations below:

•    FGT1 (router ID 10.0.0.1): internal 192.168.182.151/23 in area 0.0.0.0, port1 10.141.0.151/23 in area 0.0.0.1, port8 10.142.0.151/23 in area 0.0.0.2 (stub); default route and other static routes via 192.168.183.254 on internal
•    FGT2 (router ID 10.0.0.2): port1 10.141.0.152/23 in area 0.0.0.1, internal 10.2.2.1/24
•    FGT3 (router ID 10.0.0.3): port8 10.142.0.155/23 in area 0.0.0.2 (stub), internal 10.3.3.1/24

Expectations, Requirements
•    FGT1 has a static default route and several other static routes that must not be injected into area 0.0.0.2, hence area 0.0.0.2 is configured as a STUB area: a stub area receives no Type 5 external LSAs, so the redistributed statics never reach FGT3 (see #1#)
•    FGT1 automatically becomes an ASBR because it redistributes those static routes into OSPF; they appear in area 0.0.0.1 as E2 routes (see #2#)
•    FGT1 is also automatically an ABR because it is the border router between all 3 areas
•    FGT1 should announce a default route into area 0.0.0.1 only if it has a default route in its own routing table; this is what default-information-originate without the "always" option does (see #3#). Into the stub area 0.0.0.2, FGT1 as ABR originates a default summary (Type 3) LSA as part of stub-area behaviour, which is why FGT3 learns its default as O*IA rather than O*E2
•    All locally connected interfaces must have OSPF enabled and the corresponding subnets advertised as OSPF internal routes (O or O IA), not as externals (see #4#)


NOTE The use of loopback interfaces in this OSPF design is a simple rule that eases OSPF troubleshooting and administration: the OSPF router ID of each FortiGate is set to the address of its loopback interface (10.0.0.1, 10.0.0.2, 10.0.0.3), and that /32 is advertised into OSPF so each router is reachable by its router ID.

TECH TIP To enable OSPF on an interface, you only need to add a prefix covering its address to config network (see #4#); OSPF then runs on every interface whose address falls within that prefix, in the area given for that entry (area 0.0.0.0 if no area is set). To enable all interfaces with a single entry you can use "set prefix 0.0.0.0 0.0.0.0", but be aware that this also starts OSPF hellos on Internet-facing or other untrusted interfaces. On a production device, prefer explicit prefixes, or declare such interfaces passive with "set passive-interface" under config router ospf.
Configuration
NOTE : Only the relevant parts of the configuration are given (interfaces and OSPF settings). The allowaccess lists shown are lab settings: http and telnet carry management credentials in clear text and should not be enabled on production interfaces, least of all the Internet-facing one.

•    FGT1

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port1"
        set vdom "root"
        set ip 10.141.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port8"
        set vdom "root"
        set ip 10.142.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type loopback
    next
end
config router static
    edit 1
        set device "internal"
        set gateway 192.168.183.254
    next
    edit 2
        set device "internal"
        set dst 10.5.2.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 3
        set device "internal"
        set dst 10.6.2.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 4
        set device "internal"
        set dst 10.6.3.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 5
        set device "internal"
        set dst 10.6.6.0 255.255.255.0
        set gateway 192.168.183.254
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
            set authentication md5
        next
        edit 0.0.0.2
            set type stub                               #1#
        next
    end
    set default-information-originate enable            #3#
    config network
        edit 1
            set area 0.0.0.2
            set prefix 10.142.0.0 255.255.0.0           #4#
        next
        edit 2
            set area 0.0.0.1
            set prefix 10.141.0.0 255.255.0.0           #4#
        next
        edit 3
            set prefix 10.0.0.1 255.255.255.255         #4#
        next
        edit 4
            set prefix 192.168.182.0 255.255.254.0      #4#
        next
    end
    config ospf-interface
        edit "area1_port1"
            set authentication md5
            set cost 10
            set interface "port1"
            set ip 10.141.0.151
            set md5-key 1 "fortinet"
        next
    end
    config redistribute "static"
        set status enable                               #2#
    end
    set router-id 10.0.0.1
end

NOTE : In this FGT1 configuration an ospf-interface entry was created for port1 (area 0.0.0.1) to set parameters beyond the defaults (cost and the MD5 key). This was not needed for port8 (area 0.0.0.2), which runs with default interface settings; since area 0.0.0.2 has no authentication configured, hellos on that link are unauthenticated, so enable MD5 on area 0.0.0.2 as well if the link to FGT3 is not fully trusted. Network entries 3 and 4 have no "set area", so the loopback and the internal subnet are placed in the backbone area 0.0.0.0 (the default). The key "fortinet" is a sample value: MD5 authentication only proves that a neighbor knows the shared key (it does not encrypt anything), so use a long random key in production.


•    FGT2


config system interface
    edit "internal"
        set vdom "root"
        set ip 10.2.2.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next

    edit "port1"
        set vdom "root"
        set ip 10.141.0.152 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
    next
end

config router ospf
    config area
        edit 0.0.0.1
            set authentication md5
        next
    end
    config network
        edit 1
            set area 0.0.0.1
            set prefix 10.141.0.0 255.255.0.0           #4#
        next
        edit 2
            set area 0.0.0.1
            set prefix 10.2.2.0 255.255.255.0           #4#
        next
        edit 3
            set area 0.0.0.1
            set prefix 10.0.0.2 255.255.255.255         #4#
        next
    end
    config ospf-interface
        edit "area1_port1"
            set authentication md5
            set cost 10
            set interface "port1"
            set ip 10.141.0.152
            set md5-key 1 "fortinet"
        next
    end
    set router-id 10.0.0.2
end

NOTE : In this FGT2 configuration an ospf-interface entry was likewise created for port1 (area 0.0.0.1) to set the cost and the MD5 key. The key ID (1) and the key string must match FGT1's entry on the same link, otherwise FGT1 silently drops FGT2's hellos and no adjacency forms.


•    FGT3


config system interface
    edit "internal"
        set vdom "root"
        set ip 10.3.3.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port8"
        set vdom "root"
        set ip 10.142.0.155 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback3"
        set vdom "root"
        set ip 10.0.0.3 255.255.255.255
        set type loopback
    next
end

config router ospf
    config area
        edit 0.0.0.2
            set type stub                               #1#
        next
    end
    config network
        edit 1
            set area 0.0.0.2
            set prefix 10.142.0.0 255.255.0.0           #4#
        next
        edit 2
            set area 0.0.0.2
            set prefix 10.0.0.3 255.255.255.255         #4#
        next
    end
    set router-id 10.0.0.3
end

NOTE : FGT3 needs no ospf-interface entry: port8 runs with default settings, and the area 0.0.0.2 settings (stub, no authentication) match FGT1's, which is required for the adjacency to form. Note also that FGT3's internal subnet 10.3.3.0/24 is not covered by any config network entry, so it is not advertised and does not appear in FGT1's or FGT2's routing tables below; add a network entry with "set prefix 10.3.3.0 255.255.255.0" in area 0.0.0.2 if that subnet must be reachable through OSPF.
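The script below is an added example for this article, not code from the original page or from FortiOS. It parses a "config router ospf" block written in the CLI format used above and reports the points raised in the TECH TIP and in the notes: an area with no authentication, a "set prefix 0.0.0.0 0.0.0.0" network entry that enables OSPF on every interface, and an MD5 key shorter than a chosen minimum. The configuration it checks is constructed for the example from FGT1's areas and ospf-interface with a wildcard network entry added; the 16-character key threshold is the example's own choice, not a FortiOS rule.

```python
"""Lint a FortiOS `config router ospf` block for OSPF exposure and auth gaps.

Added example, not code from the original article or from FortiOS.
"""
import shlex

# Constructed sample: FGT1's areas and ospf-interface entry combined with a
# wildcard network entry as described in the TECH TIP.
SAMPLE_CONFIG = """
config router ospf
    config area
        edit 0.0.0.1
            set authentication md5
        next
        edit 0.0.0.2
            set type stub
        next
    end
    set default-information-originate enable
    config network
        edit 1
            set area 0.0.0.1
            set prefix 10.141.0.0 255.255.0.0
        next
        edit 2
            set area 0.0.0.2
            set prefix 0.0.0.0 0.0.0.0
        next
    end
    config ospf-interface
        edit "area1_port1"
            set authentication md5
            set cost 10
            set interface "port1"
            set md5-key 1 "fortinet"
        next
    end
    config redistribute "static"
        set status enable
    end
    set router-id 10.0.0.1
end
"""

MIN_KEY_LEN = 16  # the example's own threshold, not a FortiOS rule


def parse_fortios(text):
    """Turn nested config/edit/set/next/end lines into nested dicts.

    `config a b` and `edit x` open a table, `set k v...` stores the value
    list on the current table, `next` and `end` close it.  Anything after
    a '#' (the article's #n# markers) is ignored.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        kw, args = words[0], words[1:]
        current = stack[-1] if stack else root
        if kw in ("config", "edit"):
            stack.append(current.setdefault(" ".join(args), {}))
        elif kw == "set":
            current[args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            stack.pop()
    return root


def lint_ospf(cfg):
    """Return a list of human-readable findings for the OSPF section."""
    ospf = cfg.get("router ospf", {})
    findings = []
    # Areas: authentication defaults to none, so any host on the link can
    # form an adjacency and inject LSAs.
    for name, area in ospf.get("area", {}).items():
        if area.get("authentication", ["none"])[0] == "none":
            findings.append(f"area {name}: no authentication configured")
    # Network entries: a 0.0.0.0/0.0.0.0 prefix enables OSPF on every
    # interface, Internet-facing ones included; area defaults to 0.0.0.0.
    for idx, net in ospf.get("network", {}).items():
        area = net.get("area", ["0.0.0.0"])[0]
        if net.get("prefix") == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"network {idx} (area {area}): wildcard prefix "
                            "enables OSPF on all interfaces")
    # ospf-interface entries: with MD5 the shared key is the whole secret.
    for name, oi in ospf.get("ospf-interface", {}).items():
        key = oi.get("md5-key")
        if oi.get("authentication", ["none"])[0] == "md5" and key:
            key_id, secret = key[0], key[1]
            if len(secret) < MIN_KEY_LEN:
                findings.append(f"ospf-interface {name}: md5-key {key_id} is "
                                f"{len(secret)} characters, below {MIN_KEY_LEN}")
    return findings


if __name__ == "__main__":
    for finding in lint_ospf(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports three findings: area 0.0.0.2 without authentication, network entry 2 with the wildcard prefix, and the 8-character key "fortinet". Feed it the output of "show router ospf" from a real device (the same nested format) to run the same checks there.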

Verification

Verify the OSPF neighbors and routing tables on each FortiGate. Things to confirm against the design: FGT1 has one Full adjacency per non-backbone area (it lists each neighbor as DR, so FGT1 itself is the BDR on both links, which the FGT2 and FGT3 output confirms with Full/Backup); FGT2 learns the default route and the four statics as O E2, because FGT1 is the ASBR (#2 and #3); FGT3, in the stub area, learns no E2 route at all and only an O*IA default (#1); the loopbacks and transit subnets appear as O or O IA, never as externals (#4).

•    FGT1

FGT1 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/DR         00:00:35    10.141.0.152    port1
10.0.0.3          1   Full/DR         00:00:30    10.142.0.155    port8

FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 10.141.0.152, port1, 01:34:05
O       10.0.0.3/32 [110/110] via 10.142.0.155, port8, 01:23:04
O       10.2.2.0/24 [110/20] via 10.141.0.152, port1, 02:54:11
S       10.5.2.0/24 [10/0] via 192.168.183.254, internal
S       10.6.2.0/24 [10/0] via 192.168.183.254, internal
S       10.6.3.0/24 [10/0] via 192.168.183.254, internal
S       10.6.6.0/24 [10/0] via 192.168.183.254, internal
C       10.141.0.0/23 is directly connected, port1
C       10.142.0.0/23 is directly connected, port8
C       10.160.0.0/23 is directly connected, external
C       192.168.182.0/23 is directly connected, internal


•    FGT2

FGT2 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/Backup     00:00:31    10.141.0.151    port1

FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 10.141.0.151, port1, 02:55:11
O IA    10.0.0.1/32 [110/110] via 10.141.0.151, port1, 01:35:18
C       10.0.0.2/32 is directly connected, lback2
O IA    10.0.0.3/32 [110/120] via 10.141.0.151, port1, 01:23:54
C       10.2.2.0/24 is directly connected, internal
O E2    10.5.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2    10.6.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2    10.6.3.0/24 [110/10] via 10.141.0.151, port1, 01:00:46
O E2    10.6.6.0/24 [110/10] via 10.141.0.151, port1, 01:00:30
C       10.141.0.0/23 is directly connected, port1
O IA    10.142.0.0/23 [110/20] via 10.141.0.151, port1, 02:55:11
C       10.160.0.0/23 is directly connected, external


•    FGT3

FGT3 # get router info ospf  neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/Backup     00:00:37    10.142.0.151    port8

FGT3 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*IA    0.0.0.0/0 [110/20] via 10.142.0.151, port8, 02:53:09
O IA    10.0.0.1/32 [110/110] via 10.142.0.151, port8, 01:36:17
O IA    10.0.0.2/32 [110/120] via 10.142.0.151, port8, 01:35:55
C       10.0.0.3/32 is directly connected, lback3
O IA    10.2.2.0/24 [110/30] via 10.142.0.151, port8, 02:53:09
C       10.3.3.0/24 is directly connected, internal
O IA    10.141.0.0/23 [110/20] via 10.142.0.151, port8, 02:53:09
C       10.142.0.0/23 is directly connected, port8
C       10.160.0.0/23 is directly connected, external

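The following script is an added example, not code from the original article or from FortiOS. It parses the text that "get router info routing-table all" prints and checks expectations #1 to #4 mechanically: no external routes and an inter-area default on the stub router, E2 default and E2 statics on the router facing the ASBR, and internal (O or O IA) routes for the loopbacks and transit subnets. The sample tables are the route lines copied from the three outputs above (legend omitted); the last check deliberately looks for FGT3's 10.3.3.0/24 on FGT1, which is absent because FGT3 does not advertise it.

```python
"""Verify FortiGate routing tables against the article's OSPF design.

Added example, not code from the original article or from FortiOS.
"""
import re
from collections import namedtuple

Route = namedtuple("Route", "proto sub candidate prefix metric iface")

# Route lines copied from the article's tables (legend omitted).
FGT1_TABLE = """
S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 10.141.0.152, port1, 01:34:05
O       10.0.0.3/32 [110/110] via 10.142.0.155, port8, 01:23:04
O       10.2.2.0/24 [110/20] via 10.141.0.152, port1, 02:54:11
S       10.5.2.0/24 [10/0] via 192.168.183.254, internal
C       10.141.0.0/23 is directly connected, port1
C       10.142.0.0/23 is directly connected, port8
"""
FGT2_TABLE = """
O*E2    0.0.0.0/0 [110/10] via 10.141.0.151, port1, 02:55:11
O IA    10.0.0.1/32 [110/110] via 10.141.0.151, port1, 01:35:18
C       10.0.0.2/32 is directly connected, lback2
O IA    10.0.0.3/32 [110/120] via 10.141.0.151, port1, 01:23:54
C       10.2.2.0/24 is directly connected, internal
O E2    10.5.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2    10.6.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2    10.6.3.0/24 [110/10] via 10.141.0.151, port1, 01:00:46
O E2    10.6.6.0/24 [110/10] via 10.141.0.151, port1, 01:00:30
C       10.141.0.0/23 is directly connected, port1
O IA    10.142.0.0/23 [110/20] via 10.141.0.151, port1, 02:55:11
"""
FGT3_TABLE = """
O*IA    0.0.0.0/0 [110/20] via 10.142.0.151, port8, 02:53:09
O IA    10.0.0.1/32 [110/110] via 10.142.0.151, port8, 01:36:17
O IA    10.0.0.2/32 [110/120] via 10.142.0.151, port8, 01:35:55
C       10.0.0.3/32 is directly connected, lback3
O IA    10.2.2.0/24 [110/30] via 10.142.0.151, port8, 02:53:09
C       10.3.3.0/24 is directly connected, internal
O IA    10.141.0.0/23 [110/20] via 10.142.0.151, port8, 02:53:09
C       10.142.0.0/23 is directly connected, port8
"""

# Code column ("O*E2", "O IA", "S*", "C"), prefix, then either
# "[ad/metric] via next-hop, iface" or "is directly connected, iface".
# Legend lines such as "O - OSPF, IA - OSPF inter area" do not match.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<star>\*?)\s?(?P<sub>IA|E1|E2|N1|N2)?\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via [\d.]+, (?P<iface>\w+)"
    r"|is directly connected, (?P<ciface>\w+))"
)


def parse_routing_table(text):
    """Return the Route entries found in routing-table output."""
    routes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            routes.append(Route(m["proto"], m["sub"] or "", bool(m["star"]),
                                m["prefix"], int(m["metric"] or 0),
                                m["iface"] or m["ciface"]))
    return routes


def check_stub_router(routes):
    """#1: a stub-area router holds no E1/E2 route, and its only default
    is the inter-area (O*IA) one injected by the ABR."""
    defaults = [(r.proto, r.sub) for r in routes if r.prefix == "0.0.0.0/0"]
    return (not any(r.sub in ("E1", "E2") for r in routes)
            and defaults == [("O", "IA")])


def check_asbr_neighbour(routes, redistributed):
    """#2 and #3: a normal-area router sees the ASBR's statics and the
    default-information-originate default as O E2."""
    e2 = {r.prefix for r in routes if (r.proto, r.sub) == ("O", "E2")}
    return set(redistributed) <= e2 and "0.0.0.0/0" in e2


def check_internal(routes, subnets):
    """#4: every subnet is present as intra-area (O) or inter-area (O IA)."""
    by_prefix = {r.prefix: r for r in routes}
    return all(p in by_prefix and by_prefix[p].proto == "O"
               and by_prefix[p].sub in ("", "IA") for p in subnets)


def verify_design():
    """Run the checks on the three sample tables; returns name -> pass."""
    fgt1, fgt2, fgt3 = (parse_routing_table(t)
                        for t in (FGT1_TABLE, FGT2_TABLE, FGT3_TABLE))
    statics = ["10.5.2.0/24", "10.6.2.0/24", "10.6.3.0/24", "10.6.6.0/24"]
    return {
        "fgt3_stub": check_stub_router(fgt3),
        "fgt2_sees_asbr_routes": check_asbr_neighbour(fgt2, statics),
        "fgt2_internal": check_internal(
            fgt2, ["10.0.0.1/32", "10.0.0.3/32", "10.142.0.0/23"]),
        "fgt1_internal": check_internal(fgt1, ["10.0.0.2/32", "10.2.2.0/24"]),
        # FGT3 has no config network entry for 10.3.3.0/24, so FGT1 never
        # learns it: this check is expected to fail on the article's tables.
        "fgt1_sees_fgt3_lan": check_internal(fgt1, ["10.3.3.0/24"]),
    }


if __name__ == "__main__":
    for name, ok in verify_design().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Paste the live output of "get router info routing-table all" in place of the sample strings after a change and the same checks tell you immediately whether the stub filtering, the ASBR redistribution and the internal advertisements still behave as designed.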

Troubleshooting
Use the OSPF router command to check the neighbors, interfaces and LSDB:

get router info ospf <subcommand>


FGT# get router info ospf ?
database          show ospf database information
interface         show ospf interfaces
route             show ospf routing table
neighbor          show ospf neighbors
border-routers    show ospf border routers
status            show ospf status
virtual-links     show ospf virtual links

Typical checks: a neighbor that never appears on a link where area authentication is enabled usually means mismatched MD5 key IDs or keys (authentication failures drop the hellos); a stub/non-stub mismatch between the two ends of a link has the same effect, because the hello options do not agree. "get router info ospf interface" shows the area and cost actually applied to each interface, which is the quickest way to confirm that a config network prefix matched the interface you intended.

For advanced troubleshooting, enable the OSPF debug trace, and disable it again when done, as it is verbose:

FGT# diag ip router ospf all enable
FGT# diag ip router ospf level info
FGT# diag debug enable

FGT# diag ip router ospf all disable
FGT# diag debug disable

Related Articles

Technical Note : OSPF route redundancy over 2 VPN IPSec tunnels

Technical Tip: How to redistribute a default route in OSPF

Technical Note : simple OSPF configuration with 2 FortiGates in the same area

Technical Note : OSPF route summarization for LSAs Type3 (on ABR) and Type5 (on ASBR)
