Create core elements for dynamic routing

Create the elements that contain dynamic routing configuration information. The elements can be used in multiple Firewalls, Virtual Firewalls, and Firewall Clusters.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Other Elements > Dynamic Routing Elements.
  3. Browse to BGP Elements, OSPFv2 Elements, or PIM Elements.
  4. Right-click the type of element that you want to create, then select New <element type>.
  5. Adjust the properties as needed, then click OK.

BGP Profile Properties dialog box

Use this dialog box to create a BGP Profile element.

For information about Quagga syntax, see http://www.nongnu.org/quagga/docs.html.

Option Definition
General tab
Name The name of the element.
Port The port to use for BGP communications.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Distance tab
External (eBGP) Enter the administrative distance for external BGP routes.
Internal (iBGP) Enter the administrative distance for internal BGP routes.
Local (Aggregation) Enter the administrative distance for local BGP routes.
Subnets table

Click Add to add a row to the table, or Remove to remove the selected row.

Subnet Double-click the cell to select a network element that represents the subnet to aggregate.
Administrative Distance Enter the administrative distance of the subnet.
Option Definition
Redistribution tab
Redistribute routes from table

Select the check box next to the sources from where you want to redistribute routes.

Source The available sources are:
  • Kernel — Uses the redistribute kernel command.
  • Static — Uses the redistribute static command.

    If selected, the SMC sends the routes generated in routing to Quagga to be distributed in a static way. NetLink routes are skipped, and routes using dynamic interfaces are currently not supported.

  • Connected — Uses the redistribute connected command.
  • OSPFv2 — Uses the redistribute ospf command.
Filter Double-click the cell to select a route map that you want to use as a filter.
Seed Metric If you do not want to use an automatic seed metric value, enter the value for the redistribute <source> metric command.
Option Definition
Aggregation tab

Click Add to add a row to the table, or Remove to remove the selected row.

Subnet Double-click the cell to select a network element that represents the subnet to aggregate.
Aggregation Mode Uses the aggregate-address command. Select from the following:
  • Aggregate — Uses the aggregate-address $ command.
  • Aggregate with AS Set — Uses the aggregate-address $ as-set command.
  • Summary Only — Uses the aggregate-address $ summary-only command.
  • Aggregate with AS Set and Summary — Uses the aggregate-address $ as-set summary-only command.

Autonomous System Properties dialog box

Use this dialog box to create an Autonomous System element.

Option Definition
Name The name of the element.
Autonomous System (AS) Number Enter the Autonomous System (AS) number in decimal notation. Move the mouse cursor over the number to see the number in dot notation.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
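The dialog box accepts the AS number in decimal ("asplain") notation and shows the "asdot" form on mouse-over. The following added example (not part of the SMC product) converts between the two forms as defined in RFC 5396, and flags the IANA private-use ranges from RFC 6996 that the Remove Private AS option on BGP Peering elements is meant to strip (the exact range handling is Quagga's; the function follows the RFC).

```python
# Added example (not SMC product code): asplain <-> asdot conversion per
# RFC 5396, plus an RFC 6996 private-use range check.

def asplain_to_asdot(asn):
    """Render a 4-byte AS number in asdot notation (high16.low16).

    Numbers below 65536 are 2-byte ASNs and are shown unchanged."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("AS number must be in 0..4294967295")
    if asn < 65536:
        return str(asn)
    high, low = divmod(asn, 65536)
    return f"{high}.{low}"


def asdot_to_asplain(text):
    """Parse either form (for example '65000' or '64086.59904') into an int."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"asdot components out of range: {text}")
        return high * 65536 + low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"AS number out of range: {text}")
    return asn


def is_private_asn(asn):
    """True for the IANA private-use ranges (RFC 6996):
    64512-65534 and 4200000000-4294967294."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


if __name__ == "__main__":
    for value in (65000, 65536, 4200000000):
        print(value, "->", asplain_to_asdot(value), "private" if is_private_asn(value) else "public")
```

Note that 65535 and 4294967295 are reserved rather than private, so the range check deliberately excludes them.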

BGP Peering Properties dialog box

Use this dialog box to create a BGP Peering element.

For information about Quagga syntax, see http://www.nongnu.org/quagga/docs.html.

Option Definition
General tab
Name The name of the element.
Connection Profile To select the BGP Connection Profile to use, click Select.
TCP MD5 Password Enter the TCP MD5 password used to authenticate to other BGP peers. Uses the command password $. If you do not enter a password, the password defined in the BGP Connection Profile is used. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Note: The password is shown in plain text when previewing the configuration in Quagga format.
Filter Type The type of filter to use as an inbound or outbound filter.
Inbound Filter Double-click the cell to select the Access List or Route Map to use as an inbound filter.
Outbound Filter Double-click the cell to select the Access List or Route Map to use as an outbound filter.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Advanced tab
Local AS (eBGP Only) Uses the local-as command. Select from the following:
  • Not Set — The command is not used.
  • prepend — Uses the local-as $ command.
  • no-prepend — Uses the local-as $ no-prepend command.
  • no-prepend and replace as — Uses the local-as $ no-prepend replace-as command.
If you select prepend, no-prepend, or no-prepend and replace as, enter the Autonomous System (AS) number in decimal notation in the field to the right. Move the mouse cursor over the number to see the number in dot notation.
Maximum Prefix Uses the maximum-prefix command. Select from the following:
  • Not Enabled — The command is not used.
  • Enabled — Uses the maximum-prefix $ command.
  • Warning Only — Uses the maximum-prefix $ warning-only command.
If you select Enabled or Warning Only, enter the value (1-128) in the field to the right.
Send Community Uses the send-community command. Select from the following:
  • No — The command is not used.
  • Standard — Uses the send-community standard command.
  • Extended — Uses the send-community extended command.
  • Standard and Extended — Uses the send-community both command.
Connected Check Uses the disable-connected-check command. Select from the following:
  • Disabled — The command is used.
  • Enabled — The command is not used.
  • Automatic — The command is not used when the BGP Peering element is added to a directly connected network. Otherwise, it is used.
TTL Check Mechanism Select from the following:
  • Disabled — There is no TTL check.
  • TTL Security — Uses the ttl-security command.
  • eBGP Multihop — Uses the ebgp-multihop command.
If you select TTL Security or eBGP Multihop, and you do not want the hops value to be calculated automatically, enter the value manually in the Hops Value field.
Remove Private AS (eBGP Only) Uses the remove-private-AS command.
Soft Reconfiguration Inbound Uses the soft-reconfiguration inbound command.
Don't Send Capabilities Uses the dont-capability-negotiate command.
Override Received Capabilities Uses the override-capability command.
Route Reflector Client (iBGP Only) Uses the route-reflector-client command.
Next Hop Self Uses the next-hop-self command.
Outbound Route Filtering (ORF) Uses the capability orf prefix-list command. Select from the following:
  • Disabled — The command is not used.
  • Send — Uses the capability orf prefix-list send command.
  • Receive — Uses the capability orf prefix-list receive command.
  • Send and Receive — Uses the capability orf prefix-list both command.
IP Prefix Access List Shows the prefix list used for the Send and the Send and Receive options of the Outbound Route Filtering (ORF) command. To select the IP Prefix Access List, select the Access List as the inbound filter on the General tab.
Bidirectional Forwarding Detection

When selected, enables bidirectional forwarding detection (BFD).

Interval (ms) The interval at which the NGFW Engine sends BFD control packets. The default is 1800 milliseconds.
Min RX (ms) The length of time that the NGFW Engine waits for a reply. If the NGFW Engine does not receive a reply within the specified length of time, the neighbor is considered to have failed.

The default is 400 milliseconds.

Multiplier A numeric value from 1 to 20 that is used in BFD failure detection. The default is 3.
Passive Mode When selected, the NGFW Engine does not send BFD control packets unless it receives at least 1 valid packet from a neighbor.
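Several options on this tab map to Quagga bgpd commands that protect the session: the TCP MD5 password, Maximum Prefix, the TTL Check Mechanism, and the inbound and outbound filters. The following added example (not part of the SMC product or of Quagga) audits a configuration preview in Quagga format and lists, per neighbor, which of those protections are absent. It assumes the preview uses the standard Quagga `neighbor <peer> <option>` syntax; the sample preview text is constructed for the example.

```python
# Added example (not SMC or Quagga code): audit a Quagga bgpd preview for
# neighbors missing the protective options described on this page.
import re
from collections import defaultdict

# Constructed sample preview in Quagga bgpd format.
SAMPLE_PREVIEW = """\
router bgp 65000
 bgp router-id 192.0.2.1
 neighbor 198.51.100.7 remote-as 65001
 neighbor 198.51.100.7 password ExamplePassword
 neighbor 198.51.100.7 maximum-prefix 1000 warning-only
 neighbor 198.51.100.7 ttl-security hops 1
 neighbor 198.51.100.7 route-map FROM-PEER in
 neighbor 198.51.100.7 route-map TO-PEER out
 neighbor 198.51.100.9 remote-as 65002
 neighbor 198.51.100.9 ebgp-multihop 2
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 next-hop-self
"""

ROUTER_RE = re.compile(r"^\s*router bgp (\d+)\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) (.+?)\s*$")
# Quagga per-neighbor commands that act as an inbound/outbound filter.
FILTER_CMDS = ("route-map ", "prefix-list ", "distribute-list ", "filter-list ")


def parse_preview(text):
    """Return (local_as, {peer: [option, ...]}) from bgpd configuration text."""
    local_as = None
    peers = defaultdict(list)
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            peers[m.group(1)].append(m.group(2))
    return local_as, dict(peers)


def audit_neighbor(local_as, options):
    """Return a list of findings for one neighbor (empty when all checks pass)."""
    def has(cmd):
        # Matches the bare command and the command with arguments.
        return any(opt == cmd or opt.startswith(cmd + " ") for opt in options)

    def has_filter(direction):
        return any(opt.startswith(FILTER_CMDS) and opt.endswith(" " + direction)
                   for opt in options)

    remote_as = next((int(o.split()[1]) for o in options if o.startswith("remote-as ")), None)
    ebgp = remote_as is not None and remote_as != local_as

    findings = []
    if not has("password"):
        findings.append("no TCP MD5 password: session is not authenticated")
    if not has("maximum-prefix"):
        findings.append("no maximum-prefix: peer can flood the routing table")
    elif any(o.startswith("maximum-prefix ") and o.endswith(" warning-only") for o in options):
        findings.append("maximum-prefix is warning-only: session is not reset when the limit is exceeded")
    if ebgp and not (has("ttl-security") or has("ebgp-multihop")):
        findings.append("no TTL check (ttl-security or ebgp-multihop) on an eBGP session")
    if not has_filter("in"):
        findings.append("no inbound filter (route-map, prefix-list, distribute-list or filter-list)")
    if not has_filter("out"):
        findings.append("no outbound filter")
    return findings


def audit_preview(text):
    """Audit every neighbor in a preview; returns {peer: [finding, ...]}."""
    local_as, peers = parse_preview(text)
    return {peer: audit_neighbor(local_as, opts) for peer, opts in peers.items()}


if __name__ == "__main__":
    for peer, findings in audit_preview(SAMPLE_PREVIEW).items():
        print(peer, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The TTL check is only required for eBGP neighbors (those whose remote-as differs from the local AS), which is why the iBGP neighbor 192.0.2.2 in the sample is not flagged for it; the Warning Only variant of Maximum Prefix is reported separately because it logs but does not tear down the session.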

BGP Connection Profile Properties dialog box

Use this dialog box to create a BGP Connection Profile element.

Option Definition
Name The name of the element.
TCP MD5 Password Enter the TCP MD5 password used to authenticate to other BGP peers. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Note: The password is shown in plain text when previewing the configuration in Quagga format.
Timer Settings section
Session Keep Alive Timer Enter the value for the timers <keep alive value> <hold value> command in seconds.
Session Hold Timer Enter the value for the timers <keep alive value> <hold value> command in seconds.
Connect Retry Timer Enter the value for the timers connect $ command in seconds.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
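The Session Hold Timer in this dialog box and the Bidirectional Forwarding Detection settings on the BGP Peering Properties Advanced tab both bound how long a failed neighbor goes unnoticed. The following added example (not part of the SMC product) computes the BFD detection time in each direction between two engines, following RFC 5880, and places it beside the BGP hold time for comparison. The engine settings are constructed from this page's BFD defaults; the BGP hold time of 90 seconds used in the usage is an assumed value, as the page gives no default.

```python
# Added example (not SMC product code): BFD detection time per RFC 5880
# next to the BGP hold time configured in the BGP Connection Profile.

# This page's BFD defaults (Interval, Min RX, Multiplier), used as constructed input.
DEFAULTS = {"interval_ms": 1800, "min_rx_ms": 400, "multiplier": 3}


def bfd_tx_interval_ms(sender_interval_ms, receiver_min_rx_ms):
    """RFC 5880 section 6.8.7: a system never transmits faster than the peer's
    Required Min RX Interval, so the effective interval is the larger value."""
    return max(sender_interval_ms, receiver_min_rx_ms)


def bfd_detection_time_ms(local_min_rx_ms, remote_interval_ms, remote_multiplier):
    """RFC 5880 section 6.8.4, asynchronous mode: the Detection Time at the local
    system is the remote Detect Mult times the remote's effective transmit interval."""
    if not 1 <= remote_multiplier <= 20:   # range offered by the Multiplier field
        raise ValueError("Multiplier must be 1..20")
    return remote_multiplier * bfd_tx_interval_ms(remote_interval_ms, local_min_rx_ms)


def failure_detection_summary(local, remote, bgp_hold_s):
    """Detection time in both directions for two engines whose dialog box
    values are given as dicts (interval_ms, min_rx_ms, multiplier), plus the
    BGP hold timer in milliseconds for comparison."""
    return {
        "local_detects_remote_ms": bfd_detection_time_ms(
            local["min_rx_ms"], remote["interval_ms"], remote["multiplier"]),
        "remote_detects_local_ms": bfd_detection_time_ms(
            remote["min_rx_ms"], local["interval_ms"], local["multiplier"]),
        "bgp_hold_timer_ms": bgp_hold_s * 1000,
    }


if __name__ == "__main__":
    fast = {"interval_ms": 300, "min_rx_ms": 300, "multiplier": 3}
    # Assumed hold time of 90 s; the page gives no default for this field.
    print(failure_detection_summary(DEFAULTS, DEFAULTS, 90))
    print(failure_detection_summary(fast, DEFAULTS, 90))
```

With the page defaults on both sides the detection time is 3 x max(1800, 400) = 5400 ms in each direction: the 1800 ms Interval, not the 400 ms Min RX, is what governs, because the sender's own interval is already slower than what the receiver would accept. Lowering the timers on only one engine shortens detection in only one direction.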

External BGP Peer Properties dialog box

Use this dialog box to create an External BGP Peer element.

Option Definition
Name The name of the element.
IP Address The IP address of the external BGP Peer.
Port The port used to send the BGP routing information.
Autonomous System (AS) Select the Autonomous System element to use.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.

OSPFv2 Domain Settings dialog box

Use this dialog box to create an OSPFv2 Domain Settings element.

For information about Quagga syntax, see http://www.nongnu.org/quagga/docs.html.

Option Definition
Name The name of the element.
ABR Type Set the value for ospf abr-type. If an area border router (ABR) does not have a working connection to area 0 by the standard definition, it should not consider routes through non-backbone areas as valid.
  • Cisco — Uses an alternative algorithm as documented in RFC 3509. This option allows routing through non-backbone areas when the backbone link is down.
  • Standard — Uses the standard as defined in RFC 2328.
  • Shortcut — Allows routing through non-backbone areas when they offer a better route. For details, see https://www.ietf.org/archive/id/draft-ietf-ospf-shortcut-abr-02.txt.
Throttle Timer Settings section

Throttle timers define the time between consecutive shortest path first (SPF) calculations. The initial delay is the time between an event triggering SPF calculation and the calculation being complete.

Hold timers define the delay between SPF calculations. The timer increases from the initial hold time until the maximum hold time is reached. The hold time resets if SPF calculation is not triggered in adaptive hold time. This feature prevents SPF calculations from consuming resources.

Initial delay Set the value for the timers throttle spf delay command in milliseconds.
Initial Hold Time Set the value for the timers throttle spf initial-holdtime command in milliseconds.
Max Hold Time Set the value for timers throttle spf max-holdtime in milliseconds.
Max Metric Router LSA section

The link-state advertisement (LSA) metric settings can be used to route traffic around a router while it starts up or shuts down. This option causes transit links to be advertised at an infinite distance, causing the rest of the network to use alternative routes. This option requires redundant routes to be available.

On Startup Set the value for the max-metric router-lsa on-startup command in seconds.
On Shutdown Set the value for the max-metric router-lsa on-shutdown command in seconds.
Auto-Cost Reference Bandwidth Set the value for the auto-cost reference-bandwidth command in megabits per second. This value is used in OSPF cost calculation.
Deprecated Path Reference Algorithm (RFC 1583 Compatibility) Select this option for compatibility with RFC 1583. This option removes the routing loop prevention mechanism defined in RFC 2328. We do not recommend selecting this option.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.

OSPFv2 Profile dialog box

Use this dialog box to create an OSPFv2 Profile element.

Option Definition
General tab
Name The name of the element.
OSPFv2 Domain Settings Select the OSPFv2 Domain Settings element to use.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Distance tab

Intra area settings affect routes in the same area. Inter area settings affect routes advertised to other areas. The external distance changes the administrative distance of redistributed routes.

Intra Area Distance (O) Enter the distance value for the intra-area command.
Inter Area Distance (O IA) Enter the distance value for the inter-area command.
External Distance (E1-E2) Enter the distance value for the external command.
Option Definition
Redistribution tab

Use this tab to redistribute external routes to OSPF.

Default Metric Enter the value for the default-metric command.
OSPF Redistribute routes from table

Select the check box next to the sources from where you want to redistribute routes.

Source The available sources are:
  • Kernel — Uses the redistribute kernel command.
  • Static — Uses the redistribute static command.

    If selected, the SMC sends the routes generated in routing to Quagga to be distributed in a static way. NetLink routes are skipped, and routes using dynamic interfaces are currently not supported.

  • Connected — Uses the redistribute connected command.
  • BGP — Uses the redistribute bgp command.
  • Default Originate — Uses the default-information originate command.
Filter Double-click the cell to select a route map or IP access list that you want to use as a filter.
Metric Type Select the value for the redistribute <source> metric-type $ command.
Seed Metric If you do not want to use an automatic seed metric value, enter the value for the redistribute <source> metric command.

OSPFv2 Interface Settings dialog box

Use this dialog box to create an OSPFv2 Interface Settings element.

Option Definition
General tab
Name The name of the element.
Authentication Type Select the type of authentication to use. If you select Password, enter the password in the Password field. If you select Message Digest, select an OSPFv2 Key Chain element to use.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Advanced tab
Interface Cost Enter the interface cost value for the cost command.
Router Priority Enter the value for the priority command.
Retransmit Interval Enter the value for the retransmit-interval command in seconds.
Transmit Delay Enter the value for the transmit-delay command in seconds.
MTU mismatch detection Select this option to use the mtu-ignore option.
Hello Interval Type Select the type of hello interval to use.
  • Normal — You can enter the frequency that hello packets are sent in the Hello Interval field.
  • Fast Hello — The hello packets can be sent at more frequent intervals. Select the multiplier from the Dead Interval Multiplier drop-down list.
Hello Interval

(When Hello Interval Type is Normal)

Enter the value for the hello-interval command in seconds.
Dead Interval Multiplier

(When Hello Interval Type is Fast Hello)

Select a value from 1-10. The value for the dead-interval command is multiplied by this value.
Dead Interval Enter the value for the dead-interval command in seconds.

When Hello Interval Type is Fast Hello, the value is 1 second.

OSPFv2 Area dialog box

Use this dialog box to create an OSPFv2 Area element.

Option Definition
General tab
Name The name of the element.
Area ID Enter the ID for the area.
Area Type Select the type of area to use.
  • Normal — The area type is normal, as defined in RFC 2328.
  • Stub — The area type is stub.
  • Not so stubby — The area type is not so stubby, as defined in RFC 3101.
  • Totally stubby — The area type is totally stubby.
  • Totally nssa — The area type is totally not so stubby.
Default Interface Settings Select the OSPFv2 Interface Settings element to use for the OSPFv2 area.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
ABR tab

Click Add to add a row to the table, or Remove to remove the selected row.

Subnet To select the network, double-click the Subnet cell.
Summarized for other areas Select from the following options for the summary-address command:
  • Aggregate — Summarizes intra area paths from the specified area into one Type-3 summary-LSA that is announced to other areas.
  • Not-advertise — Uses the not-advertise option. Instead of summarizing intra area paths, they are filtered. The paths are not advertised to other areas.
  • Substitute with — Substitutes a summarized prefix with another prefix. Select the Network element to use as a substitute.
Area Default Cost Enter the value for the default-cost command.
Shortcut capable Area Uses the shortcut option.
Filter table

Select inbound and outbound filters for the IP Access List and IP Prefix List.

Option Definition
Virtual Links tab

Click Add to add a row to the table, or Remove to remove the selected row.

Add the router IDs for endpoints A and B. To use an alternative OSPFv2 Interface Settings element, double-click the Interface Settings cell.

OSPFv2 Key Chain dialog box

Use this dialog box to create an OSPFv2 Key Chain element.

Option Definition
Name The name of the element.
Key Chain table

Click Add to add a row to the table, or Remove to remove the selected row.

Send Key When you have several rows of keys, select which key is valid.
Key ID A unique identifier for the key.
Key Enter the key.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
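The Key ID and Key in the Key Chain table, selected through the Message Digest authentication type of an OSPFv2 Interface Settings element, are the inputs to OSPFv2 cryptographic authentication (RFC 2328, Appendix D). The following added example (not part of the SMC product or of Quagga) builds an OSPFv2 packet with the MD5 trailer and verifies a received packet against a key chain, including the sequence-number check that rejects replayed packets. The router IDs, packet body and keys are constructed; zero-padding of keys shorter than 16 bytes follows Quagga's behaviour.

```python
# Added example (not SMC or Quagga code): OSPFv2 cryptographic authentication
# per RFC 2328 Appendix D, keyed from a {key_id: key} chain.
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
AUTH_TYPE_CRYPTO = 2      # AuType for cryptographic authentication
HEADER_LEN = 24
DIGEST_LEN = 16
# version, type, length, router id, area id, checksum, autype,
# then the 8-byte Authentication field: 0, key id, auth data len, sequence number
HEADER_FMT = "!BBH4s4sHHHBBI"


def _padded_key(key):
    raw = key.encode()
    if not 1 <= len(raw) <= DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be 1..16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")   # short keys are zero-padded


def sign_packet(pkt_type, router_id, area_id, body, key_chain, send_key_id, seq):
    """Build an OSPFv2 packet and append the MD5 digest computed over the
    packet followed by the padded key selected by `send_key_id` (the Send Key).
    The checksum field is 0 when cryptographic authentication is used."""
    key = key_chain[send_key_id]
    header = struct.pack(HEADER_FMT, OSPF_VERSION, pkt_type, HEADER_LEN + len(body),
                         ipaddress.ip_address(router_id).packed,
                         ipaddress.ip_address(area_id).packed,
                         0, AUTH_TYPE_CRYPTO, 0, send_key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + _padded_key(key)).digest()


def verify_packet(wire, key_chain, last_seq):
    """Verify a received packet. `last_seq` maps router IDs to the highest
    sequence number accepted so far and is updated on success.
    Returns (accepted, reason)."""
    if len(wire) < HEADER_LEN:
        return False, "truncated header"
    (ver, _type, length, rid, _area, _csum, autype, _zero,
     key_id, auth_len, seq) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if ver != OSPF_VERSION or autype != AUTH_TYPE_CRYPTO:
        return False, "not an OSPFv2 cryptographic-auth packet"
    if auth_len != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False, "bad length"
    key = key_chain.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(wire[:length] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch"
    router = str(ipaddress.ip_address(rid))
    if seq < last_seq.get(router, 0):
        return False, "sequence number went backwards (possible replay)"
    last_seq[router] = seq
    return True, "ok"


if __name__ == "__main__":
    chain = {1: "examplekey1", 2: "examplekey2"}   # constructed Key Chain rows
    wire = sign_packet(1, "192.0.2.1", "0.0.0.0", b"\x00" * 20, chain, 2, 100)
    seen = {}
    print(verify_packet(wire, chain, seen))
    print(verify_packet(wire, chain, seen))            # equal sequence number is accepted
    print(verify_packet(wire, {1: "examplekey1"}, {}))  # Key ID 2 not in this chain
```

Because the Key ID travels in the header, a receiver with several rows in its key chain can verify packets signed with any of them, while the Send Key setting decides which row the sender uses; this is what allows keys to be rotated one router at a time.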

PIM Profile Properties dialog box

Use this dialog box to create a PIM Profile element.

Option Definition
General tab
Name The name of the element.
PIM Profile table

Click Add to add a row to the table, or Remove to remove the selected row.

Multicast Group Enter a multicast IPv4 network.
PIM Mode Select from the following:
  • PIM-SM — Uses PIM sparse mode.
  • PIM-SSM — Uses PIM source-specific mode.
  • PIM-DM — Uses PIM dense mode.
RP or Mapping

(When PIM Mode is PIM-SM or PIM-SSM)

Enter the rendezvous point (RP) IP address for PIM-SM or define the mapping for PIM-SSM.
  • When PIM-SM is used, enter a unicast IPv4 address to use as the RP. Leave the cell blank to dynamically use the bootstrap router (BSR) settings.
    Note: Configure the BSR settings in the Engine Editor only if you want to use the firewall as a BSR or RP candidate.
  • When PIM-SSM is used, enter a unicast IPv4 address or domain name suffix to be the source address for any multicast traffic from the defined multicast group. If a domain name suffix is used, DNS resolution combines the suffix and the group to determine the source address. IGMPv2 queries can be automatically mapped to IGMPv3. If the field is left blank, SSM mapping is not performed, and IGMPv3 is used by default.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Advanced tab
Hello Interval Enter how often hello messages are sent in seconds.
Join-Prune Interval Enter how often join/prune messages are sent in seconds.
SPT Switch Threshold This setting determines when to switch from a shared tree that routes through a designated router (DR), to a shortest-path tree (SPT).

Select the unit from the drop-down list.

  • Kbit/s — After the specified network speed is reached, the routing switches to the SPT.
  • Packets — After the specified number of packets is sent, the routing switches to the SPT.
  • Infinite — The routing never switches to the SPT.
SPT Switch Interval Enter how frequently the SPT switch threshold state is checked in seconds.
Smart Multicast Antispoofing When selected, antispoofing rules are automatically configured to avoid inadvertently blocking multicast traffic. We recommend that you enable this option.

PIM Interface Settings dialog box

Use this dialog box to create a PIM Interface Settings element.

Option Definition
Name The name of the element.
IGMP Settings Select an IGMP Querier Settings element. The element defines the IGMP version and query parameters.
DR Priority Enter the designated router (DR) priority that is advertised in hello messages.
ZBR for Groups Enter multicast groups for zone border routers (ZBR). To enter multiple multicast groups, separate them with a comma. The listed multicast groups do not pass through the interface.
Random Delay Enter the random delay before hello messages are sent. The delay prevents PIM routers from receiving multiple hello messages at the same time.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.

IGMP Querier Settings dialog box

Use this dialog box to create an IGMP Querier Settings element.

Option Definition
Name The name of the element.
IGMP Version Select the version of IGMP to use.
Query Interval Enter how often the hello packet is sent in seconds. This option is not supported when IGMP Version is IGMPv1.
Robustness Enter the robustness value. If you expect packet loss in the network, increase this value to send more IGMP messages. This option is not supported when IGMP Version is IGMPv1 or when the IGMP Querier Settings element is used for PIM.
Comment

(Optional)

A comment for your own reference.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.