Forcepoint routing migration from Quagga to SMC.
Hello guys, today I would like to talk to you about how to migrate the dynamic routing configuration on Forcepoint firewalls (formerly Stonegate) from Quagga (an open source routing sub-module for Linux) to SMC.
From the beginning, Stonegate firewalls used Quagga to configure dynamic routing protocols, but since Forcepoint came on the scene, they introduced BGP over SMC in their first release (5.9.0 on June 23, 2015) and then introduced OSPF in the following major release (6.0.0 on April 11, 2016).
Today both options are available: Quagga through the Linux CLI sub-module, and SMC. The major inconvenience of Quagga is that its configuration is not readable from SMC, only from the CLI. Because of this, it is better to use SMC, as a proper Management Center, as the centralized point of management for all features, including dynamic routing.
Now let's look at an example of migrating OSPF from Quagga to SMC:
Quagga config source to migrate:
Well, in order to migrate the config above, we must perform the following steps:
A. First of all we must configure all objects in SMC:
Access-lists.
OSPF profile/s.
Interface/s Settings.
Area/s.
1. Access-list: Menu ==> Dynamic Routing ==> IP Access List:
We create a new one and insert the same ACLs that appear in Quagga:
2. Create OSPF profile:
Then, we must create an OSPF profile in NGFW ==> Other Elements ==> Dynamic Routing Elements ==> OSPFv2 Elements ==> OSPFv2 Profiles
In this case, we call it “QUAGGA_migration_profile”:
We can use the default OSPF Domain settings in this case.
And here we apply the redistribution sources and the access-list previously created as a filter:
3. Configure OSPF Interface Settings: Create two OSPF Interface Settings, one per interface, because each has a different configuration (hello intervals, priority, cost, etc.):
Once created, we name it and can configure authentication (not in this case).
And finally we set the hello/dead intervals, cost, priority, etc.
4. Create OSPF Area/s. Finally, we create the Area object/s like this:
We have to create two in order to assign each of the Interface Settings we created before to its own Area object.
And finally we set the networks we want to announce.
B. We must enable OSPF:
Enable OSPF in SMC globally.
Assign Area Object to interfaces.
1. Enable OSPF in SMC globally. We have to edit the Firewall Cluster object:
First we enable OSPF globally, and then we set the OSPF ID and profile:
2. Assign Area Object to interfaces. We have to insert the Area object under each interface we want to be part of OSPF:
C. Policy Install.
Finally, once all changes are performed, we need to do a policy install in order to apply all changes as always.
NOTE: When dynamic routing is configured and applied from SMC, it overrides the Quagga config, so please do not forget to take a Quagga backup beforehand!!
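As a cross-check before the policy install, this added example (not from the original post or from Forcepoint) inventories a saved Quagga ospfd.conf so that each access-list, interface setting, area and redistribution source can be ticked off against the SMC objects created in step A. The sample config and the names MIGRATE_ACL, inventory and undefined_filters are constructed for illustration.

```python
# Constructed sample ospfd.conf (not the configuration from the post).
SAMPLE = """\
interface eth0
 ip ospf hello-interval 10
 ip ospf dead-interval 40
!
interface eth1
 ip ospf cost 100
 ip ospf authentication message-digest
!
router ospf
 ospf router-id 192.0.2.1
 redistribute connected
 distribute-list MIGRATE_ACL out connected
 network 192.0.2.0/24 area 0.0.0.0
 network 198.51.100.0/24 area 0.0.0.1
!
access-list MIGRATE_ACL permit 203.0.113.0/24
"""

def inventory(text):
    """Collect what must be recreated in SMC: ACLs, interface settings, areas."""
    inv = {"router_id": None, "acls": {}, "interfaces": {}, "areas": {}, "redistribute": [], "filters": []}
    iface = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "!#":
            continue
        if not raw[0].isspace():  # a top-level statement ends the interface block
            iface = words[1] if words[0] == "interface" and len(words) > 1 else None
        if words[0] == "access-list" and len(words) >= 4:
            inv["acls"].setdefault(words[1], []).append((words[2], " ".join(words[3:])))
        elif iface and words[:2] == ["ip", "ospf"] and len(words) >= 3:
            inv["interfaces"].setdefault(iface, {})[words[2]] = " ".join(words[3:])
        elif words[0] == "network" and len(words) == 4 and words[2] == "area":
            inv["areas"].setdefault(words[3], []).append(words[1])
        elif words[0] == "redistribute" and len(words) >= 2:
            inv["redistribute"].append(words[1])
        elif words[0] == "distribute-list" and len(words) >= 4:
            inv["filters"].append((words[1], words[3]))  # (ACL name, filtered source)
        elif words[:2] == ["ospf", "router-id"] and len(words) == 3:
            inv["router_id"] = words[2]
    return inv

def undefined_filters(inv):  # distribute-lists naming an ACL the file never defines
    return [name for name, _ in inv["filters"] if name not in inv["acls"]]

if __name__ == "__main__":
    print(inventory(SAMPLE), undefined_filters(inventory(SAMPLE)))
```

Each key under "interfaces" corresponds to one OSPF Interface Settings element and each key under "areas" to one Area object; an interface without an authentication entry matches the "not in this case" situation above.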
That's all for today, see you in the next post!!