Advertise a Default Route in OSPF NSSA on PAN-OS: Supported Methods and Limitations

Created On 12/11/25 17:54 PM - Last Modified 02/13/26 11:32 AM


Symptom


  • In deployments where a firewall is expected to advertise a default route (0.0.0.0/0) into an OSPF NSSA area, administrators may attempt to redistribute the default route from another routing protocol (such as BGP or static routes) into OSPF using redistribution policies.
  • However, in PAN-OS, you may observe that the default route does not appear in the OSPF LSDB of the NSSA area, even though:
    • The default route exists in the routing table
    • The route is present in the BGP table
    • Redistribution policies are correctly applied between BGP and OSPF

  • Example output showing the default route present in BGP:
admin@Lab33-207-PA-5440-DUT> show advanced-routing bgp route
     Status codes: R removed, d damped, * valid, r ribFailure, S stale, = multipath,
        s suppressed, i internal, > best, h history
        Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
        Origin codes: e egp, i igp, ? incomplete

        Logical router: Internet
        BGP table version is 11, local router ID is 1.1.1.3, vrf ID 0
        Default local pref 100, local AS 65004
        ----------------------------------------------------------------------------------
        Network Next Hop Metric LocPrf Weight Path
        *> 0.0.0.0/0 100.100.100.2 0 0 65001 65002 ? <<Default-route present inside bgp table
        *> 10.10.1.0/30 100.100.100.2 0 0 65001 65002 ?
        *> 10.10.2.0/30 100.100.100.2 0 0 65001 65002 ?
  • Despite a correct redistribution policy configuration, the default route is absent in the OSPF NSSA LSDB:

admin@Lab33-207-PA-5440-DUT> show advanced-routing ospf lsdb
       total route shown: 11
       Internet 0.0.0.1 router         1.1.1.3        1.1.1.3        80000004   5258   421  36 << Default-route missing
       Internet 0.0.0.1 nssa-external  1.1.1.3        10.10.1.0/30   80000001   584f   420  36
       Internet 0.0.0.1 nssa-external  1.1.1.3        10.10.2.0/30   80000001   4d59   420  36

 



Environment


Product versions

• PAN-OS: 11.1.6-h3
• PAN-OS: 11.1.10-h4
• PAN-OS: 11.1.10-h10

Hardware Details

• PA

Network Config

• OSPF
• NSSA

 

 

 



Cause


On Palo Alto firewalls, advertising a default route (0.0.0.0/0) into an OSPF NSSA area is not reliably supported through standard redistribution policies. Even when a default route exists in the routing table (for example, learned via BGP or configured statically), PAN-OS does not consistently redistribute it into NSSA and does not generate a Type-7 LSA for it.

This behavior is intentional. Injecting a default route can significantly impact downstream routing, so PAN-OS requires an explicit and controlled configuration for this use case. As a result, redistribution alone should not be relied upon for advertising 0.0.0.0/0 into an NSSA. The option that originates the default route explicitly on the NSSA area is:

default-information-originate enable

All other prefixes can be redistributed normally; the default route must be explicitly originated.

 



Resolution


Originate the default route explicitly on the NSSA area instead of relying on redistribution:

  1. set network logical-router <name> vrf <name> ospf area <name> type nssa default-information-originate
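
A way to check for the symptom before and after the change, as an added example that is not part of the original article: it parses saved output of the two show commands and lists BGP best-path prefixes that have no nssa-external LSA in the area. The column interpretation, the assumption that the redistribution policy covers every BGP best path, and the LSDB_AFTER row are constructed for illustration and are not device output.

```python
import re

# BGP_OUT and LSDB_BEFORE are copied from the CLI output in this article (annotations dropped).
BGP_OUT = """\
*> 0.0.0.0/0 100.100.100.2 0 0 65001 65002 ?
*> 10.10.1.0/30 100.100.100.2 0 0 65001 65002 ?
*> 10.10.2.0/30 100.100.100.2 0 0 65001 65002 ?
"""
LSDB_BEFORE = """\
total route shown: 11
Internet 0.0.0.1 router         1.1.1.3        1.1.1.3        80000004   5258   421  36
Internet 0.0.0.1 nssa-external  1.1.1.3        10.10.1.0/30   80000001   584f   420  36
Internet 0.0.0.1 nssa-external  1.1.1.3        10.10.2.0/30   80000001   4d59   420  36
"""
# Constructed row (not device output): the assumed shape of a default-route LSA.
LSDB_AFTER = LSDB_BEFORE + \
    "Internet 0.0.0.1 nssa-external  1.1.1.3        0.0.0.0/0      80000001   0000   5  36\n"

# Assumed column order: status codes, prefix, ... (BGP) and
# logical router, area, LSA type, advertising router, LSA ID, sequence, ... (LSDB).
BGP_ROW = re.compile(r"^\s*(?P<status>[*>=a-zA-Z]+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s")
LSDB_ROW = re.compile(
    r"^\s*(?P<lr>\S+)\s+(?P<area>\d+(?:\.\d+){3})\s+(?P<type>[a-z-]+)\s+"
    r"(?P<adv>\d+(?:\.\d+){3})\s+(?P<lsid>\S+)\s+[0-9a-fA-F]{8}\s")

def bgp_best_prefixes(text):
    """Prefixes whose status column marks them valid (*) and best (>)."""
    rows = (BGP_ROW.match(line) for line in text.splitlines())
    return {m["prefix"] for m in rows if m and {"*", ">"} <= set(m["status"])}

def nssa_external_prefixes(text, logical_router, area):
    """LSA IDs of nssa-external rows for one logical router and area."""
    rows = (LSDB_ROW.match(line) for line in text.splitlines())
    return {m["lsid"] for m in rows
            if m and (m["lr"], m["area"], m["type"]) == (logical_router, area, "nssa-external")}

def audit(bgp_text, lsdb_text, logical_router, area):
    """Return BGP best prefixes that have no nssa-external LSA in the area."""
    return sorted(bgp_best_prefixes(bgp_text)
                  - nssa_external_prefixes(lsdb_text, logical_router, area))

if __name__ == "__main__":
    print("before:", audit(BGP_OUT, LSDB_BEFORE, "Internet", "0.0.0.1"))
    print("after: ", audit(BGP_OUT, LSDB_AFTER, "Internet", "0.0.0.1"))
```

An empty list means every BGP best path, including 0.0.0.0/0, is represented in the NSSA LSDB.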

 

 



Additional Information


This behavior is specific to PAN-OS design and implementation. Other vendors may handle default route advertisement into OSPF NSSA areas differently depending on their platform logic and configuration model.


