OSPF Link State Database Overload Protection for Palo Alto Firewall

mskpalo — Fri, 22 Jul 2016 07:50:43 GMT

Hi,

We're migrating from a Cisco ASA to a Palo Alto firewall device. I had a query about the OSPF Link State Database Overload Protection for the Palo Alto Firewall

The Cisco ASA firewall provides OSPF Link State Database Overload Protection using the max-lsa command

Here is the Cisco reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/ospfopro.html

“To limit the number of nonself-generated link-state advertisements (LSAs) that an Open Shortest Path First (OSPF) routing process can keep in the OSPF link-state database (LSDB), use the max-lsa command in router configuration mode. To remove the limit of non self-generated LSAs that an OSPF routing process can keep in the OSPF LSDB, use the no form of this command.”

I could not find the equivalent protection in a Palo Alto firewall

Please could you let me know

How I can configure OSPF Link State database overload protection from the web interface?
What is the equivalent command/CLI entry for this?

Here is my existing Palo Alto Configuration

=====================

=====================

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

pulukas — Sat, 23 Jul 2016 12:57:57 GMT

Unfortunately, this parameter is not availabe in the current PanOS releases.

You can discuss with your sales engineer either adding a feature request for a future release or if one alreadly exists adding your company vote for the feature.

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

mskpalo — Sat, 23 Jul 2016 20:14:16 GMT

Thanks @pulukas for the reply. Are there any other features we could implement to secure the OSPF Link State Database in Palo Alto Firewalls?

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

pulukas — Sun, 24 Jul 2016 17:05:35 GMT

If the primary concern is security, you can use md5 authentication for the neighbor relationships.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF-Authentication/ta-p/52330

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

mskpalo — Sun, 24 Jul 2016 22:43:32 GMT

Thanks a lot for the support

topic Re: OSPF Link State Database Overload Protection for Palo Alto Firewall in General Topics

OSPF Link State Database Overload Protection for Palo Alto Firewall

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall