https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/158532#M51865 <P>Got the same reply in the notes of a&nbsp;case opened with PAN support. &nbsp;They must have been looking over your shoulder. &nbsp;Sent email to our SE and will follow up with same.</P> Fri, 26 May 2017 19:50:45 GMT NetWright 2017-05-26T19:50:45Z https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/145632#M49076 <P>Wondering if there's a way to configure a threshold for OSPF LSA updates/messages?<BR />Or if such a threshold is already in place by default on Palo Alto firewalls. &nbsp;</P><P>Something that can maybe drop anything more than say 7 LSA messages in 5 minutes.<BR />Apparently, there's a security threat related to a device getting DOS'd by an overwhelming flow of LSA messages and our security consultant wants us to configure a threshold to drop more than x number of LSA messages in a given period.<BR /><BR />I see there's an LSA interval like this:</P><TABLE border="0" cellspacing="0" cellpadding="0"><TBODY><TR><TD><DIV class="TB1_TableBullet_inner">•</DIV></TD><TD><DIV class="TB1_TableBullet_inner"><SPAN>LSA Interval (sec)</SPAN>—The option specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.</DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Yet that doesn't seem to address the issue of an overwhelming number of updates being sent maliciously.<BR /><BR />For comparison on the Cisco-side there's a concept of:&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="2">"OSPF Link-State Database Overload Protection"&nbsp;<BR />which is configured with this command in the OSPF router process:<BR /><STRONG>max-lsa</STRONG> <EM>maximum-number</EM><SPAN> [</SPAN><EM>threshold-percentage</EM><SPAN>] [</SPAN><STRONG>warning-only</STRONG><SPAN>] [</SPAN><STRONG>ignore-time</STRONG> <EM>minutes</EM><SPAN>] [</SPAN><STRONG>ignore-count</STRONG> <EM>count-number</EM><SPAN>] [</SPAN><STRONG>reset-time</STRONG> <EM>minutes</EM><SPAN>]</SPAN><BR /></FONT></P> Wed, 01 Mar 2017 21:52:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/145632#M49076 NetWright 2017-03-01T21:52:18Z https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/148336#M49566 <P>No, these parameters are not available in PanOS. &nbsp;You could contact your sales engineer to see if there is an existing FR (Feature Request) on file for this and have them add a vote or create one. &nbsp;If it is new tell them it is covered under RFC 5286 for implementation.</P><P>&nbsp;</P><P>But remember that Palo Alto is a security company here that also does routing. &nbsp;So the pace of feature implementation on the routing side can be on the slow side.</P> Sun, 19 Mar 2017 16:22:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/148336#M49566 pulukas 2017-03-19T16:22:29Z https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/158532#M51865 <P>Got the same reply in the notes of a&nbsp;case opened with PAN support. &nbsp;They must have been looking over your shoulder. &nbsp;Sent email to our SE and will follow up with same.</P> Fri, 26 May 2017 19:50:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-lsa-threshold-security-finding/m-p/158532#M51865 NetWright 2017-05-26T19:50:45Z