https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422643#M94081 <P>OSPF authentication is a good idea, but something we are not doing as of yet.&nbsp; &nbsp;There isn't any way for an opsf passive interface to accept any inputs or ingest routes from the passive link I'm thinking?</P> Wed, 28 Jul 2021 12:54:29 GMT Sec101 2021-07-28T12:54:29Z https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422471#M94062 <P>What is best practice to advertise connected networks on a single VR where you have OSPF running and neighboring on an Internal Firewall&nbsp; interface to router, and want to advertise multiple segmented/firewalled networks directly attached the same firewall?<BR /><BR />Is it best to mark the segmented networks as Passive ospf interfaces, and allow OSPF to advertise these networks to internal router</P><P>&nbsp;</P><P>Are there any risks of rogue routers/devices&nbsp; that could be installed on a segmented section and send updates to the passive OSPF interface on the firewall?&nbsp; A passive OSPF interface won't accept incoming advertisements because an adjacency isn't established iirc.&nbsp; But there aren't any risks I'm missing on this are there?</P><P>&nbsp;</P><P>Citing below link for background information:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXsCAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXsCAK</A></P> Wed, 28 Jul 2021 00:24:37 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422471#M94062 Sec101 2021-07-28T00:24:37Z https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422603#M94080 <P>I'd mark as passive any interface that should not form OSPF adjacences, to avoid route hijacking (either by rogue or misconfigured devices). Not sure if that's a "unviersal enough" thing to be named a "best practice", though. Authenticating OSPF can also mitigate the same problem, esp. if some of your links transit on somebody else's network or if some of your devices need to offer Anycast services and are mixed with others which should not take part in OSPF (e.g. a DNS server member of an Anycast pool on the same subnet with regular servers).</P> Wed, 28 Jul 2021 11:05:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422603#M94080 michelealbrigo 2021-07-28T11:05:03Z https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422643#M94081 <P>OSPF authentication is a good idea, but something we are not doing as of yet.&nbsp; &nbsp;There isn't any way for an opsf passive interface to accept any inputs or ingest routes from the passive link I'm thinking?</P> Wed, 28 Jul 2021 12:54:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422643#M94081 Sec101 2021-07-28T12:54:29Z https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422688#M94082 <P>Hello,</P><P>Another option is to utilize metrics. Allow the adjacencies to form and then apply metrics to the routes to that are less favorable.</P><P>Cheers!</P> Wed, 28 Jul 2021 15:06:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-passive-interfaces-question/m-p/422688#M94082 OtakarKlier 2021-07-28T15:06:44Z