New PA user and currently concerned

L4 Transporter

Re: New PA user and currently concerned

I had a rule at #2 that basically said any-to-any OSPF allow.

But the issue was it was logging lots of what seem like erroneous messages in the traffic log:

sessions expiring with 0 bytes or sessions ageing out.

I would have thought that if the OSPF router understands the OSPF session, the firewall would too.

Anyway

L7 Applicator

Re: New PA user and currently concerned

I'd be interested in seeing the logs you're describing.  

 

It might help to think of it this way.  The "traffic log" is a log of the packets permitted or denied by the "traffic enforcement module".  The only things you'll see here are uninteresting "firewall sessions" that say "OSPF is running between these two systems".  

 

The App-ID definition for OSPF has a built-in timeout of 30 seconds.  This means that 30 seconds after not seeing any OSPF traffic, the session is expected to age out.  

 

ospf-appid.png

 

With an "OSPF allow" security policy, log at session start, and log at session end, here's what you'd expect to see in the traffic log:

 

 

ospf-log.PNG

 

The bottom log is the session start log, so there's no "session end reason" yet.  At the time the session started, there was 1 packet sent.  30 seconds later, the session ages out per the App-ID definition mentioned above.  In a steady state, OSPF sends periodic updates in intervals from 30 to 60 minutes.  You may get more or less logging detail depending on things like broadcast vs. point-to-point (p2p) network types, etc.  

In the GUI, you can see quite a few statistics for OSPF in the Virtual Routers / Runtime Stats section:

vr.png

 

The runtime stats show the current state of all routing protocols (including OSPF), but the system logs mentioned earlier contain a history of the OSPF processes and state:

 

system-logs.png

 

Finally, there are also quite a few CLI-based commands to provide additional insight into the OSPF state:

 

admin@pa0-black_knight(active)> find command keyword ospf
show routing route destination <ip/netmask> interface <value> nexthop <ip/netmask> type <static|connect|bgp|ospf|rip> virtual-router <value> count <1-524288> ecmp <yes|no> afi <both|ipv4|ipv6> safi <both|unicast|multicast>
show routing protocol redist ospf virtual-router <value>
show routing protocol redist ospfv3 virtual-router <value>
show routing protocol ospf summary virtual-router <value>
show routing protocol ospf area virtual-router <value>
show routing protocol ospf interface virtual-router <value>
show routing protocol ospf virt-link virtual-router <value>
show routing protocol ospf neighbor virtual-router <value>
show routing protocol ospf virt-neighbor virtual-router <value>
show routing protocol ospf lsdb virtual-router <value>
show routing protocol ospf dumplsdb virtual-router <value>
show routing protocol ospf graceful-restart virtual-router <value>
show routing protocol ospfv3 summary virtual-router <value>
show routing protocol ospfv3 area virtual-router <value>
show routing protocol ospfv3 interface brief <yes|no> virtual-router <value>
show routing protocol ospfv3 virt-link virtual-router <value>
show routing protocol ospfv3 neighbor brief <yes|no> virtual-router <value>
show routing protocol ospfv3 virt-neighbor brief <yes|no> virtual-router <value>
show routing protocol ospfv3 lsdb scope <link-local|area-local|as-local|all> adv-rtr <ip/netmask> area-id <ip/netmask> lsa-id <ip/netmask> hexdump <yes|no> filter-type-area <inter-area-prefix|inter-area-router|intra-area-prefix|network|router|nssa> virtual-router <value>
show routing protocol ospfv3 dumplsdb scope <link-local|area-local|as-local|all> adv-rtr <ip/netmask> area-id <ip/netmask> lsa-id <ip/netmask> hexdump <yes|no> filter-type-area <inter-area-prefix|inter-area-router|intra-area-prefix|network|router|nssa> virtual-router <value>
show routing protocol ospfv3 graceful-restart virtual-router <value>
debug device-server dump idmgr type ospfv3-virtual-link id <1-4095>
debug device-server dump idmgr type ospfv3-virtual-link name <value>
debug device-server dump idmgr type ospfv3-virtual-link all
debug lpmgrd dump idmgr type ospfv3-virtual-link id <1-4095>
debug lpmgrd dump idmgr type ospfv3-virtual-link name <value>
debug lpmgrd dump idmgr type ospfv3-virtual-link all
debug routing pcap ospf on virtualrouter <value>
debug routing pcap ospf off
debug routing pcap ospf delete
debug routing pcap ospf view
debug routing pcap ospfv3 on virtualrouter <value>
debug routing pcap ospfv3 off
debug routing pcap ospfv3 delete
debug routing pcap ospfv3 view
admin@pa0-black_knight(active)>

So, if you're looking for detail on how OSPF is working, the system logs, virtual router stats, and CLI commands are your best bet.  

 

Hopefully that helps clear up some of the confusion.  I'd be happy to look at your OSPF traffic logs if this doesn't clear things up.  

 
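The reply above makes the practical point: for an "OSPF allow" rule with log-at-start and log-at-end, session-start entries with no end reason and "aged-out" entries roughly 30 seconds later are the expected shape of the traffic log, not a fault. What a practitioner actually wants is a quick way to sift those expected entries out of a log export and surface the ones that do matter (denies, or age-outs that happened well before the App-ID timeout, which hint that a different App-ID or timeout applied). The script below is an added example written for this thread; it is not code from the original posts or from Palo Alto Networks. The CSV column names (`type`, `src`, `dst`, `app`, `action`, `bytes`, `packets`, `elapsed`, `session_end_reason`) are simplified assumptions to map onto the headers of your firewall's log export, and the log lines are constructed, not captured from a real device.

```python
"""Triage Palo Alto traffic-log entries produced by an 'OSPF allow' rule.

Added example for this thread (not the original poster's or vendor's code).
Column names below are simplified assumptions; map them to the headers of
your own traffic-log CSV export.  The sample rows are constructed.
"""
import csv
import io
from collections import Counter

# Idle timeout from the ospf App-ID definition referenced in the thread.
OSPF_APPID_TIMEOUT = 30  # seconds

# Constructed sample export (header row + rows).  224.0.0.5 is the
# AllSPFRouters multicast group used for OSPF hellos; the unicast pair is
# adjacency traffic between two neighbours.
SAMPLE_CSV = """\
receive_time,type,src,dst,rule,app,proto,action,bytes,packets,elapsed,session_end_reason
2023-01-01 10:00:00,start,10.0.0.1,224.0.0.5,ospf-allow,ospf,ospf,allow,76,1,0,n/a
2023-01-01 10:00:30,end,10.0.0.1,224.0.0.5,ospf-allow,ospf,ospf,allow,228,3,30,aged-out
2023-01-01 10:00:05,start,10.0.0.2,224.0.0.5,ospf-allow,ospf,ospf,allow,76,1,0,n/a
2023-01-01 10:00:35,end,10.0.0.2,224.0.0.5,ospf-allow,ospf,ospf,allow,0,0,30,aged-out
2023-01-01 10:01:00,end,10.0.0.3,224.0.0.5,intrazone-default,ospf,ospf,deny,0,1,0,policy-deny
2023-01-01 10:02:00,end,10.0.0.1,10.0.0.2,ospf-allow,ospf,ospf,allow,1400,12,31,aged-out
2023-01-01 10:03:00,end,10.0.0.4,224.0.0.5,ospf-allow,ospf,ospf,allow,76,1,12,aged-out
"""

# PAN-OS actions that mean the session was not permitted.
BLOCKING_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


def parse_traffic_log(text):
    """Parse a CSV export with a header row into dicts with numeric fields typed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("bytes", "packets", "elapsed"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def classify(entry):
    """Label one log entry as expected OSPF noise or something worth a look."""
    if entry["type"] == "start":
        # Start logs never carry an end reason; nothing to judge yet.
        return "session-start"
    if entry["action"] in BLOCKING_ACTIONS:
        # A blocked OSPF session (e.g. hit a default deny) is a real finding.
        return "denied"
    if entry["session_end_reason"] == "aged-out":
        if entry["elapsed"] >= OSPF_APPID_TIMEOUT:
            # Idle timeout after the App-ID's 30 s: the normal steady state.
            return "expected-ageout"
        # Aged out well before the ospf App-ID timeout: a different App-ID
        # or timeout applied, so it deserves inspection.
        return "early-ageout"
    return "other-end"


def triage(text):
    """Summarise an export: per-class counts, flagged entries, and OSPF peers seen."""
    entries = parse_traffic_log(text)
    counts = Counter(classify(e) for e in entries)
    flagged = [e for e in entries
               if classify(e) not in ("session-start", "expected-ageout")]
    # Source/destination pairs of permitted OSPF sessions, to compare against
    # 'show routing protocol ospf neighbor' on the firewall.
    peers = sorted({(e["src"], e["dst"]) for e in entries
                    if e["app"] == "ospf" and e["action"] == "allow"})
    return {"counts": dict(counts), "flagged": flagged, "peers": peers}


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for label, n in sorted(result["counts"].items()):
        print(f"{label:16s} {n}")
    for e in result["flagged"]:
        print("FLAG", e["receive_time"], e["src"], "->", e["dst"],
              e["rule"], e["action"], e["session_end_reason"], f"{e['elapsed']}s")
    print("OSPF peers seen:", result["peers"])
```

Run it against your own export by replacing `SAMPLE_CSV` with the file contents (and renaming the header columns to match). Everything that lands in "session-start" or "expected-ageout" is the uninteresting firewall-session record the reply describes; the denied and early-ageout entries are the ones to chase through the system logs, the virtual router runtime stats, and the `show routing protocol ospf neighbor` output.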
