07-22-2016 12:49 AM - edited 07-22-2016 12:50 AM
Hi,
We're migrating from a Cisco ASA to a Palo Alto firewall device. I had a query about the OSPF Link State Database Overload Protection for the Palo Alto Firewall.
The Cisco ASA firewall provides OSPF Link State Database Overload Protection using the max-lsa command.
Here is the Cisco reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/ospfopro.html
“To limit the number of nonself-generated link-state advertisements (LSAs) that an Open Shortest Path First (OSPF) routing process can keep in the OSPF link-state database (LSDB), use the max-lsa command in router configuration mode. To remove the limit of non self-generated LSAs that an OSPF routing process can keep in the OSPF LSDB, use the no form of this command.”
I could not find the equivalent protection in a Palo Alto firewall.
Please could you let me know?
Here is my existing Palo Alto configuration:
=====================
<ospf>
<enable>yes</enable>
<area>
<entry name="0.0.0.0">
<interface>
<entry name="ethernet1/11">
<enable>yes</enable>
<passive>no</passive>
<gr-delay>10</gr-delay>
<metric>1000</metric>
<priority>1</priority>
<hello-interval>10</hello-interval>
<dead-counts>4</dead-counts>
<retransmit-interval>5</retransmit-interval>
<transit-delay>1</transit-delay>
<link-type>
<broadcast/>
</link-type>
</entry>
<entry name="ethernet1/12">
<enable>yes</enable>
<passive>no</passive>
<gr-delay>10</gr-delay>
<metric>1000</metric>
<priority>1</priority>
<hello-interval>10</hello-interval>
<dead-counts>4</dead-counts>
<retransmit-interval>5</retransmit-interval>
<transit-delay>1</transit-delay>
<link-type>
<broadcast/>
</link-type>
</entry>
<entry name="loopback">
<enable>yes</enable>
<passive>yes</passive>
<gr-delay>10</gr-delay>
<metric>1000</metric>
<priority>1</priority>
<hello-interval>10</hello-interval>
<dead-counts>4</dead-counts>
<retransmit-interval>5</retransmit-interval>
<transit-delay>1</transit-delay>
<link-type>
<broadcast/>
</link-type>
</entry>
<entry name="ae2">
<enable>yes</enable>
<passive>yes</passive>
<gr-delay>10</gr-delay>
<metric>10</metric>
<priority>1</priority>
<hello-interval>10</hello-interval>
<dead-counts>4</dead-counts>
<retransmit-interval>5</retransmit-interval>
<transit-delay>1</transit-delay>
<link-type>
<broadcast/>
</link-type>
</entry>
</interface>
<type>
<normal/>
</type>
</entry>
</area>
<router-id>10.1.1.1</router-id>
</ospf>
<ospfv3>
<enable>no</enable>
</ospfv3>
=====================
07-23-2016 05:57 AM
Unfortunately, this parameter is not available in the current PAN-OS releases.
You can discuss with your sales engineer either adding a feature request for a future release or, if one already exists, adding your company's vote for the feature.
07-23-2016 01:14 PM
Thanks @pulukas for the reply. Are there any other features we could implement to secure the OSPF Link State Database in Palo Alto Firewalls?
07-24-2016 10:05 AM
If the primary concern is security, you can use MD5 authentication for the neighbor relationships.
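The reply above recommends MD5 authentication as the available control: without a neighbor-level limit like max-lsa, the practical defence is to make sure no unauthenticated device can form an adjacency and flood LSAs into the LSDB in the first place. The script below is an added example (not part of this thread and not Palo Alto Networks code) that audits an exported virtual-router OSPF block such as the one posted above and lists every enabled, non-passive interface that has no authentication profile bound to it, then produces a hardened copy. It assumes the PAN-OS XML layout for an authentication profile (`<auth-profile>/<entry>/<md5>/<entry name="key-id">`) and the per-interface `<authentication>` element; the profile name `ospf-md5` and the placeholder key are invented for the example, and the embedded configuration is a trimmed copy of the posted one.

```python
"""Audit a PAN-OS OSPF XML block for interfaces that can form adjacencies
without authentication, and emit a hardened copy.

Added example for this thread; not Palo Alto Networks code.  The element
names <auth-profile> and <authentication> are assumed from PAN-OS exports.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the configuration posted in the thread.
POSTED_CONFIG = """<ospf>
  <enable>yes</enable>
  <area>
    <entry name="0.0.0.0">
      <interface>
        <entry name="ethernet1/11">
          <enable>yes</enable><passive>no</passive><metric>1000</metric>
        </entry>
        <entry name="ethernet1/12">
          <enable>yes</enable><passive>no</passive><metric>1000</metric>
        </entry>
        <entry name="loopback">
          <enable>yes</enable><passive>yes</passive><metric>1000</metric>
        </entry>
        <entry name="ae2">
          <enable>yes</enable><passive>yes</passive><metric>10</metric>
        </entry>
      </interface>
      <type><normal/></type>
    </entry>
  </area>
  <router-id>10.1.1.1</router-id>
</ospf>"""


def _text(entry, tag):
    """Text of a child element, or "" when the child is absent or empty."""
    node = entry.find(tag)
    return (node.text or "").strip() if node is not None else ""


def _forms_adjacencies(iface):
    """Enabled and not passive: the interface sends hellos and accepts neighbors."""
    return _text(iface, "enable") == "yes" and _text(iface, "passive") != "yes"


def audit_ospf(xml_text):
    """Return (area, interface) pairs that form adjacencies with no auth profile."""
    root = ET.fromstring(xml_text)
    findings = []
    for area in root.findall("area/entry"):
        for iface in area.findall("interface/entry"):
            if _forms_adjacencies(iface) and not _text(iface, "authentication"):
                findings.append((area.get("name"), iface.get("name")))
    return findings


def harden_ospf(xml_text, profile="ospf-md5", key_id="1", key="REPLACE-ME"):
    """Return a copy of the block with an MD5 auth profile (assumed layout)
    and every adjacency-forming interface bound to it.  The key is a
    placeholder; set a real secret before loading the config."""
    root = ET.fromstring(xml_text)
    if root.find("auth-profile") is None:
        prof = ET.SubElement(ET.SubElement(root, "auth-profile"), "entry", name=profile)
        k = ET.SubElement(ET.SubElement(prof, "md5"), "entry", name=key_id)
        ET.SubElement(k, "key").text = key
        ET.SubElement(k, "preferred").text = "yes"
    for area in root.findall("area/entry"):
        for iface in area.findall("interface/entry"):
            if _forms_adjacencies(iface) and not _text(iface, "authentication"):
                auth = iface.find("authentication")
                if auth is None:
                    auth = ET.SubElement(iface, "authentication")
                auth.text = profile
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for area, name in audit_ospf(POSTED_CONFIG):
        print(f"area {area}: {name} forms adjacencies without authentication")
    hardened = harden_ospf(POSTED_CONFIG)
    print("findings after hardening:", audit_ospf(hardened))
```

Run against the posted configuration, the audit flags ethernet1/11 and ethernet1/12 (the two non-passive interfaces) and leaves the loopback and ae2 alone, since passive interfaces are advertised into the LSDB but never accept a neighbor. Every router on the flagged segments needs the same key, so stage the profile on the peers before committing it on the firewall, or the adjacencies drop at commit time.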
07-24-2016 03:43 PM
Thanks a lot for the support