OSPF Link State Database Overload Protection for Palo Alto Firewall


L1 Bithead

Hi,

We're migrating from a Cisco ASA to a Palo Alto firewall device. I had a query about the OSPF Link State Database Overload Protection for the Palo Alto Firewall.

The Cisco ASA firewall provides OSPF Link State Database Overload Protection using the max-lsa command.

Here is the Cisco reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/ospfopro.html

“To limit the number of nonself-generated link-state advertisements (LSAs) that an Open Shortest Path First (OSPF) routing process can keep in the OSPF link-state database (LSDB), use the max-lsa command in router configuration mode. To remove the limit of non self-generated LSAs that an OSPF routing process can keep in the OSPF LSDB, use the no form of this command.”

I could not find the equivalent protection in a Palo Alto firewall.

Please could you let me know:

  1. How I can configure OSPF Link State database overload protection from the web interface?
  2. What is the equivalent command/CLI entry for this?

Here is my existing Palo Alto configuration:

=====================

<ospf>
  <enable>yes</enable>
  <area>
    <entry name="0.0.0.0">
      <interface>
        <entry name="ethernet1/11">
          <enable>yes</enable>
          <passive>no</passive>
          <gr-delay>10</gr-delay>
          <metric>1000</metric>
          <priority>1</priority>
          <hello-interval>10</hello-interval>
          <dead-counts>4</dead-counts>
          <retransmit-interval>5</retransmit-interval>
          <transit-delay>1</transit-delay>
          <link-type>
            <broadcast/>
          </link-type>
        </entry>
        <entry name="ethernet1/12">
          <enable>yes</enable>
          <passive>no</passive>
          <gr-delay>10</gr-delay>
          <metric>1000</metric>
          <priority>1</priority>
          <hello-interval>10</hello-interval>
          <dead-counts>4</dead-counts>
          <retransmit-interval>5</retransmit-interval>
          <transit-delay>1</transit-delay>
          <link-type>
            <broadcast/>
          </link-type>
        </entry>
        <entry name="loopback">
          <enable>yes</enable>
          <passive>yes</passive>
          <gr-delay>10</gr-delay>
          <metric>1000</metric>
          <priority>1</priority>
          <hello-interval>10</hello-interval>
          <dead-counts>4</dead-counts>
          <retransmit-interval>5</retransmit-interval>
          <transit-delay>1</transit-delay>
          <link-type>
            <broadcast/>
          </link-type>
        </entry>
        <entry name="ae2">
          <enable>yes</enable>
          <passive>yes</passive>
          <gr-delay>10</gr-delay>
          <metric>10</metric>
          <priority>1</priority>
          <hello-interval>10</hello-interval>
          <dead-counts>4</dead-counts>
          <retransmit-interval>5</retransmit-interval>
          <transit-delay>1</transit-delay>
          <link-type>
            <broadcast/>
          </link-type>
        </entry>
      </interface>
      <type>
        <normal/>
      </type>
    </entry>
  </area>
  <router-id>10.1.1.1</router-id>
</ospf>
<ospfv3>
  <enable>no</enable>
</ospfv3>

=====================


4 REPLIES

L7 Applicator

Unfortunately, this parameter is not available in the current PanOS releases.

You can discuss with your sales engineer either adding a feature request for a future release or, if one already exists, adding your company vote for the feature.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks @pulukas for the reply. Are there any other features we could implement to secure the OSPF Link State Database in Palo Alto Firewalls?

If the primary concern is security, you can use md5 authentication for the neighbor relationships.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF-Authentication/ta-...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
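Since the recommendation above is to authenticate the adjacencies, here is an added example (not code from the thread or from Palo Alto Networks) that audits a PAN-OS OSPF XML fragment like the one posted and flags every enabled, non-passive interface that lacks an MD5 authentication profile. The `<authentication>` and `<auth-profile>` element names are assumptions not shown in the thread, and the sample config is constructed from the poster's interfaces.

```python
"""Audit a PAN-OS OSPF XML fragment for unauthenticated adjacencies.

Added example, not from the thread or Palo Alto Networks. Assumes (not shown
in the thread) that PAN-OS references a profile per interface as
<authentication>NAME</authentication> and defines profiles under <ospf><auth-profile>.
"""
import xml.etree.ElementTree as ET

# Constructed sample built from the poster's interfaces: ae2 is made active
# here and points at a profile that is never defined, to exercise every case.
SAMPLE = """<ospf>
  <auth-profile>
    <entry name="area0-md5">
      <md5><entry name="1"><key>PLACEHOLDER_KEY</key></entry></md5>
    </entry>
  </auth-profile>
  <area><entry name="0.0.0.0"><interface>
    <entry name="ethernet1/11"><enable>yes</enable><passive>no</passive></entry>
    <entry name="ethernet1/12"><enable>yes</enable><passive>no</passive>
      <authentication>area0-md5</authentication></entry>
    <entry name="ae2"><enable>yes</enable><passive>no</passive>
      <authentication>missing-profile</authentication></entry>
    <entry name="loopback"><enable>yes</enable><passive>yes</passive></entry>
  </interface></entry></area>
</ospf>"""


def audit_ospf_auth(xml_text):
    """Return {interface: status} for every enabled, non-passive interface."""
    root = ET.fromstring(xml_text)
    # Profile name -> "md5" or "password"; a simple password is not MD5
    profiles = {
        p.get("name"): "md5" if p.find("md5") is not None else "password"
        for p in root.iterfind("./auth-profile/entry")
    }
    findings = {}
    for iface in root.iterfind("./area/entry/interface/entry"):
        if iface.findtext("enable") != "yes" or iface.findtext("passive") == "yes":
            continue  # no hello exchange on this interface, so no adjacency to protect
        profile = iface.findtext("authentication")
        if profile is None:
            status = "no-authentication"
        elif profile not in profiles:
            status = "undefined-profile"
        elif profiles[profile] != "md5":
            status = "simple-password"
        else:
            status = "md5-ok"
        findings[iface.get("name")] = status
    return findings
```

Run against the poster's own fragment (which has no `<authentication>` elements), it reports ethernet1/11 and ethernet1/12 as "no-authentication" and skips the two passive interfaces.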

Thanks a lot for the support
