03-01-2017 01:52 PM
Wondering if there's a way to configure a threshold for OSPF LSA updates/messages?
Or if such a threshold is already in place by default on Palo Alto firewalls.
Something that can maybe drop anything more than say 7 LSA messages in 5 minutes.
Apparently, there's a security threat related to a device getting DoS'd by an overwhelming flow of LSA messages, and our security consultant wants us to configure a threshold to drop more than x number of LSA messages in a given period.
I see there's an LSA interval like this:
- LSA Interval (sec)—The option specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
Yet that doesn't seem to address the issue of an overwhelming number of updates being sent maliciously.
For comparison on the Cisco-side there's a concept of:
"OSPF Link-State Database Overload Protection"
which is configured with this command in the OSPF router process:
max-lsa maximum-number [threshold-percentage] [warning-only] [ignore-time minutes] [ignore-count count-number] [reset-time minutes]
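As an added illustration (not from this thread, and not PAN-OS or Cisco code), a small Python monitor that shows why the per-LSA minimum interval does not cover the flooding case: repeated copies of one LSA are caught by the interval check, while a burst of many distinct LSAs passes it and is only caught by a sliding-window count using the 7-per-5-minutes figure from the question. The sample LSA records and the 5 s minimum interval are constructed assumptions.

```python
from collections import deque

# Constructed sample of received OSPF LSA instances: (seconds, advertising router, LS type, LSA ID).
# Two copies of the same router LSA 1 s apart, then ten distinct external (type 5) LSAs in 10 s.
SAMPLE_LSAS = (
    [(0, "10.0.0.1", 1, "10.0.0.1"), (1, "10.0.0.1", 1, "10.0.0.1")]
    + [(100 + i, "10.0.0.9", 5, f"10.{i}.0.0") for i in range(10)]
)


class LsaRateMonitor:
    """Per-LSA minimum interval (what the LSA Interval setting covers) plus a
    sliding-window count of all LSA instances (what the question asks for)."""

    def __init__(self, min_interval=5, window=300, max_count=7):
        self.min_interval = min_interval   # seconds between instances of the same LSA (assumed 5 s)
        self.window = window               # sliding window length in seconds (5 minutes)
        self.max_count = max_count         # LSA instances allowed per window (7 from the question)
        self.last_accepted = {}            # (router, type, LSA ID) -> time of last accepted instance
        self.recent = deque()              # times of every instance seen inside the window

    def observe(self, t, router, ls_type, ls_id):
        """Return (per_lsa_ok, window_ok) for one received LSA instance."""
        key = (router, ls_type, ls_id)
        per_lsa_ok = t - self.last_accepted.get(key, float("-inf")) >= self.min_interval
        if per_lsa_ok:
            self.last_accepted[key] = t    # a rejected copy does not restart the timer
        while self.recent and t - self.recent[0] >= self.window:
            self.recent.popleft()          # age out instances older than the window
        self.recent.append(t)
        return per_lsa_ok, len(self.recent) <= self.max_count


def summarize(records, **limits):
    """Count how many instances each check would have stopped over a record list."""
    mon = LsaRateMonitor(**limits)
    result = {"per_lsa_rejected": 0, "window_exceeded": 0, "window_exceeded_but_per_lsa_ok": 0}
    for t, router, ls_type, ls_id in records:
        per_lsa_ok, window_ok = mon.observe(t, router, ls_type, ls_id)
        result["per_lsa_rejected"] += not per_lsa_ok
        result["window_exceeded"] += not window_ok
        result["window_exceeded_but_per_lsa_ok"] += per_lsa_ok and not window_ok
    return result


if __name__ == "__main__":
    # The flood of distinct LSAs is invisible to the interval check and only trips the window count.
    print(summarize(SAMPLE_LSAS))
```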
03-19-2017 09:22 AM
No, these parameters are not available in PanOS. You could contact your sales engineer to see if there is an existing FR (Feature Request) on file for this and have them add a vote or create one. If it is new tell them it is covered under RFC 5286 for implementation.
But remember that Palo Alto is a security company here that also does routing. So the pace of feature implementation on the routing side can be on the slow side.
05-26-2017 12:50 PM
Got the same reply in the notes of a case opened with PAN support. They must have been looking over your shoulder. Sent email to our SE and will follow up with same.