FortiGate
oarslan
Staff
Article Id 198769

Description

This article describes how to configure an OSPF passive-interface from the CLI, so that a subnet is advertised without sending OSPF hello packets on that interface.

Scope

FortiGate.

Solution

The OSPF 'network' command adds all interfaces with a subnet within the range of the network command to OSPF, and OSPF hello packets are sent on those interfaces.

Sometimes, it is necessary to advertise a subnet using OSPF but not send OSPF hello packets on this interface.

[Figure: Modified_ospf_diagram.png, OSPF topology with FGT-1 and FGT-2 connected over port1 and the 192.168.0.0/24 segment on FGT-1's port2]

In the topology above, 'FGT-1' and 'FGT-2' are OSPF neighbors over port1. With the default configuration, if the 192.168.0.0/24 network is added to FGT-1's OSPF configuration, the firewall will start to advertise the 192.168.0.0/24 network to 'FGT-2', but it will also send OSPF hello packets over port2.

config router ospf
    set router-id 8.8.8.8
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.0.0 255.255.255.0
        next
    end
end
 
In this case, when the packet sniffer is run on port2 with a filter for IP protocol 89 (OSPF), the following output appears: hello packets are sent to the AllSPFRouters multicast address 224.0.0.5 every 10 seconds.

diagnose sniffer packet port2 'proto 89' 4 none l
interfaces=[port2]
filters=[proto 89]
2020-04-19 10:11:01.771921 port2 -- 192.168.0.1 -> 224.0.0.5:  ip-proto-89 44
2020-04-19 10:11:11.393576 port2 -- 192.168.0.1 -> 224.0.0.5:  ip-proto-89 44
2020-04-19 10:11:21.805370 port2 -- 192.168.0.1 -> 224.0.0.5:  ip-proto-89 44
 
In this environment, it is not desirable to send OSPF hello packets from port2, since there is no other networking device (e.g. a router or firewall) running OSPF on this segment. If OSPF remains active on this interface, an attacker using PC-1 or PC-2 could form an unwanted OSPF neighborship with FGT-1 and advertise fake routes.

To stop sending hello packets over 'port2', configure 'port2' as a passive-interface.

config router ospf
    set passive-interface port2
end
 
Once 'passive-interface' is enabled for port2, 'FGT-1' will stop sending hello packets over port2 and will not listen for incoming OSPF Hello messages on this interface.

diagnose sniffer packet port2 'proto 89' 4 none l
interfaces=[port2]
filters=[proto 89]
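The 'network' and 'passive-interface' behaviour described above can be checked offline against a saved configuration. The following Python script is an added example and is not part of this article or of FortiOS: it parses a constructed FortiOS-style configuration (the interface addresses for port1 and port3 are assumed for illustration), works out which interfaces have a subnet inside an OSPF 'network' prefix, and reports those that are not listed in 'set passive-interface', i.e. the interfaces that will send hello packets. Reviewing that list is a quick way to spot segments such as port2 where an unneeded OSPF adjacency could be formed.

```python
import ipaddress
import shlex

# Constructed sample configuration (not a real device export). The port1 and
# port3 addresses are assumptions; the OSPF section mirrors the article's example
# with port2 already set as a passive interface.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 10.10.10.1 255.255.255.0
    next
    edit "port2"
        set ip 192.168.0.1 255.255.255.0
    next
    edit "port3"
        set ip 172.16.5.1 255.255.255.0
    next
end
config router ospf
    set router-id 8.8.8.8
    set passive-interface port2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.0.0 255.255.255.0
        next
    end
end
"""


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' text into nested dicts.

    'config X' and 'edit N' open a nested dict under key X or N,
    'set k v ...' stores the list of values under k, and 'next' / 'end'
    return to the enclosing block. Only this subset of the syntax is handled.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def ospf_hello_interfaces(config):
    """Return sorted (interface, subnet, matching prefix) tuples for interfaces
    that will send OSPF hellos: their subnet lies within an OSPF 'network'
    prefix and they are not configured as passive."""
    ospf = config.get("router ospf", {})
    passive = set(ospf.get("passive-interface", []))
    prefixes = [
        ipaddress.ip_network("/".join(entry["prefix"]), strict=False)
        for entry in ospf.get("network", {}).values()
    ]
    active = []
    for name, iface in config.get("system interface", {}).items():
        if "ip" not in iface:
            continue
        subnet = ipaddress.ip_interface("/".join(iface["ip"])).network
        covered = [p for p in prefixes if subnet.subnet_of(p)]
        if covered and name not in passive:
            active.append((name, str(subnet), str(covered[0])))
    return sorted(active)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for name, subnet, prefix in ospf_hello_interfaces(cfg):
        print(f"{name}: {subnet} matches OSPF network {prefix}, hellos will be sent")
```

With port2 passive, only port1 (the link to FGT-2) is reported; removing the 'set passive-interface port2' line makes port2 appear in the list as well, which matches the sniffer output shown earlier in the article.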