Created on 04-19-2020 05:39 AM Edited on 12-16-2021 01:06 AM By Anonymous
Description
This article describes how to enable passive-interface in the CLI.
Solution
The OSPF 'network' command advertises every interface whose address falls within the configured prefix, and hello packets are sent out of each of those interfaces.
Sending OSPF hello packets is not necessary on every such interface.
In the topology above, 'FGT-1' and 'FGT-2' are OSPF neighbors over port1. With the default OSPF configuration on 'FGT-1', it advertises the 192.168.0.0/24 network to 'FGT-2' and sends hello packets out of both port1 and port2, the interface to which SW-1 is connected.
# config router ospf
    set router-id 8.8.8.8
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.0.0 255.255.255.0
        next
    end
end
With this configuration, a sniffer trace on port2 filtered on IP protocol 89 (OSPF) shows the following output.
# diag sniffer packet port2 'proto 89' 4 none l
interfaces=[port2]
filters=[proto 89]
2020-04-19 10:11:01.771921 port2 -- 10.250.3.51 -> 224.0.0.5: ip-proto-89 44
2020-04-19 10:11:11.393576 port2 -- 10.250.3.51 -> 224.0.0.5: ip-proto-89 44
2020-04-19 10:11:21.805370 port2 -- 10.250.3.51 -> 224.0.0.5: ip-proto-89 44
Sending hello packets out of 'port2' is not desirable, since no other OSPF-speaking device (router or firewall) is connected there.
It also creates a security risk: an attacker on PC-1 or PC-2 could send hello packets to 'FGT-1', form an adjacency and advertise fake routes.
To stop 'FGT-1' sending hello packets over 'port2', configure 'port2' as a passive interface.
# config router ospf
    set passive-interface port2
end
Once 'passive-interface' is enabled for port2, 'FGT-1' no longer sends hello packets out of port2, and the same sniffer command shows no OSPF traffic.
# diag sniffer packet port2 'proto 89' 4 none l
interfaces=[port2]
filters=[proto 89]
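As an added verification step (example code written for this article, not Fortinet tooling), the following Python parses the 'diag sniffer' output and the OSPF config stanza shown above and reports any interface that is configured passive but still emits packets to the AllSPFRouters group; the sample config and sniffer text are constructed from the article's output format.

```python
import re
from datetime import datetime

# Constructed sample inputs, copied from the article's CLI output format (not live captures).
OSPF_CONFIG = """config router ospf
    set router-id 8.8.8.8
    set passive-interface port2
end
"""
SNIFFER_BEFORE = """interfaces=[port2]
filters=[proto 89]
2020-04-19 10:11:01.771921 port2 -- 10.250.3.51 -> 224.0.0.5: ip-proto-89 44
2020-04-19 10:11:11.393576 port2 -- 10.250.3.51 -> 224.0.0.5: ip-proto-89 44
2020-04-19 10:11:21.805370 port2 -- 10.250.3.51 -> 224.0.0.5: ip-proto-89 44
"""
SNIFFER_AFTER = "interfaces=[port2]\nfilters=[proto 89]\n"

# One packet line of "diag sniffer packet <if> 'proto 89' 4 none l" output.
PKT_RE = re.compile(r"^(\S+ \S+) (\S+) -- (\S+) -> (\S+): ip-proto-89 (\d+)$")


def parse_ospf_packets(sniffer_output):
    """Return (timestamp, interface, src, dst) for every OSPF (IP protocol 89) line."""
    pkts = []
    for line in sniffer_output.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            pkts.append((ts, m.group(2), m.group(3), m.group(4)))
    return pkts


def passive_interfaces(config_text):
    """Interfaces named on 'set passive-interface ...' lines (several may be listed)."""
    names = set()
    for line in config_text.splitlines():
        m = re.match(r"^\s*set passive-interface\s+(.+)$", line)
        if m:
            names.update(tok.strip('"') for tok in m.group(1).split())
    return names


def hello_interval(pkts):
    """Mean gap in seconds between consecutive packets (OSPF default hello timer is 10 s)."""
    ts = sorted(p[0] for p in pkts)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return sum(gaps) / len(gaps) if gaps else None


def passive_violations(config_text, sniffer_output):
    """Interfaces configured passive that still send to AllSPFRouters (224.0.0.5)."""
    passive = passive_interfaces(config_text)
    seen = {ifc for _, ifc, _, dst in parse_ospf_packets(sniffer_output) if dst == "224.0.0.5"}
    return sorted(passive & seen)
```

Run it against a capture taken after the change; an empty result from passive_violations confirms port2 is quiet, while a non-empty one means the passive setting did not take effect.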