Configure Ethernet SGT Protection

Configure 802.1Q header inspection when your firewall is part of a Cisco TrustSec network.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a 16-bit Layer 2 Security Group Tag (SGT) to each user or endpoint session. When your firewall is part of a Cisco TrustSec network, it must understand the TrustSec 802.1Q header in order to perform content inspection. A Zone Protection profile with Ethernet SGT protection configured lets the firewall inspect 802.1Q headers (EtherType 0x8909) for specific Layer 2 SGT values and drop a packet whose SGT matches the exclude list configured in the Zone Protection profile attached to the ingress interface. In other words, the profile specifies which SGT values are denied access to the zone.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DoS Protection, and select the Configuration Scope where you want to create the Zone Protection profile. You can select a folder or firewall from your Folders, or select Snippets to configure the Zone Protection profile in a snippet.
  3. Navigate to Zone Protection Profiles and Add Profile.
  4. Enter a descriptive Name.
  5. (Optional) Enter a Description.
  6. Select Ethernet SGT.
  7. Add a Layer 2 SGT Exclude List by name.
  8. Enter one or more Tag values for the list. The range is 0 to 65,535. An individual entry can also be a contiguous range of tag values (for example, 100-500). You can add up to 100 tag entries (individual values or ranges) to an Exclude List.
  9. Enable the Layer 2 SGT Exclude List. Layer 2 SGT Exclude Lists are enabled by default when added. You can modify an existing Zone Protection profile to disable a specific Layer 2 SGT Exclude List without removing it from the profile.
  10. Save.
