In a Zone Protection profile, Protocol Protection defends
against non-IP protocol based attacks. Enable Protocol Protection
to block or allow non-IP protocols between security zones on a Layer 2
VLAN or on a virtual wire, or between interfaces within a single
zone on a Layer 2 VLAN (Layer 3 interfaces and zones drop non-IP
protocols so non-IP Protocol Protection doesn’t apply).
Configure Protocol Protection to
reduce security risks and facilitate regulatory compliance by preventing
less secure protocols from entering a zone, or an interface in a zone.
If you need to discover which non-IP protocols are running on
your network, use monitoring tools such as NetFlow, Wireshark, or
other third-party tools to identify them.
Examples of non-IP protocols you can block or allow are LLDP, NetBEUI,
Spanning Tree, and Supervisory Control and Data Acquisition (SCADA)
systems such as Generic Object Oriented Substation Event (GOOSE), among
many others.
Create an Exclude List or an Include List to configure Protocol Protection
for a zone. The Exclude List is a block list—the firewall blocks all of
the protocols you place in the Exclude List and allows all other
protocols. The Include List is an allow list—the firewall allows only the
protocols you specify in the list and blocks all other protocols.
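The following is an added example, not Palo Alto Networks' code, that models the two list semantics described above: an Exclude List (block listed protocols, allow the rest) versus an Include List (allow listed protocols, block the rest). It assumes the non-IP protocol is identified by the Ethernet frame's Ethertype (IEEE-registered values such as 0x88CC for LLDP and 0x88B8 for GOOSE), that one 802.1Q VLAN tag may precede it, and that IPv4, IPv6 and ARP frames are outside the scope of non-IP Protocol Protection; the `make_frame` helper, the mode names and the sample frames are constructed for this example. It also shows a case the prose only hints at: Spanning Tree and NetBEUI travel in 802.3/LLC frames that carry a length field rather than an Ethertype, so an Ethertype-keyed Include List (default deny) drops them while an Exclude List (default allow) passes them.

```python
# Added example (not Palo Alto Networks' code): a model of how an Exclude List
# (block list) and an Include List (allow list) decide whether a non-IP
# Layer 2 frame may pass, keyed on the frame's Ethertype.
import struct
from typing import Dict, Optional, Set, Tuple

# IEEE-registered Ethertype values.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_GOOSE = 0x88B8   # IEC 61850 GOOSE
ETHERTYPE_LLDP = 0x88CC
MAX_8023_LENGTH = 0x05DC   # <= this value the field is an 802.3 length, not an Ethertype

# Assumption of this example: IP-family frames are not subject to non-IP
# Protocol Protection, so they are always passed through by this model.
IP_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6}


def ethertype_of(frame: bytes) -> Optional[int]:
    """Return the Ethertype of an Ethernet frame, skipping one 802.1Q tag.

    Returns None for 802.3/LLC frames (e.g. STP BPDUs, NetBEUI), which carry
    a length field in place of an Ethertype.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (etype,) = struct.unpack("!H", frame[16:18])
    if etype <= MAX_8023_LENGTH:
        return None
    return etype


def protocol_allowed(frame: bytes, mode: str, ethertypes: Set[int]) -> bool:
    """Decide whether a frame's protocol passes under Protocol Protection.

    mode == "exclude": the list is a block list; listed Ethertypes are dropped
                       and everything else (including LLC frames) is allowed.
    mode == "include": the list is an allow list; only listed Ethertypes pass,
                       so LLC frames with no Ethertype are dropped too.
    """
    etype = ethertype_of(frame)
    if etype in IP_ETHERTYPES:
        return True
    if mode == "exclude":
        return etype not in ethertypes
    if mode == "include":
        return etype in ethertypes
    raise ValueError(f"unknown mode {mode!r}")


def make_frame(etype: int, vlan: Optional[int] = None,
               payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed sample frame: dst MAC, src MAC, optional 802.1Q tag,
    then the Ethertype (or 802.3 length) field and a dummy payload."""
    dst = b"\x01\x80\xc2\x00\x00\x0e"  # sample multicast destination
    src = b"\x02\x00\x00\x00\x00\x01"  # sample locally administered source
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


def evaluate_samples() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed frames through an Exclude List {LLDP} and an
    Include List {GOOSE}; returns name -> (exclude_result, include_result)."""
    exclude_list = {ETHERTYPE_LLDP}
    include_list = {ETHERTYPE_GOOSE}
    samples = {
        "lldp": make_frame(ETHERTYPE_LLDP),
        "goose_vlan10": make_frame(ETHERTYPE_GOOSE, vlan=10),
        "ipv4": make_frame(ETHERTYPE_IPV4),
        "stp_bpdu": make_frame(0x0026),  # 802.3 length field: LLC frame, no Ethertype
    }
    return {
        name: (protocol_allowed(f, "exclude", exclude_list),
               protocol_allowed(f, "include", include_list))
        for name, f in samples.items()
    }


if __name__ == "__main__":
    for name, (exc, inc) in evaluate_samples().items():
        print(f"{name:14s} exclude-list: {'allow' if exc else 'block'}  "
              f"include-list: {'allow' if inc else 'block'}")
```

The `stp_bpdu` row is the one to watch when choosing between list types: because an Include List only admits what is explicitly listed, anything the firewall cannot identify by Ethertype falls into the blocked set, which is the safer default but can silently drop protocols you still depend on.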