Configure Protocol Protection
Focus
Focus
Next-Generation Firewall

Configure Protocol Protection

Table of Contents

Configure Protocol Protection

Defend your zones against protocol-based attacks.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?What Do I Need?
One of these:
A Zone Protection profile configured for protocol protection defends your zones against non-IP protocol-based attacks. Configure protocol protection to block or allow non-IP protocols between your zones and interfaces. This allows you to reduce security risks and facilitate regulatory compliance by preventing less secure protocols from entering a zone or an interface in a zone. When you configure zone protection for non-IP protocols on zones that have Aggregate Ethernet (AE) interfaces, you must block or allow a non-IP protocol for all AE interface members. Enforcing non-IP protocols for only one AE interface member isn’t supported.
By default, the predefined intrazone-default Security policy rule allows non-IP traffic between interfaces in the same zone.
To configure protocol protection, you create an Exclude List or Include List to which you add the non-IP protocols you want to deny or allow. A Zone Protection profile configured for protocol protection supports an exclude list, an include list, or both in a single profile.
Protocol protection doesn’t support blocking IPv4 (EtherType 0x0800), ARP (0x0806), or VLAN-tagged frames (0x8100). The firewall always implicitly allows these four Ethertypes in an Include List even if you don’t explicitly add them and doesn’t permit you to add them to an Exclude List.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.
    You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
  3. Navigate to the Zone Protection Profiles and Add Profile.
  4. Enter a descriptive Name.
  5. (Optional) Enter a Description.
  6. Select Protocol.
  7. Configure the protocol protection Rule Type.
    Select Exclude List to specify which protocols you want to deny from entering the zone. Select Include List to specify which protocols you want to allow to enter the zone.
    Use an include list instead of an exclude list to control non-IP protocol traffic entering your zones. Include lists specifically sanction only the protocols you want to allow and block protocols not defined in the include list. This reduces your attack surface and blocks unknown traffic.
  8. Specify the non-IP protocols that you want to enforce.
    1. Add the protocols you want to include in the Exclude List or Include List.
    2. Enter the Protocol Name.
    3. Enable.
      Protocols added to an Include List or Exclude List or enabled by default.
      You can modify an existing Zone Protection profile to disable a specific protocol from enforcement.
    4. Enter the Ethertype.
      A list supports up to 64 EtherType entries identified by the IEEE hexadecimcal Ethertype code. Other sources of EtherType codes are https://standards-oui.ieee.org/ethertype/eth.txt and https://www.cavebear.com/archive/cavebear/Ethernet/type.html.
  9. Save.