>
    Configure Ethernet SGT Protection
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Zone Protection and DoS Protection
    4. Zone Defense
    5. Zone Protection Profiles
    6. Configure Ethernet SGT Protection
    Download PDF
    Next-Generation Firewall

    Configure Ethernet SGT Protection

    Table of Contents

    Configure Ethernet SGT Protection

    In a Cisco TrustSec network, employ Zone Protection based on dropping packets that contain specific security group tags (SGTs) in the 802.1Q header.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses when using Strata Cloud Manager
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    Use the following task to configure an Ethernet SGT Protection profile.

    Configure Ethernet SGT Protection (PAN-OS)

    Procedure for configuring an Ethernet SGT protection profile in PAN-OS and Panorama.
    1. Create a Zone Protection profile to provide Ethernet SGT Protection.
      1. Select NetworkNetwork ProfilesZone Protection.
      2. Add a Zone Protection profile by Name.
      3. Select Ethernet SGT Protection.
      4. Add a Layer 2 SGT Exclude List by name.
      5. Enter one or more Tag values for the list; range is 0 to 65,535. You can enter individual entries that are a contiguous range of tag values (for example, 100-500). You can add up to 100 (individual or range) tag entries in an Exclude List.
      6. Enable the Layer 2 SGT Exclude List. You can disable the list at any time.
      7. Click OK.
    2. Apply the Zone Protection profile to the security zone to which the Layer 2, virtual wire, or tap interfaces belong.
      1. Select NetworkZones.
      2. Add a zone.
      3. Enter the Name of the zone.
      4. For Location, select the virtual system where the zone applies.
      5. For Type, select Layer2, Virtual Wire, or Tap.
      6. Add an Interface that belongs to the zone.
      7. For Zone Protection Profile, select the profile you created.
      8. Click OK.
    3. Commit.
    4. View the global counter of packets that the firewall dropped as a result of all Zone Protection profiles that employ Ethernet SGT Protection.
      1. Access the CLI.
      2. > show counter global name pan_flow_dos_l2_sec_tag_drop

    Configure Ethernet SGT Protection (SCM)

    Procedure for configuring an Ethernet SGT protection profile in Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDoS ProtectionConfigurationNGFW and Prisma AccessSecurity ServicesDoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.
      You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
    3. Navigate to the Zone Protection Profiles and Add Profile.
    4. Enter a descriptive Name.
    5. (Optional) Enter a Description.
    6. Select Ethernet SGT.
    7. Add a Layer 2 SGT Exclude List by name.
    8. Enter one or more Tag values for the list.
      Range is 0 to 65,535. You can enter individual entries that are a contiguous range of tag values (for example, 100-500). You can add up to 100 (individual or range) tag entries in an Exclude List.
    9. Enable the Layer 2 SGT Exclude List.
      Layer 2 SGT Exclude Lists are enabled by default when added.
      You can modify an existing Zone Protection profile to disable a specific Layer 2 SGT Exclude List from enforcement.
    10. Save.

    © 2025 Palo Alto Networks, Inc. All rights reserved.