For a firewall in a Cisco TrustSec network, create
a Zone Protection profile with a list of Layer 2 Security Group
Tags (SGTs) that you want to exclude. Apply the Zone Protection
profile to a Layer 2, virtual wire, or tap interface. If an incoming
packet with an 802.1Q (Ethertype 0x8909) header has an SGT that
matches an SGT in your list, the firewall drops the packet.
Enter a name for the list of Security Group Tags (SGTs).

Tag
Enter the Layer 2 SGTs that you want to exclude. When the Zone Protection profile is applied to a zone, the firewall excludes (drops) packets whose header carries an SGT that matches this list (range is 0 to 65,535).

Enable
Enable (default) this exclude list for Ethernet SGT protection. De-select the Enable option to disable the exclude list.
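
The drop decision described above can be checked offline against captured frames. The following Python sketch is an added example, not Palo Alto Networks code. It assumes the SGT header layout after Ethertype 0x8909 is version (1 byte), length (1 byte), option (2 bytes, low 13 bits = type 1 for SGT), SGT (2 bytes), optionally preceded by a 0x8100 VLAN tag. All function names and sample frames are constructed for illustration.

```python
import struct

ETH_VLAN = 0x8100      # VLAN tag that may precede the SGT header (assumption)
ETH_SGT = 0x8909       # Ethertype named on this page for the SGT header
SGT_OPTION_TYPE = 1    # assumed option type that marks an SGT value

def extract_sgt(frame: bytes):
    """Return the Layer 2 SGT carried in the frame, or None if absent or truncated."""
    offset = 12                                   # skip destination and source MAC
    while len(frame) >= offset + 2:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype == ETH_VLAN:
            offset += 4                           # skip TPID and TCI, look again
            continue
        if ethertype != ETH_SGT or len(frame) < offset + 8:
            return None                           # no SGT header, or cut short
        _ver, _len, option, sgt = struct.unpack_from("!BBHH", frame, offset + 2)
        return sgt if option & 0x1FFF == SGT_OPTION_TYPE else None
    return None

def validate_exclude_list(tags):
    """Enforce the documented tag range of 0 to 65,535."""
    bad = [t for t in tags if not 0 <= t <= 65535]
    if bad:
        raise ValueError(f"SGT out of range: {bad}")
    return frozenset(tags)

def should_drop(frame: bytes, exclude_list, enabled: bool = True) -> bool:
    """Drop only when the list is enabled and the frame's SGT is in it."""
    if not enabled:
        return False
    sgt = extract_sgt(frame)
    return sgt is not None and sgt in exclude_list

def build_frame(sgt=None, vlan=None) -> bytes:
    """Constructed sample frame: zeroed MACs, optional VLAN and SGT headers, IPv4 stub."""
    frame = bytes(12)
    if vlan is not None:
        frame += struct.pack("!HH", ETH_VLAN, vlan)
    if sgt is not None:
        frame += struct.pack("!HBBHH", ETH_SGT, 1, 1, SGT_OPTION_TYPE, sgt)
    return frame + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)

if __name__ == "__main__":
    excluded = validate_exclude_list([100, 200])
    for f in (build_frame(100, vlan=10), build_frame(300), build_frame()):
        print(extract_sgt(f), should_drop(f, excluded))
```
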