Protect your network against Layer 2 protocols that don’t
belong on your network.
In a Zone Protection profile, Protocol Protection defends against
attacks that use non-IP protocols. Enable Protocol Protection to block
or allow non-IP protocols between security zones on a Layer 2 VLAN or on
a virtual wire, or between interfaces within a single zone on a Layer 2
VLAN. (Layer 3 interfaces and zones drop non-IP protocols, so Protocol
Protection doesn't apply to them.) Configure Protocol Protection to reduce
security risk and facilitate regulatory compliance by preventing less
secure protocols from entering a zone, or an interface in a zone.
If you don't configure a Zone Protection profile that prevents non-IP
protocols from passing between Layer 2 interfaces in the same zone, the
firewall allows the traffic because of the default intrazone-allow
Security policy rule. You can create a Zone Protection profile that blocks
protocols such as LLDP within a zone to prevent discovery of networks
reachable through other interfaces in that zone.
If you need to discover which non-IP protocols are running on your
network, use monitoring tools such as NetFlow, Wireshark, or other
third-party tools to identify them before you build the lists.
Examples of non-IP protocols you can block or allow are LLDP, NetBEUI,
Spanning Tree, and Supervisory Control and Data Acquisition (SCADA)
protocols such as Generic Object Oriented Substation Event (GOOSE),
among many others.
When you configure Protocol Protection for a zone, you choose one of two
list types and identify each protocol by its Ethertype (for example,
0x88cc for LLDP). The Exclude List is a block list: the firewall blocks
all of the protocols you place in the list and allows all other
protocols. The Include List is an allow list: the firewall allows only
the protocols you specify in the list and blocks all other protocols.
Use include lists for Protocol Protection instead of exclude lists. An
include list sanctions only the protocols you want to allow and blocks
every protocol you don't need or didn't know was on your network, which
reduces the attack surface and blocks unknown traffic. An exclude list
blocks only what you already know about, so a protocol you haven't
identified passes through untouched.
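As an added example (not Palo Alto Networks code, and a simplified model of the list semantics rather than the firewall's implementation), the following Python reads the Ethertype from constructed raw Ethernet frames, looking past an 802.1Q VLAN tag and recognising 802.3/LLC frames such as Spanning Tree BPDUs, then applies an include list and an exclude list to the same traffic. The Ethertype constants are the IEEE-assigned values; the ALWAYS_ALLOWED set for the IP family, the 0x9999 "unknown" protocol and the sample frames are assumptions constructed for illustration.

```python
import struct
from typing import Dict, Optional, Set

# IEEE-assigned Ethertype values used by the constructed frames below.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag; the real Ethertype follows the tag
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_GOOSE = 0x88B8   # IEC 61850 GOOSE
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_UNKNOWN = 0x9999  # constructed: a protocol nobody knew was on the wire
LLC_FRAME = 0x0000          # marker for 802.3/LLC frames (STP, NetBEUI), which carry a length, not a type

# Modelling assumption: Protocol Protection governs non-IP traffic only,
# so the IP family passes regardless of which list is configured.
ALWAYS_ALLOWED = {ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP}


def ethertype_of(frame: bytes) -> int:
    """Return the Ethertype of a raw frame, looking past one 802.1Q tag.
    A type/length field below 0x0600 is an 802.3 length, meaning the frame
    is LLC-encapsulated, so LLC_FRAME is returned for it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (tpid,) = struct.unpack_from("!H", frame, offset)
    if tpid == ETHERTYPE_VLAN:
        offset = 16  # skip TPID (2 bytes) and TCI (2 bytes)
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tpid,) = struct.unpack_from("!H", frame, offset)
    return LLC_FRAME if tpid < 0x0600 else tpid


def decide(frame: bytes, mode: str, listed: Set[int]) -> str:
    """Apply an include list (allow only what is listed) or an exclude list
    (block only what is listed) to one frame; returns 'allow' or 'block'."""
    et = ethertype_of(frame)
    if et in ALWAYS_ALLOWED:
        return "allow"
    if mode == "include":
        return "allow" if et in listed else "block"
    if mode == "exclude":
        return "block" if et in listed else "allow"
    raise ValueError(f"unknown list mode {mode!r}")


def make_frame(type_or_len: int, payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Build a constructed Ethernet frame: dst, src, optional 802.1Q tag, type/length, payload."""
    dst = bytes.fromhex("0180c200000e")  # sample multicast destination
    src = bytes.fromhex("001122334455")  # sample source address
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", type_or_len) + payload


# Constructed sample traffic, as seen between two Layer 2 interfaces in one zone.
SAMPLE_FRAMES: Dict[str, bytes] = {
    "ipv4": make_frame(ETHERTYPE_IPV4, b"\x45" + bytes(19)),
    "lldp": make_frame(ETHERTYPE_LLDP, b"\x02\x07\x04" + bytes(6)),
    "goose": make_frame(ETHERTYPE_GOOSE, b"\x00\x01\x00\x10" + bytes(12), vlan_id=100),
    "stp": make_frame(0x0026, b"\x42\x42\x03" + bytes(35)),  # 802.3 length, LLC DSAP/SSAP 0x42 = STP
    "unknown": make_frame(ETHERTYPE_UNKNOWN, bytes(46)),
}


def evaluate(mode: str, listed: Set[int]) -> Dict[str, str]:
    """Run one list configuration over every sample frame."""
    return {name: decide(frame, mode, listed) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    # Exclude list naming only LLDP: STP and the unknown protocol still pass.
    print("exclude {LLDP}: ", evaluate("exclude", {ETHERTYPE_LLDP}))
    # Include list sanctioning only GOOSE: every other non-IP protocol is blocked.
    print("include {GOOSE}:", evaluate("include", {ETHERTYPE_GOOSE}))
```

The two runs make the recommendation concrete: with an exclude list the 0x9999 frame and the Spanning Tree BPDU are allowed because nobody listed them, while the include list blocks both without anyone having to know they existed. The same `ethertype_of` routine can be pointed at frames pulled from a capture to build the inventory the include list needs.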