1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Help
    4. Network
    5. Network > Network Profiles
    6. Network > Network Profiles > Zone Protection
    7. Ethernet SGT Protection

    Ethernet SGT Protection

    For a Cisco TrustSec network, create a Zone Protection profile to drop packets having specific Security Group Tags (SGTs).
    • Network > Network Profiles > Zone Protection > Ethernet SGT Protection
    For a firewall in a Cisco TrustSec network, create a Zone Protection profile with a list of Layer 2 Security Group Tags (SGTs) that you want to exclude. Apply the Zone Protection profile to a Layer 2, virtual wire, or tap interface. If an incoming packet with an 802.1Q (Ethertype 0x8909) header has an SGT that matches an SGT in your list, the firewall drops the packet.
    Zone Protection Profile Settings
    Configured In
    Description
    Layer 2 SGT Exclude List
    Network
    Network Profiles
    Zone Protection
    Ethernet SGT Protection
    Enter a name for the list of Security Group Tags (SGTs).
    Tag
    Enter the Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    Enable
    Enable
     (default) this exclude list for Ethernet SGT protection. De-select the
    Enable
     option to disable the exclude list.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo