Protocol Protection

While packet-based attack protection defends against Layer 3 packet-based attacks, protocol protection defends against non-IP protocol packets. The protocol protection portion of a zone protection profile blocks or allows non-IP protocol packets between security zones on a Layer 2 VLAN or on a virtual wire or between interfaces within a single zone on a Layer 2 VLAN. Configure Protocol Protection to reduce security risks and facilitate regulatory compliance by preventing less secure protocol packets from entering a zone, or an interface in a zone, where they don’t belong.
Examples of non-IP protocols that you can block (exclude) or allow (include) are AppleTalk, Banyan VINES, LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) systems such as Generic Object Oriented Substation Event (GOOSE), among many others.
You can run App-ID reports to determine whether any non-IP protocol packets are arriving at Layer 2 interfaces on the firewall. Apply the zone protection profile to an ingress security zone for physical interfaces or AE interfaces, thereby controlling interzone traffic (where the protocol packets attempt to enter one zone from another) or intrazone traffic (where the protocol packets traverse a single zone—VLAN—between its interfaces).
Each Include List or Exclude List you configure supports up to 64 Ethertype entries, each identified by its IEEE hexadecimal Ethertype code. Other sources of Ethertype codes are standards.ieee.org/develop/regauth/ethertype/eth.txt and http://www.cavebear.com/archive/cavebear/Ethernet/type.html.
Protocol protection doesn’t let you block IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). These four Ethertypes are always implicitly allowed in an Include List without listing them. They’re also implicitly allowed even if you configure an Exclude List; you can’t exclude them.
When you configure zone protection for non-IP protocols on zones that have Aggregated Ethernet (AE) interfaces, you can’t block or allow a non-IP protocol on only one AE interface because AE interfaces are treated as a group.
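The Include List and Exclude List semantics above (allow only what is listed versus block only what is listed, the four implicitly allowed Ethertypes, and the 64-entry limit per list) can be modelled in a few dozen lines. The following is an added example written for this page, not PAN-OS code or configuration syntax; the class and function names, the sample frames and the two sample lists are all constructed for illustration. It reads the Ethertype from raw Ethernet II frames and applies a list to a batch of them, rejecting lists that try to name one of the always-allowed Ethertypes or exceed the entry limit.

```python
"""Model of a zone protection profile's Protocol Protection list.

Added example (not PAN-OS code): it reproduces the semantics the page
describes. An Include List allows only the listed Ethertypes, an Exclude
List blocks only the listed ones, IPv4/IPv6/ARP/VLAN-tagged frames are
always implicitly allowed, and each list holds at most 64 entries.
"""
from dataclasses import dataclass
from enum import Enum

# Ethertypes the page says can never be blocked and never need listing.
IMPLICIT_ALLOW = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "VLAN-tagged"}
MAX_ENTRIES = 64          # per Include List or Exclude List (from the page)
MIN_ETHERTYPE = 0x0600    # IEEE 802.3: smaller values are a length field, not an Ethertype


class ListType(Enum):
    INCLUDE = "include"   # allow-list: only listed Ethertypes pass
    EXCLUDE = "exclude"   # block-list: listed Ethertypes are dropped


@dataclass(frozen=True)
class ProtocolProtection:
    list_type: ListType
    ethertypes: frozenset

    def __post_init__(self) -> None:
        if len(self.ethertypes) > MAX_ENTRIES:
            raise ValueError(f"list holds {len(self.ethertypes)} entries, limit is {MAX_ENTRIES}")
        for et in self.ethertypes:
            if not MIN_ETHERTYPE <= et <= 0xFFFF:
                raise ValueError(f"0x{et:04X} is not a valid Ethertype")
            if et in IMPLICIT_ALLOW:
                raise ValueError(f"0x{et:04X} ({IMPLICIT_ALLOW[et]}) cannot be listed; it is always allowed")

    def allows(self, ethertype: int) -> bool:
        """Decide whether a frame with this Ethertype may enter the zone."""
        if ethertype in IMPLICIT_ALLOW:
            return True
        if self.list_type is ListType.INCLUDE:
            return ethertype in self.ethertypes
        return ethertype not in self.ethertypes


def is_valid_profile(list_type: ListType, ethertypes) -> bool:
    """True if the list would be accepted, False if it breaks a rule above."""
    try:
        ProtocolProtection(list_type, frozenset(ethertypes))
        return True
    except ValueError:
        return False


def ethertype_of(frame: bytes) -> int:
    """Read the Ethertype field (bytes 12-13) of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    field = int.from_bytes(frame[12:14], "big")
    if field < MIN_ETHERTYPE:
        raise ValueError(f"0x{field:04X} is an 802.3 length field, not an Ethertype")
    return field


def make_frame(ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed sample frame: broadcast dst, locally administered src."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + ethertype.to_bytes(2, "big") + payload


def filter_frames(profile: ProtocolProtection, frames):
    """Return (allowed, blocked) lists of Ethertypes for a batch of frames."""
    allowed, blocked = [], []
    for frame in frames:
        et = ethertype_of(frame)
        (allowed if profile.allows(et) else blocked).append(et)
    return allowed, blocked


# Constructed sample traffic: IPv4, ARP, LLDP, GOOSE, AppleTalk (real Ethertype codes).
SAMPLE_FRAMES = [make_frame(et) for et in (0x0800, 0x0806, 0x88CC, 0x88B8, 0x809B)]

# Constructed Exclude List for an OT zone: drop LLDP and AppleTalk, let GOOSE through.
OT_EXCLUDE = ProtocolProtection(ListType.EXCLUDE, frozenset({0x88CC, 0x809B}))
# Constructed Include List for a stricter zone: only GOOSE and LLDP (plus the implicit four).
OT_INCLUDE = ProtocolProtection(ListType.INCLUDE, frozenset({0x88B8, 0x88CC}))

if __name__ == "__main__":
    for name, prof in (("exclude", OT_EXCLUDE), ("include", OT_INCLUDE)):
        ok, dropped = filter_frames(prof, SAMPLE_FRAMES)
        print(name, "allowed", [hex(e) for e in ok], "blocked", [hex(e) for e in dropped])
```

Running the module prints the allowed and blocked Ethertypes for each sample list; the IPv4 and ARP frames pass under both lists without being named, which is the implicit-allow behaviour the page describes, and a list that tries to name 0x0800 or that carries 65 entries is rejected at construction time.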
