Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire
You can now use a Zone Protection profile to block or allow non-IP protocols between security zones on a Layer 2 VLAN or a virtual wire. You can also block or allow such protocols between interfaces within a single zone on a Layer 2 VLAN. Controlling non-IP protocols for a zone reduces security risks and facilitates regulatory compliance by preventing these less secure protocol packets from entering a zone or interface in a zone where they don’t belong.
Examples of non-IP protocols that you can control are AppleTalk, Banyan VINES, LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) systems such as Generic Object Oriented Substation Event (GOOSE), among many others.
Enhance your zone protection by configuring protocol protection, which lists non-IP protocols for the firewall to either block (exclude) or allow (include). Apply the Zone Protection profile to an ingress security zone for physical interfaces or AE interfaces.
For example, a firewall in a Layer 2 VLAN can be divided into two subinterfaces, each belonging to a VLAN and a zone. You can whitelist the GOOSE protocol for one zone and blacklist it for the other zone, as shown in the following figure:
If you don’t implement a Zone Protection profile with non-IP protocol control, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In the following intrazone example, blacklisting LLDP packets ensures that LLDP for one network does not discover a network reachable through another interface in the zone. The Layer 2 VLAN is divided into two subinterfaces and belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:
- Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
- Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.
Each Include List or Exclude List you configure for protocol protection supports up to 64 Ethertype entries, identified by their IEEE hexadecimal Ethertype code. Locate the Ethertype codes you want to use at sources such as:
The firewall supports multiple Zone Protection profiles, one per zone. Protocol protection doesn’t let you block IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). These Ethertypes are implicitly allowed: you don’t need to list them in an Include List, and they remain allowed even if you configure an Exclude List.
- Configure non-IP Protocol Protection in a Zone Protection profile and apply the profile to an ingress security zone.
- Access the CLI to view the number of non-IP packets the firewall has dropped based on protocol protection:
  > show counter global name pkt_nonip_pkt_drop
  > show counter global name pkt_nonip_pkt_drop delta yes
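The rules above (an Include or Exclude List of up to 64 Ethertypes, with IPv4, IPv6, ARP and 802.1Q always passing, and a drop counter like pkt_nonip_pkt_drop) as an added example model in Python; this is not PAN-OS code, and the GOOSE and LLDP Ethertype values are IEEE assignments assumed here, not taken from this page:

```python
# Added example, not PAN-OS code: a model of the page's protocol-protection rules.
import struct

# Ethertypes the page says protocol protection can never block.
IMPLICITLY_ALLOWED = {0x0800, 0x86DD, 0x0806, 0x8100}
MAX_ENTRIES = 64  # per Include List or Exclude List

ETHERTYPE_GOOSE = 0x88B8  # IEC 61850 GOOSE; IEEE value, assumed, not on the page
ETHERTYPE_LLDP = 0x88CC   # IEEE 802.1AB LLDP; IEEE value, assumed, not on the page


class ProtocolProtection:
    """Protocol protection for one ingress zone: an Include or Exclude List."""
    def __init__(self, mode, ethertypes):
        if mode not in ("include", "exclude"):
            raise ValueError("mode must be 'include' or 'exclude'")
        if len(set(ethertypes)) > MAX_ENTRIES:
            raise ValueError(f"a list holds at most {MAX_ENTRIES} Ethertypes")
        self.mode = mode
        self.ethertypes = set(ethertypes)
        self.pkt_nonip_pkt_drop = 0  # counts drops, like the CLI global counter

    def allows(self, ethertype):
        """True if a frame with this Ethertype may enter the zone."""
        if ethertype in IMPLICITLY_ALLOWED:
            return True  # IPv4, IPv6, ARP and 802.1Q-tagged frames always pass
        listed = ethertype in self.ethertypes
        allowed = listed if self.mode == "include" else not listed
        if not allowed:
            self.pkt_nonip_pkt_drop += 1
        return allowed

    def inspect(self, frame):
        """Read the Ethertype (bytes 12-13) of a raw frame and apply the list."""
        if len(frame) < 14:
            raise ValueError("truncated Ethernet header")
        return self.allows(struct.unpack("!H", frame[12:14])[0])


def frame(ethertype, payload=b"\x00" * 46):
    """Constructed sample Ethernet II frame with placeholder MAC addresses."""
    return bytes(12) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    user_zone = ProtocolProtection("exclude", [ETHERTYPE_LLDP])  # intrazone use case
    for et in (ETHERTYPE_LLDP, ETHERTYPE_GOOSE, 0x0800):
        print(f"0x{et:04X}: {'allow' if user_zone.inspect(frame(et)) else 'drop'}")
    print("pkt_nonip_pkt_drop =", user_zone.pkt_nonip_pkt_drop)  # 1
```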