Protocol Protection

  • Network > Network Profiles > Zone Protection > Protocol Protection
By default, the firewall allows non-IP protocols between Layer 2 zones and between virtual wire zones. Protocol protection lets you control which non-IP protocols are allowed (include list) or denied (exclude list) between or within security zones on a Layer 2 VLAN or virtual wire. The firewall identifies each protocol by the Ethertype code in the Ethernet frame header. Examples of non-IP protocols include AppleTalk, Banyan VINES, Novell, NetBEUI, and Layer 2 protocols used in Supervisory Control and Data Acquisition (SCADA) environments, such as Generic Object Oriented Substation Event (GOOSE).
After you configure protocol protection in a Zone Protection profile, apply the profile to an ingress security zone on a Layer 2 VLAN or virtual wire.
Zone Protection Profile Settings—Protocol Protection

Configured In: Network > Network Profiles > Zone Protection > Protocol Protection

Rule Type
  Specify the type of list you are creating for protocol protection:
  • Include List—Only the Ethertypes on the list are allowed, in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100), which the firewall always allows. All other Ethertypes are implicitly denied (blocked).
  • Exclude List—Only the Ethertypes on the list are denied; all other Ethertypes are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

Protocol Name
  Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The name is a label only: the firewall does not check that it matches the Ethertype code, and the Ethertype code alone determines what the filter matches. A mislabeled entry still filters whatever Ethertype code you entered, so verify the code, not the name.

Enable
  Enable the entry so the firewall enforces it. To stop enforcing an entry temporarily (for example, during testing) without deleting it, clear Enable instead.

Ethertype (hex)
  Enter an Ethertype code preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can contain a maximum of 64 Ethertypes.
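To make the rule-type semantics concrete, the following Python script is an added example written for this page; it is not PAN-OS code or anything published by Palo Alto Networks. It models the behavior the settings above describe: an include list allows only the listed Ethertypes plus the four the firewall always passes, an exclude list denies only the listed ones and refuses to accept those four, disabled entries are ignored, Ethertypes must be 0x-prefixed hex within 0x0000 to 0xFFFF, a list holds at most 64 entries, and the protocol name is never checked against the code. The class and function names, the constructed sample frames, and the decision to classify a VLAN-tagged frame by its outer 0x8100 tag (the page does not say how the firewall treats the encapsulated Ethertype) are all assumptions of the example.

```python
"""Model of the Protocol Protection rules described on this page.

Added example; not PAN-OS code. The class and function names, the sample
frames and the handling of VLAN-tagged frames are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Ethertypes the firewall always allows, whichever rule type is used (from the page).
ALWAYS_ALLOWED = {0x0800, 0x86DD, 0x0806, 0x8100}  # IPv4, IPv6, ARP, 802.1Q tag
MAX_ENTRIES = 64  # a list holds at most 64 Ethertypes


def parse_ethertype(text: str) -> int:
    """Accept only the documented form: 0x-prefixed hex in 0x0000..0xFFFF."""
    if not text.lower().startswith("0x"):
        raise ValueError(f"{text!r}: Ethertype must be written with a 0x prefix")
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{text!r}: Ethertype outside 0x0000-0xFFFF")
    return value


@dataclass
class ProtocolEntry:
    name: str          # label only; the firewall never checks it against the code
    ethertype: int
    enabled: bool = True


@dataclass
class ProtocolProtection:
    rule_type: str                                   # "include" or "exclude"
    entries: List[ProtocolEntry] = field(default_factory=list)

    def add(self, name: str, ethertype_hex: str, enabled: bool = True) -> None:
        ethertype = parse_ethertype(ethertype_hex)
        if self.rule_type == "exclude" and ethertype in ALWAYS_ALLOWED:
            raise ValueError(f"{ethertype_hex} cannot be placed on an exclude list")
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"list already holds {MAX_ENTRIES} Ethertypes")
        self.entries.append(ProtocolEntry(name, ethertype, enabled))

    def active_ethertypes(self) -> Set[int]:
        # Disabled entries stay configured but take no part in filtering.
        return {e.ethertype for e in self.entries if e.enabled}

    def allows(self, ethertype: int) -> bool:
        if ethertype in ALWAYS_ALLOWED:
            return True
        if self.rule_type == "include":
            return ethertype in self.active_ethertypes()      # implicit deny
        return ethertype not in self.active_ethertypes()      # implicit allow


def frame_ethertype(frame: bytes) -> int:
    """Return the Ethertype field of an Ethernet II frame (header bytes 12-13).

    A VLAN-tagged frame carries 0x8100 here; this model stops at the tag and
    does not read the encapsulated Ethertype (assumption of this example).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return int.from_bytes(frame[12:14], "big")


def sample_frame(ethertype: int) -> bytes:
    """Constructed sample: broadcast destination, locally administered source."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + ethertype.to_bytes(2, "big") + b"\x00" * 46


def demo() -> Dict[str, Dict[str, bool]]:
    """Run the same constructed frames through an exclude list and an include list."""
    deny_appletalk = ProtocolProtection("exclude")
    deny_appletalk.add("AppleTalk", "0x809B")       # everything else passes

    only_goose = ProtocolProtection("include")
    only_goose.add("GOOSE", "0x88B8")               # IEC 61850 GOOSE; all else blocked

    frames = {
        "ipv4": sample_frame(0x0800),
        "vlan": sample_frame(0x8100),
        "appletalk": sample_frame(0x809B),
        "vines": sample_frame(0x0BAD),              # Banyan VINES IP
        "goose": sample_frame(0x88B8),
    }
    return {
        "exclude": {n: deny_appletalk.allows(frame_ethertype(f)) for n, f in frames.items()},
        "include": {n: only_goose.allows(frame_ethertype(f)) for n, f in frames.items()},
    }


if __name__ == "__main__":
    for rule, result in demo().items():
        print(rule, {k: ("allow" if v else "deny") for k, v in result.items()})
```

Running the script shows the practical difference between the two rule types on the same traffic: the exclude list passes the VINES frame because it is not listed, while the include list blocks it because only GOOSE was listed. Both lists pass IPv4 and the VLAN-tagged frame unconditionally, which is why an include list on a substation VLAN does not break ordinary IP management traffic.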
Some sources of Ethertype codes are:
