Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is 192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7.

Non-IP protocol protection applies to ingress zones. In this use case, if the Internet zone is the ingress zone, the firewall blocks the Generic Object Oriented Substation Event (GOOSE) protocol. If the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.

- Configure two VLAN subinterfaces.
  - Select Network > Interfaces > VLAN and Add an interface.
  - Interface Name defaults to vlan. After the period, enter 7.
  - On the Config tab, for Assign Interface To, select VLAN 200.
  - Click OK.
  - Select Network > Interfaces > VLAN and Add an interface.
  - Interface Name defaults to vlan. After the period, enter 6.
  - On the Config tab, for Assign Interface To, select VLAN 100.
  - Click OK.
- Configure protocol protection in a Zone Protection profile to block GOOSE protocol packets.
  - Select Network > Network Profiles > Zone Protection and Add a profile.
  - Enter the Name, Block GOOSE.
  - Select Protocol Protection.
  - Choose a Rule Type of Exclude List.
  - Enter the Protocol Name, GOOSE, to easily identify the Ethertype on the list. The firewall doesn't verify that the name you enter matches the Ethertype code; it uses only the Ethertype code to filter.
  - Enter the Ethertype code 0x88B8. The Ethertype must be preceded by 0x to indicate a hexadecimal value. The range is 0x0000 to 0xFFFF.
  - Select Enable to enforce the protocol protection. You can disable a protocol on the list, for example, for testing.
  - Click OK.
- Apply the Zone Protection profile to the Internet zone.
  - Select Network > Zones and Add a zone.
  - Enter the Name of the zone, Internet.
  - For Location, select the virtual system where the zone applies.
  - For Type, select Layer2.
  - Add the Interface that belongs to the zone, vlan.7.
  - For Zone Protection Profile, select the profile Block GOOSE.
  - Click OK.
- Configure protocol protection to allow GOOSE protocol packets. Create another Zone Protection profile named Allow GOOSE, and choose a Rule Type of Include List. When configuring an Include List, include all required non-IP protocols; an incomplete list can result in legitimate non-IP traffic being blocked.
- Apply the Zone Protection profile to the User zone.
  - Select Network > Zones and Add a zone.
  - Enter the Name of the zone, User.
  - For Location, select the virtual system where the zone applies.
  - For Type, select Layer2.
  - Add the Interface that belongs to the zone, vlan.6.
  - For Zone Protection Profile, select the profile Allow GOOSE.
  - Click OK.
- Commit. Click Commit.
- View the number of non-IP packets the firewall has dropped based on protocol protection.
  - `> show counter global name pkt_nonip_pkt_drop`
  - `> show counter global name pkt_nonip_pkt_drop delta yes`
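The following Python model, added here as an illustration and not part of the original page or of PAN-OS, applies the two profiles configured above (Exclude List on the Internet zone, Include List on the User zone) to constructed Ethernet frames and shows why an incomplete Include List drops legitimate non-IP traffic. The firewall's internals are not reproduced; in particular, skipping an 802.1Q tag to evaluate the encapsulated Ethertype, the frame layout, and the counter name handling are assumptions of this model.

```python
import struct
from typing import Dict, Optional

# Ethertypes the firewall implicitly allows in both zones, per the use case (IPv4, IPv6, ARP).
IMPLICIT_ALLOW = {0x0800, 0x86DD, 0x0806}
GOOSE = 0x88B8                                   # Ethertype entered in the profile

# Zone -> Zone Protection profile, as configured above. Each entry maps an Ethertype
# to its Enable flag; a disabled entry is ignored (e.g. while testing).
ZONE_PROFILES: Dict[str, dict] = {
    "Internet": {"name": "Block GOOSE", "rule_type": "exclude", "entries": {GOOSE: True}},
    "User":     {"name": "Allow GOOSE", "rule_type": "include", "entries": {GOOSE: True}},
}
counters = {"pkt_nonip_pkt_drop": 0}             # models the global counter shown by "show counter"

def ethertype_of(frame: bytes) -> int:
    """Return the Ethertype to filter. Model assumption: an 802.1Q tag (0x8100, itself
    implicitly allowed) is skipped and the encapsulated Ethertype is evaluated."""
    offset = 12                                  # after destination and source MAC
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype == 0x8100:
        offset += 4                              # TPID (2 bytes) + TCI (2 bytes)
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN-tagged frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
    return etype

def decide(ingress_zone: str, frame: bytes) -> str:
    """Apply the ingress zone's profile to one frame; returns 'allow' or 'drop'."""
    etype = ethertype_of(frame)
    if etype in IMPLICIT_ALLOW:
        return "allow"
    profile = ZONE_PROFILES[ingress_zone]
    listed = profile["entries"].get(etype, False)
    if profile["rule_type"] == "exclude":
        verdict = "drop" if listed else "allow"  # Exclude List: listed protocols are blocked
    else:
        verdict = "allow" if listed else "drop"  # Include List: only listed protocols pass
    if verdict == "drop":
        counters["pkt_nonip_pkt_drop"] += 1
    return verdict

def build_frame(etype: int, vlan_id: Optional[int] = None) -> bytes:
    """Constructed sample frame: dst/src MACs, optional 802.1Q tag, Ethertype, dummy payload."""
    frame = bytes.fromhex("010ccd010001") + bytes.fromhex("001122334455")
    if vlan_id is not None:
        frame += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", etype) + b"\x00" * 46

if __name__ == "__main__":
    print(decide("Internet", build_frame(GOOSE, vlan_id=200)))  # drop
    print(decide("User", build_frame(GOOSE, vlan_id=100)))      # allow
    print(decide("User", build_frame(0x88CC)))                   # drop: LLDP is not on the Include List
    print(counters)
```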