Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is 192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7. Non-IP protocol protection applies to ingress zones. In this use case, if the Internet zone is the ingress zone, the firewall blocks the Generic Object Oriented Substation Event (GOOSE) protocol. If the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.
[Figure: non_ip_protocol_l2_interzone.png, the Layer 2 VLAN topology with the Internet zone on vlan.7 and the User zone on vlan.6]
  1. Configure two VLAN subinterfaces.
    1. Select Network > Interfaces > VLAN and Add an interface.
    2. The Interface Name defaults to vlan. After the period, enter 7.
    3. On the Config tab, set Assign Interface To to the VLAN 200.
    4. Click OK.
    5. Select Network > Interfaces > VLAN and Add an interface.
    6. The Interface Name defaults to vlan. After the period, enter 6.
    7. On the Config tab, set Assign Interface To to the VLAN 100.
    8. Click OK.
  2. Configure protocol protection in a Zone Protection profile to block GOOSE protocol packets.
    1. Select Network > Network Profiles > Zone Protection and Add a profile.
    2. Enter the Name Block GOOSE.
    3. Select Protocol Protection.
    4. Choose a Rule Type of Exclude List.
    5. Enter the Protocol Name, GOOSE, to easily identify the Ethertype on the list. The firewall doesn't verify that the name you enter matches the Ethertype code; it uses only the Ethertype code to filter.
    6. Enter the Ethertype code 0x88B8. The Ethertype must be preceded by 0x to indicate a hexadecimal value. The range is 0x0000 to 0xFFFF.
    7. Select Enable to enforce the protocol protection. You can disable a protocol on the list, for example, for testing.
    8. Click OK.
  3. Apply the Zone Protection profile to the Internet zone.
    1. Select Network > Zones and Add a zone.
    2. Enter the Name of the zone, Internet.
    3. For Location, select the virtual system where the zone applies.
    4. For Type, select Layer2.
    5. Add the Interface that belongs to the zone, vlan.7.
    6. For Zone Protection Profile, select the profile Block GOOSE.
    7. Click OK.
  4. Configure protocol protection to allow GOOSE protocol packets.
    Create another Zone Protection profile named Allow GOOSE, and choose a Rule Type of Include List.
    When configuring an Include List, include all required non-IP protocols; an incomplete list can result in legitimate non-IP traffic being blocked.
  5. Apply the Zone Protection profile to the User zone.
    1. Select Network > Zones and Add a zone.
    2. Enter the Name of the zone, User.
    3. For Location, select the virtual system where the zone applies.
    4. For Type, select Layer2.
    5. Add the Interface that belongs to the zone, vlan.6.
    6. For Zone Protection Profile, select the profile Allow GOOSE.
    7. Click OK.
  6. Commit.
    Click Commit.
  7. View the number of non-IP packets the firewall has dropped based on protocol protection.
    > show counter global name pkt_nonip_pkt_drop
    > show counter global name pkt_nonip_pkt_drop delta yes
    The second form, with delta yes, shows only the change in the counter since the command was last run, which is useful when confirming that a newly committed profile is dropping the expected frames.
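The verdict logic that the two profiles above express (Exclude List on the Internet zone, Include List on the User zone, with IPv4, IPv6 and ARP implicitly allowed) as an added Python model; this is illustration code, not PAN-OS code. It assumes, as a modeling choice, that a single 802.1Q tag is skipped and the inner Ethertype is what the list is matched against, and it constructs its own sample frames. It also shows the caveat from step 4: an Include List that names only GOOSE drops other non-IP traffic such as LLDP (0x88CC).

```python
import struct

GOOSE = 0x88B8                           # Ethertype entered in both profiles
VLAN_TAG = 0x8100                        # 802.1Q tag protocol identifier
IMPLICIT_ALLOW = {0x0800, 0x86DD, 0x0806}  # IPv4, IPv6, ARP always pass

def ethertype_of(frame):
    """Payload Ethertype of a raw Ethernet frame.
    Modeling assumption: one 802.1Q tag is skipped and the inner type used."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype

def protocol_protection(rule_type, listed, etype):
    """Model of protocol protection on an ingress zone.
    exclude: listed Ethertypes are dropped, everything else passes.
    include: only listed Ethertypes (plus the implicit set) pass."""
    if etype in IMPLICIT_ALLOW:
        return "allow"
    if rule_type == "exclude":
        return "drop" if etype in listed else "allow"
    if rule_type == "include":
        return "allow" if etype in listed else "drop"
    raise ValueError("unknown rule type: %r" % rule_type)

def build_frame(etype, vlan=None):
    """Constructed sample frame: broadcast dst, dummy src, optional tag."""
    hdr = b"\xff" * 6 + bytes.fromhex("0200c0ffee01")
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TAG, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + b"\x00" * 4

# Zone -> (rule type, listed Ethertypes), mirroring the two profiles above.
ZONES = {
    "Internet": ("exclude", {GOOSE}),   # Block GOOSE, applied to vlan.7
    "User": ("include", {GOOSE}),       # Allow GOOSE, applied to vlan.6
}

def ingress_verdict(zone, frame):
    """Verdict for a frame arriving on the given ingress zone."""
    rule_type, listed = ZONES[zone]
    return protocol_protection(rule_type, listed, ethertype_of(frame))
```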
