Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is 192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7. Non-IP protocol protection applies to ingress zones. In this use case, if the Internet zone is the ingress zone, the firewall blocks the Generic Object Oriented Substation Event (GOOSE) protocol. If the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.

Configure two VLAN subinterfaces.

Select
Network
Interfaces
VLAN
and
Add
an interface.
Interface Name
defaults to vlan. After the period, enter 7.
On the
Config
tab,
Assign Interface To
the
VLAN
200.
Click
OK
.
Select
Network
Interfaces
VLAN
and
Add
an interface.
Interface Name
defaults to vlan. After the period, enter 6.
On the
Config
tab,
Assign Interface To
the
VLAN
100.
Click
OK
.

Configure protocol protection in a Zone Protection profile to block GOOSE protocol packets.

Select
Network
Network Profiles
Zone Protection
and
Add
a profile.
Enter the
Name
Block GOOSE.
Select
Protocol Protection
.
Choose
Rule Type
of
Exclude List
.
Enter the
Protocol Name
, GOOSE, to easily identify the Ethertype on the list. The firewall doesn’t verify that the name you enter matches the Ethertype code; it uses only the Ethertype code to filter.
Enter
Ethertype
code 0x88B8. The Ethertype must be preceded by 0x to indicate a hexadecimal value. Range is 0x0000 to 0xFFFF.
Select
Enable
to enforce the protocol protection. You can disable a protocol on the list, for example, for testing.
Click
OK
.

Apply the Zone Protection profile to the Internet zone.

Select
Network
Zones
and
Add
a zone.
Enter the
Name
of the zone, Internet.
For
Location
, select the virtual system where the zone applies.
For
Type
, select
Layer2
.
Add
the
Interface
that belongs to the zone, vlan.7.
For
Zone Protection Profile
, select the profile Block GOOSE.
Click
OK
.

Configure protocol protection to allow GOOSE protocol packets.

Create another Zone protection profile named Allow GOOSE, and choose

Rule Type

of

Include List

.

When configuring an Include list, include all required non-IP protocols; an incomplete list can result in legitimate non-IP traffic being blocked.

Apply the Zone Protection profile to the User zone.

Select
Network
Zones
and
Add
a zone.
Enter the
Name
of the zone, User.
For
Location
, select the virtual system where the zone applies.
For
Type
, select
Layer2
.
Add
the
Interface
that belongs to the zone, vlan.6.
For
Zone Protection Profile
, select the profile Allow GOOSE.
Click
OK
.

Commit.

Click

Commit

.

View the number of non-IP packets the firewall has dropped based on protocol protection.

Access the CLI.

> 
show counter global name pkt_nonip_pkt_drop 
> 
show counter global name pkt_nonip_pkt_drop delta yes