Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is 192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7. Non-IP protocol protection applies to ingress zones. In this use case, if the Internet zone is the ingress zone, the firewall blocks the Generic Object Oriented Substation Event (GOOSE) protocol. If the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.

1. Configure two VLAN subinterfaces.
   1. Select NetworkInterfacesVLAN and Add an interface.
   2. Interface Name defaults to vlan. After the period, enter 7.
   3. On the Config tab, Assign Interface To the VLAN 200.
   4. Click OK.
   5. Select NetworkInterfacesVLAN and Add an interface.
   6. Interface Name defaults to vlan. After the period, enter 6.
   7. On the Config tab, Assign Interface To the VLAN 100.
   8. Click OK.
2. Configure protocol protection in a Zone Protection profile to block GOOSE protocol packets.
   1. Select NetworkNetwork ProfilesZone Protection and Add a profile.
   2. Enter the Name Block GOOSE.
   3. Select Protocol Protection.
   4. Choose Rule Type of Exclude List.
   5. Enter the Protocol Name, GOOSE, to easily identify the Ethertype on the list. The firewall doesn’t verify that the name you enter matches the Ethertype code; it uses only the Ethertype code to filter.
   6. Enter Ethertype code 0x88B8. The Ethertype must be preceded by 0x to indicate a hexadecimal value. Range is 0x0000 to 0xFFFF.
   7. Select Enable to enforce the protocol protection. You can disable a protocol on the list, for example, for testing.
   8. Click OK.
3. Apply the Zone Protection profile to the Internet zone.
   1. Select NetworkZones and Add a zone.
   2. Enter the Name of the zone, Internet.
   3. For Location, select the virtual system where the zone applies.
   4. For Type, select Layer2.
   5. Add the Interface that belongs to the zone, vlan.7.
   6. For Zone Protection Profile, select the profile Block GOOSE.
   7. Click OK.
4. Configure protocol protection to allow GOOSE protocol packets.
   Create another Zone protection profile named Allow GOOSE, and choose Rule Type of Include List.

   When configuring an Include list, include all required non-IP protocols; an incomplete list can result in legitimate non-IP traffic being blocked.
5. Apply the Zone Protection profile to the User zone.
   1. Select NetworkZones and Add a zone.
   2. Enter the Name of the zone, User.
   3. For Location, select the virtual system where the zone applies.
   4. For Type, select Layer2.
   5. Add the Interface that belongs to the zone, vlan.6.
   6. For Zone Protection Profile, select the profile Allow GOOSE.
   7. Click OK.
6. Commit.
   Click Commit.
7. View the number of non-IP packets the firewall has dropped based on protocol protection.
   Access the CLI.

   > show counter global name pkt_nonip_pkt_drop 
   > show counter global name pkt_nonip_pkt_drop delta yes