Protect your network against Layer 2 protocols that don’t
belong on your network.
In a Zone Protection profile, Protocol Protection defends
against non-IP-protocol-based attacks. Enable Protocol Protection
to block or allow non-IP protocols between security zones on a Layer 2
VLAN or on a virtual wire, or between interfaces within a single
zone on a Layer 2 VLAN (Layer 3 interfaces and zones drop non-IP
protocols so non-IP Protocol Protection doesn’t apply). Configure Protocol Protection to
reduce security risks and facilitate regulatory compliance by preventing
less secure protocols from entering a zone, or an interface in a zone.
If you don’t configure a Zone Protection profile that prevents non-IP
protocols in the same zone from going from one Layer 2 interface
to another, the firewall allows the traffic because of the default
intrazone allow Security policy rule. You can create a Zone Protection
profile that blocks protocols such as LLDP within
a zone to prevent discovery of networks reachable through other zones.
If you need to discover which non-IP protocols are running on
your network, use monitoring tools such as NetFlow, Wireshark, or
other third-party tools to discover non-IP protocols on your network.
Examples of non-IP protocols you can block or allow are LLDP, NetBEUI,
Spanning Tree, and Supervisory Control and Data Acquisition (SCADA)
systems such as Generic Object Oriented Substation Event (GOOSE), among
others. There are two ways to configure Protocol Protection for a zone. The
Exclude List is a block list—the firewall blocks all of the protocols you place
in the list and allows all other protocols. The Include List is an allow list—the
firewall allows only the protocols you specify in the list and blocks
all other protocols.
Use include lists for Protocol Protection
instead of exclude lists. Include lists specifically sanction only
the protocols you want to allow and block the protocols you don’t
need or didn’t know were on your network, which reduces the attack
surface and blocks unknown traffic.