Protect your network against Layer 2 protocols that don’t belong on your network.
In a Zone Protection profile, Protocol Protection defends against non-IP protocol based attacks. Enable Protocol Protection to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN (Layer 3 interfaces and zones drop non-IP protocols so non-IP Protocol Protection doesn’t apply). Configure Protocol Protection to reduce security risks and facilitate regulatory compliance by preventing less secure protocols from entering a zone, or an interface in a zone.
If you don’t configure a Zone Protection profile that prevents non-IP protocols in the same zone from going from one Layer 2 interface to another, the firewall allows the traffic because of the default intrazone allow Security policy rule. You can create a Zone Protection profile that blocks protocols such as LLDP within a zone to prevent discovery of networks reachable through other zone interfaces.
If you need to discover which non-IP protocols are running on your network, use monitoring tools such as NetFlow, Wireshark, or other third-party tools to discover non-IP protocols on your network. Examples of non-IP protocols you can block or allow are LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) protocols such as Generic Object Oriented Substation Event (GOOSE), among many others.
Use an Exclude List or an Include List to configure Protocol Protection for a zone. The Exclude List is a blacklist—the firewall blocks all of the protocols you place in the Exclude List and allows all other protocols. The Include List is a whitelist—the firewall allows only the protocols you specify in the list and blocks all other protocols.
Use include lists for Protocol Protection instead of exclude lists. Include lists specifically sanction only the protocols you want to allow and block the protocols you don’t need or didn’t know were on your network, which reduces the attack surface and blocks unknown traffic.
A list supports up to 64 Ethertype entries, each identified by its IEEE hexadecimal Ethertype code. Other sources of Ethertype codes are standards.ieee.org/develop/regauth/ethertype/eth.txt and http://www.cavebear.com/archive/cavebear/Ethernet/type.html. When you configure zone protection for non-IP protocols on zones that have Aggregated Ethernet (AE) interfaces, you can’t block or allow a non-IP protocol on only one AE interface member because AE interface members are treated as a group.
Protocol Protection doesn’t allow blocking IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). The firewall always implicitly allows these four Ethertypes in an Include List even if you don’t explicitly list them and doesn’t permit you to add them to an
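As an added illustration, not part of the PAN-OS documentation or the firewall's own code, the following Python models the allow/block decision described above: an Include List or Exclude List of up to 64 Ethertypes, the four Ethertypes the firewall always implicitly allows and refuses to list, and a parser that reads the Ethertype from a constructed Ethernet II frame. The LLDP (0x88CC) and GOOSE (0x88B8) codes are the IEEE-assigned values and are not taken from this page.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

# Ethertypes the page says Protocol Protection never blocks and never
# lets you add to a list: IPv4, IPv6, ARP and VLAN-tagged (802.1Q) frames.
ALWAYS_ALLOWED = frozenset({0x0800, 0x86DD, 0x0806, 0x8100})
MAX_ENTRIES = 64  # per-list limit stated on the page

# IEEE-assigned Ethertypes for two protocols the page names (values are not on the page).
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_GOOSE = 0x88B8


@dataclass
class ProtocolProtection:
    """Model of a Zone Protection profile's non-IP Protocol Protection list."""
    mode: str                               # "include" (whitelist) or "exclude" (blacklist)
    ethertypes: Set[int] = field(default_factory=set)

    def add(self, ethertype: int) -> None:
        # Values below 0x0600 are IEEE 802.3 length fields, not Ethertypes.
        if not 0x0600 <= ethertype <= 0xFFFF:
            raise ValueError(f"0x{ethertype:04X} is not a valid Ethertype")
        if ethertype in ALWAYS_ALLOWED:
            raise ValueError(f"0x{ethertype:04X} is implicitly allowed and cannot be listed")
        if len(self.ethertypes) >= MAX_ENTRIES:
            raise ValueError(f"list already holds {MAX_ENTRIES} entries")
        self.ethertypes.add(ethertype)

    def allows(self, ethertype: int) -> bool:
        if ethertype in ALWAYS_ALLOWED:          # implicit allow in either mode
            return True
        if self.mode == "include":
            return ethertype in self.ethertypes  # whitelist: listed protocols only
        return ethertype not in self.ethertypes  # blacklist: everything but listed


def frame_ethertype(frame: bytes) -> int:
    """Return the Ethertype field (bytes 12-13) of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def build_frame(ethertype: int) -> bytes:
    """Constructed sample frame: broadcast dst, locally administered src, 4-byte payload."""
    return b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!H", ethertype) + b"\x00" * 4


def evaluate(profile: ProtocolProtection, frames: Iterable[bytes]) -> Dict[int, str]:
    """Map each frame's Ethertype to the decision the profile would make for it."""
    return {frame_ethertype(f): ("allow" if profile.allows(frame_ethertype(f)) else "block")
            for f in frames}
```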