Security Group Tag (SGT) Ethertype Support
If you use Security Group Tags (SGTs) to control user and device access in a Cisco TrustSec network, PAN-OS 9.0 firewalls deployed inline in Layer 2 or virtual wire mode can now inspect SGT-tagged traffic and apply threat prevention to it. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT-tagged frames through but did not process them, so the traffic encapsulated behind the tag was not inspected. In PAN-OS 9.0, processing of SGT traffic is on by default and requires no configuration changes.
Note that the firewall does not use the SGT as match criteria in Security policy; it processes the tag so that the encapsulated traffic can be inspected. Continue to define and enforce SGT-based policy in your Cisco TrustSec infrastructure the same way you do today.
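The following is an added example, not PAN-OS or Cisco code, that shows what "processing" an SGT-tagged frame means in practice: an inline Layer 2 or virtual wire device must recognize EtherType 0x8909 (Cisco MetaData, CMD) and step over the tag to reach the encapsulated IP packet, while a device that does not know that EtherType sees the frame as a non-IP protocol and cannot inspect it. The sample frames are constructed, not captured. The CMD field layout (after EtherType 0x8909: version, length, three option bytes, the 2-byte SGT, then the original EtherType) is an assumption based on how common packet dissectors decode the header; verify it against your own captures before relying on the offsets. The helper names (`parse_frame`, `legacy_classify`, `policy_key`, `build_frame`) are hypothetical.

```python
"""Added example, not PAN-OS or Cisco code.

Walks an Ethernet frame through an optional 802.1Q tag and a Cisco
MetaData (CMD, EtherType 0x8909) header to the encapsulated IPv4 packet,
which is what an inline Layer 2 / virtual wire device must do before it
can inspect SGT-tagged traffic. legacy_classify() shows how a device that
does not understand 0x8909 sees the same frame: as a non-IP protocol.

ASSUMED CMD layout (check against your own captures): after EtherType
0x8909 come version (1 byte), length (1 byte), option bytes (3),
the SGT (2), then the original EtherType (2).
"""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_CMD = 0x8909   # Cisco MetaData, carries the Security Group Tag
ETHERTYPE_IPV4 = 0x0800
CMD_BODY_LEN = 9         # version + length + 3 option bytes + SGT + inner EtherType


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 header decode: addresses, protocol, and L4 ports if TCP/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    ports = (None, None)
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": proto,
        "sport": ports[0],
        "dport": ports[1],
    }


def parse_frame(frame: bytes) -> dict:
    """CMD-aware decode: peel 802.1Q and CMD, record the SGT, parse the inner IPv4."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    info = {"vlan": None, "sgt": None, "ip": None}
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        info["vlan"] = tci & 0x0FFF
        off += 4
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + CMD_BODY_LEN:
            raise ValueError("truncated CMD header")
        # version, length and the 3 option bytes are skipped, not interpreted
        info["sgt"], ethertype = struct.unpack("!HH", frame[off + 5:off + 9])
        off += CMD_BODY_LEN
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        info["ip"] = parse_ipv4(frame[off:])
    return info


def legacy_classify(frame: bytes) -> str:
    """A dissector that knows 802.1Q but not CMD: the tagged frame is 'non-ip'."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return "ip" if ethertype == ETHERTYPE_IPV4 else "non-ip"


def policy_key(info: dict) -> tuple:
    """What the inspecting device matches on: the inner 5-tuple. The SGT is
    parsed so the payload can be reached, but it is deliberately not a match field."""
    ip = info["ip"]
    if ip is None:
        return ()
    return (ip["src"], ip["dst"], ip["proto"], ip["sport"], ip["dport"])


# --- constructed sample frames (not captured traffic) ---------------------

def build_frame(sgt=None, vlan=None) -> bytes:
    """Ethernet + optional 802.1Q + optional CMD + IPv4/TCP SYN 10.1.1.10:51515 -> 10.2.2.20:443."""
    tcp = struct.pack("!HHIIBBHHH", 51515, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.1.1.10").packed,
                     ipaddress.IPv4Address("10.2.2.20").packed)
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    if sgt is not None:
        # version 1, length 1, option bytes: placeholder values (assumed, see docstring)
        hdr += struct.pack("!HBB3sH", ETHERTYPE_CMD, 1, 1, b"\x00\x01\x00", sgt)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


if __name__ == "__main__":
    for name, frame in (("untagged", build_frame()), ("sgt-tagged", build_frame(sgt=16, vlan=100))):
        info = parse_frame(frame)
        print(f"{name:10s} legacy view={legacy_classify(frame):6s} sgt={info['sgt']} "
              f"vlan={info['vlan']} key={policy_key(info)}")
```

Running the script shows the two views side by side: the legacy classifier reports the tagged frame as non-IP, while the CMD-aware parser reaches the same inner 5-tuple for both frames. `policy_key` returning the inner 5-tuple without the SGT mirrors the point above: the tag is stepped over for inspection but is not a Security policy match field.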
Best practices for deploying Palo Alto Networks firewalls in a Cisco TrustSec network:
- Avoid deploying a firewall that might process SGT packets in Layer 3 mode: the Layer 2 encapsulation, and with it the inline tag, does not survive a routed hop. If you need a Layer 3 firewall in a Cisco TrustSec network:
  - Deploy the Layer 3 firewall between two SGT Exchange Protocol (SXP) peers, which share IP-to-SGT bindings over a TCP session rather than in the frame.
  - Configure the firewall to allow the SXP traffic between those peers.