Security Group Tag (SGT) Ethertype Support

If you're using Security Group Tags (SGTs) in a Cisco Trustsec network, PAN-OS 9.0 firewalls deployed inline in Layer 2 or Virtual Wire mode can inspect and enforce the tagged traffic.
If you're using Security Group Tags (SGTs) to control user and device access in a Cisco Trustsec network, inline firewalls in Layer 2 or Virtual Wire mode can now inspect and provide threat prevention for the tagged traffic. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process it. In PAN-OS 9.0, the firewall processes SGT traffic by default, with no configuration changes required.
Note that the firewall does not use SGTs as match criteria for security policy enforcement; continue to define SGT-based policy in the same way you do today.
Best practices for deploying Palo Alto Networks firewalls in a Cisco Trustsec network include:
  • Deploy firewalls that you expect to process SGT packets in either Layer 2 or virtual wire mode.
  • Don't deploy firewalls that might process SGT packets in Layer 3 mode. If you must use a Layer 3 firewall in a Cisco Trustsec network:
    • Deploy the Layer 3 firewall between two SGT exchange protocol (SXP) peers.
    • Configure the firewall to allow the traffic between the SXP peers.
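To make concrete what an inline Layer 2 or virtual wire firewall has to do before it can inspect SGT-tagged traffic, here is an added Python example (not PAN-OS or Cisco code) that walks an Ethernet frame past an optional 802.1Q tag and the Cisco MetaData (CMD) header, ethertype 0x8909, to reach the inner packet. It assumes the CMD layout of version, length, a single SGT option and the encapsulated ethertype; the frame builder and its MAC addresses are constructed test data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_CMD = 0x8909    # Cisco MetaData (CMD) header, which carries the SGT
ETHERTYPE_IPV4 = 0x0800
CMD_OPT_SGT = 0x0001      # CMD option type for the SGT value

@dataclass
class Frame:
    vlan: Optional[int]
    sgt: Optional[int]
    ethertype: int   # ethertype of the payload the firewall actually inspects
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Walk past the MAC header, an optional 802.1Q tag and an optional CMD
    header to reach the payload an inline L2/vwire firewall inspects."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    off, vlan, sgt = 12, None, None
    (etype,) = struct.unpack_from("!H", raw, off)
    off += 2
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack_from("!HH", raw, off)
        vlan, off = tci & 0x0FFF, off + 4
    if etype == ETHERTYPE_CMD:
        # Assumed CMD layout: version(1), length(1, options in 4-byte words),
        # then options; the SGT option is type(2) value(2); then inner ethertype.
        version, length = struct.unpack_from("!BB", raw, off)
        opt_type, value = struct.unpack_from("!HH", raw, off + 2)
        if version != 1 or opt_type != CMD_OPT_SGT:
            raise ValueError("unsupported CMD header")
        sgt = value
        off += 2 + 4 * length
        (etype,) = struct.unpack_from("!H", raw, off)
        off += 2
    return Frame(vlan, sgt, etype, raw[off:])

def build_sgt_frame(sgt: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed test frame: MAC header, optional 802.1Q tag, CMD header with SGT."""
    hdr = b"\x02" * 6 + b"\x04" * 6           # constructed dst/src MACs
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    hdr += struct.pack("!HBBHHH", ETHERTYPE_CMD, 1, 1, CMD_OPT_SGT, sgt, ETHERTYPE_IPV4)
    return hdr + payload
```

Calling `parse_frame(build_sgt_frame(10, ip_bytes, vlan=100))` returns a `Frame` with `vlan=100`, `sgt=10`, `ethertype=0x0800` and the IP packet as payload; an untagged frame comes back with `sgt=None`, which is the difference between the traffic the firewall allowed before 9.0 and the traffic it now processes.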
