- Network > Network Profiles > Zone Protection > Protocol Protection
The firewall normally allows non-IP protocols between Layer 2 zones and between virtual wire zones. Protocol protection lets you control which non-IP protocols are allowed (include) or denied (exclude) between or within security zones on a Layer 2 VLAN or virtual wire. Examples of non-IP protocols include AppleTalk, Banyan VINES, Novell IPX, NetBEUI, and industrial control (SCADA) protocols such as Generic Object Oriented Substation Event (GOOSE). IP traffic is not affected by protocol protection; it remains subject to Security policy.
After you configure protocol protection in a Zone Protection profile, apply the profile to the ingress security zone on a Layer 2 VLAN or virtual wire.
Enable Protocol Protection on internet-facing zones so that Layer 2 traffic from protocols you don't use cannot get onto your network.
Zone Protection Profile Settings—Protocol Protection
- List type. Specify whether the list you are creating is an Include List or an Exclude List. An Include List allows only the Layer 2 protocols you list and denies every other non-IP protocol, which reduces the attack surface to the protocols you actually use. An Exclude List denies the protocols you list and allows everything else. If you don't configure Protocol Protection at all, the firewall allows all Layer 2 protocols.
- Protocol name. Enter a name for the Ethertype code you are adding to the list. The name is a label only: the firewall does not check that it matches the Ethertype code, and the Ethertype code alone determines what the filter matches.
- Enable. Select Enable to make the entry active. To stop filtering a protocol temporarily, for example while testing, clear Enable rather than deleting the entry.
- Ethertype (hex). Enter the Ethertype code preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Note that a value below 0x0600 in the Ethernet type/length field is an IEEE 802.3 length field rather than an Ethertype, so such entries will not match a real protocol. Some sources of Ethertype codes are:
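The include, exclude and not-configured behaviours described above, modelled in Python as an added example (this is not PAN-OS code or configuration): it validates list entries against the limits given in the settings (0x prefix, 0x0000 to 0xFFFF, at most 64 entries, name is a label only), classifies a constructed Ethernet frame by Ethertype, and checks that Ethertype against each list type. The class and function names, the sample frames (dummy MAC addresses, GOOSE 0x88B8 and AppleTalk 0x809B), and the choice to classify an 802.1Q-tagged frame by its inner Ethertype are assumptions made for the example, not documented firewall behaviour.

```python
"""Model of Protocol Protection include/exclude semantics for non-IP Ethertypes.

Added example, not PAN-OS code. Names, sample frames and the handling of
802.1Q-tagged frames are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_ENTRIES = 64
# A type/length value below 0x0600 is an IEEE 802.3 length field, not an
# Ethertype (IEEE 802.3 rule, not a firewall setting).
MIN_ETHERTYPE = 0x0600
VLAN_TPID = 0x8100


@dataclass
class Entry:
    name: str          # free-text label; never checked against the code
    ethertype: str     # hex string with 0x prefix, as typed into the profile
    enabled: bool = True

    def code(self) -> int:
        """Parse and range-check the Ethertype; the code, not the name, is what matches."""
        if not self.ethertype.lower().startswith("0x"):
            raise ValueError(f"{self.name}: Ethertype must be written with a 0x prefix")
        value = int(self.ethertype, 16)
        if not 0x0000 <= value <= 0xFFFF:
            raise ValueError(f"{self.name}: {self.ethertype} is outside 0x0000-0xFFFF")
        return value


@dataclass
class ProtocolProtection:
    rule_type: Optional[str]          # "include", "exclude", or None (not configured)
    entries: list = field(default_factory=list)

    def validate(self) -> list:
        """Return warnings a practitioner would want to see before committing."""
        if self.rule_type not in ("include", "exclude", None):
            raise ValueError("rule_type must be 'include', 'exclude' or None")
        if len(self.entries) > MAX_ENTRIES:
            raise ValueError(f"list has {len(self.entries)} entries; maximum is {MAX_ENTRIES}")
        warnings, seen = [], {}
        for e in self.entries:
            c = e.code()
            if c < MIN_ETHERTYPE:
                warnings.append(f"{e.name}: 0x{c:04X} is an 802.3 length field, not an Ethertype")
            if c in seen:
                warnings.append(f"{e.name}: duplicates {seen[c]} (0x{c:04X})")
            seen.setdefault(c, e.name)
        return warnings

    def _active_codes(self) -> set:
        # Disabled entries stay in the profile but take no part in matching.
        return {e.code() for e in self.entries if e.enabled}

    def allows(self, ethertype: int) -> bool:
        if self.rule_type is None:
            return True                   # no protocol protection: everything passes
        listed = ethertype in self._active_codes()
        return listed if self.rule_type == "include" else not listed


def ethertype_of(frame: bytes) -> int:
    """Type/length field of an Ethernet frame. Assumption for this example: an
    802.1Q-tagged frame (TPID 0x8100) is classified by its inner type."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    t = int.from_bytes(frame[12:14], "big")
    if t == VLAN_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        t = int.from_bytes(frame[16:18], "big")
    return t


def frame(ethertype: int, vlan: Optional[int] = None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame with dummy MAC addresses, optionally 802.1Q-tagged."""
    hdr = bytes.fromhex("010ccd010001") + bytes.fromhex("0200000000aa")
    if vlan is not None:
        hdr += VLAN_TPID.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload


def demo() -> dict:
    """Evaluate constructed frames against an include list, an exclude list and
    no list; returns {frame_name: (include_allows, exclude_allows, none_allows)}."""
    goose = Entry("GOOSE", "0x88B8")
    appletalk = Entry("AppleTalk", "0x809B", enabled=False)   # kept, but disabled
    include = ProtocolProtection("include", [goose, appletalk])
    exclude = ProtocolProtection("exclude", [goose, appletalk])
    none = ProtocolProtection(None)
    samples = {
        "goose": frame(0x88B8),
        "goose_tagged": frame(0x88B8, vlan=100),
        "appletalk": frame(0x809B),
    }
    return {
        name: (include.allows(ethertype_of(f)), exclude.allows(ethertype_of(f)), none.allows(ethertype_of(f)))
        for name, f in samples.items()
    }
```

`demo()` returns `(True, False, True)` for both GOOSE frames and `(False, True, True)` for AppleTalk: because the AppleTalk entry is disabled rather than deleted, it still sits in the profile, but an include list treats it as unlisted and denies it while an exclude list lets it through. `validate()` flags entries below 0x0600 and duplicate codes before they reach a commit.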
Related topics
- Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces
- Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces
- Configure Protocol Protection
- Zone Protection for a Virtual Wire Interface
- Configure a Layer 2 Interface, Subinterface, and VLAN: configure Layer 2 interfaces with VLANs when you want Layer 2 switching and traffic separation among VLANs.
- Deploy DoS and Zone Protection Using Best Practices: DoS and Zone Protection deployment best practices help to ensure a smooth rollout that protects your network and your most critical servers.
- Zone Protection Profiles: configure protection against floods, reconnaissance, packet-based attacks, and non-IP-protocol-based attacks with Zone Protection profiles.
- Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions