Configure Ethernet SGT Protection
Configure 802.1Q header inspection when your firewall is part of a Cisco TrustSec network.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a 16-bit Layer 2 Security Group Tag (SGT) to each user or endpoint session. When your firewall is part of a Cisco TrustSec network, it must understand the TrustSec 802.1Q header before it can perform content inspection on the tagged traffic. A Zone Protection profile with Ethernet SGT protection configured lets the firewall inspect 802.1Q headers with EtherType 0x8909 for specific SGT values and drop a packet whose SGT matches the Exclude List configured in the Zone Protection profile attached to the interface. In other words, the Ethernet SGT settings of a Zone Protection profile specify which SGT values are denied access to a zone.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.
    You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
  3. Navigate to the Zone Protection Profiles and Add Profile.
  4. Enter a descriptive Name.
  5. (Optional) Enter a Description.
  6. Select Ethernet SGT.
  7. Add a Layer 2 SGT Exclude List by name.
  8. Enter one or more Tag values for the list.
    Range is 0 to 65,535. You can enter individual entries that are a contiguous range of tag values (for example, 100-500). You can add up to 100 (individual or range) tag entries in an Exclude List.
  9. Enable the Layer 2 SGT Exclude List.
    Layer 2 SGT Exclude Lists are enabled by default when added.
    You can modify an existing Zone Protection profile to disable a specific Layer 2 SGT Exclude List from enforcement.
  10. Save.
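The Exclude List semantics described above, modelled as an added Python example (not Palo Alto Networks code): it parses Tag entries such as 100-500, enforces the 0 to 65,535 range and the 100-entry cap per list, honours the enabled flag, and returns the verdict for a frame given its EtherType and SGT value. The names SgtExcludeList and zone_protection_verdict are assumptions for this illustration, not firewall APIs.

```python
"""Model of a Zone Protection profile's Ethernet SGT Exclude Lists (illustrative only)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

SGT_ETHERTYPE = 0x8909        # EtherType of the TrustSec header the firewall inspects
SGT_MAX = 65_535              # SGT is a 16-bit value, so Tag range is 0-65,535
MAX_ENTRIES_PER_LIST = 100    # cap on individual-or-range Tag entries per Exclude List


def parse_tag_entry(entry: str) -> Tuple[int, int]:
    """Turn '42' or '100-500' into an inclusive (low, high) range and validate its bounds."""
    text = entry.strip()
    if "-" in text:
        low_s, high_s = text.split("-", 1)
        low, high = int(low_s), int(high_s)
    else:
        low = high = int(text)
    if not (0 <= low <= high <= SGT_MAX):
        raise ValueError(f"tag entry {entry!r} is outside 0-{SGT_MAX} or inverted")
    return low, high


def is_valid_tag_entry(entry: str) -> bool:
    """Convenience check used when validating operator input."""
    try:
        parse_tag_entry(entry)
        return True
    except ValueError:
        return False


@dataclass
class SgtExcludeList:
    """One named Layer 2 SGT Exclude List; lists are enabled by default when added."""
    name: str
    entries: List[Tuple[int, int]] = field(default_factory=list)
    enabled: bool = True

    @classmethod
    def from_strings(cls, name: str, entries: Iterable[str], enabled: bool = True):
        ranges = [parse_tag_entry(e) for e in entries]
        if len(ranges) > MAX_ENTRIES_PER_LIST:
            raise ValueError(f"{name}: more than {MAX_ENTRIES_PER_LIST} tag entries")
        return cls(name, ranges, enabled)

    def matches(self, sgt: int) -> bool:
        # A disabled list is kept in the profile but takes no part in enforcement.
        return self.enabled and any(lo <= sgt <= hi for lo, hi in self.entries)


def zone_protection_verdict(ethertype: int, sgt: int, lists: Iterable[SgtExcludeList]) -> str:
    """'drop' when an SGT-tagged frame (EtherType 0x8909) hits any enabled list, else 'allow'."""
    if ethertype != SGT_ETHERTYPE:
        return "allow"      # untagged frame: Ethernet SGT protection does not apply
    return "drop" if any(lst.matches(sgt) for lst in lists) else "allow"
```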