>
    Configure Ethernet SGT Protection
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Zone Protection and DoS Protection
    4. Configure Zone Protection to Increase Network Security
    5. Configure Ethernet SGT Protection
    Download PDF

    Configure Ethernet SGT Protection

    Table of Contents
    End-of-Life (EoL)

    Configure Ethernet SGT Protection

    In a Cisco TrustSec network, employ Zone Protection based on dropping packets that contain specific security group tags (SGTs) in the 802.1Q header.
    Use the following task to configure an Ethernet SGT Protection profile.
    1. Create a Zone Protection profile to provide Ethernet SGT Protection.
      1. Select NetworkNetwork ProfilesZone Protection.
      2. Add a Zone Protection profile by Name.
      3. Select Ethernet SGT Protection.
      4. Add a Layer 2 SGT Exclude List by name.
      5. Enter one or more Tag values for the list; range is 0 to 65,535. You can enter individual entries that are a contiguous range of tag values (for example, 100-500). You can add up to 100 (individual or range) tag entries in an Exclude List.
      6. Enable the Layer 2 SGT Exclude List. You can disable the list at any time.
      7. Click OK.
    2. Apply the Zone Protection profile to the security zone to which the Layer 2, virtual wire, or tap interfaces belong.
      1. Select NetworkZones.
      2. Add a zone.
      3. Enter the Name of the zone.
      4. For Location, select the virtual system where the zone applies.
      5. For Type, select Layer2, Virtual Wire, or Tap.
      6. Add an Interface that belongs to the zone.
      7. For Zone Protection Profile, select the profile you created.
      8. Click OK.
    3. Commit.
    4. View the global counter of packets that the firewall dropped as a result of all Zone Protection profiles that employ Ethernet SGT Protection.
      1. Access the CLI.
      2. > show counter global name pan_flow_dos_l2_sec_tag_drop

    © 2024 Palo Alto Networks, Inc. All rights reserved.