In a Zone Protection profile, Protocol Protection defends
against non-IP protocol based attacks. Enable Protocol Protection
to block or allow non-IP protocols between security zones on a Layer 2
VLAN or on a virtual wire, or between interfaces within a single
zone on a Layer 2 VLAN (Layer 3 interfaces and zones drop
non-IP protocols so non-IP Protocol Protection doesn’t apply).
Configure Protocol Protection to
reduce security risks and facilitate regulatory compliance by preventing
less secure protocols from entering a zone, or an interface in a
zone.
If you need to discover which non-IP protocols are running on
your network, use monitoring tools such as NetFlow, Wireshark, or
other third-party tools to identify them before you decide what to block or allow.
Examples of non-IP protocols you can block or allow are LLDP, NetBEUI,
Spanning Tree, and Supervisory Control and Data Acquisition (SCADA)
systems such as Generic Object Oriented Substation Event (GOOSE),
among many others.
Create an Exclude List or an Include List to configure Protocol Protection
for a zone. The Exclude List is a block list: the firewall blocks all of the
protocols you place in the Exclude List and allows all other protocols. The
Include List is an allow list: the firewall allows only the protocols you
specify in the list and blocks all other protocols.
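The following Python model, added here as an illustration and not taken from PAN-OS or its documentation, shows how the two list semantics differ when applied to the Ethertype of a Layer 2 frame. The Ethertype constants are the registered IEEE values; the sample frames, dummy MAC addresses and the helper names are constructed for this example.

```python
"""Model of Protocol Protection list semantics (illustrative, not PAN-OS code).
Exclude List = block list, Include List = allow list, keyed on the frame's Ethertype."""
import struct
from typing import Optional, Set

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100   # VLAN tag; the real Ethertype follows the tag
ETHERTYPE_GOOSE = 0x88B8   # IEC 61850 GOOSE (SCADA)
ETHERTYPE_LLDP = 0x88CC    # Link Layer Discovery Protocol


def ethertype_of(frame: bytes) -> int:
    """Return the Ethertype of a raw Ethernet frame, looking past one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype


def protocol_protection_allows(etype: int, mode: str, listed: Set[int]) -> bool:
    """Exclude List: block the listed Ethertypes, allow everything else.
    Include List: allow only the listed Ethertypes, block everything else."""
    if mode == "exclude":
        return etype not in listed
    if mode == "include":
        return etype in listed
    raise ValueError(f"unknown list mode {mode!r}")


def build_frame(etype: int, vlan: Optional[int] = None) -> bytes:
    """Constructed sample frame: dummy MACs, optional 802.1Q tag, no payload."""
    hdr = bytes.fromhex("0011223344550066778899aa")  # dst MAC + src MAC (constructed)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype)


if __name__ == "__main__":
    # Same LLDP frame, opposite outcomes depending on which list type it sits in.
    lldp = ethertype_of(build_frame(ETHERTYPE_LLDP, vlan=100))
    print("exclude list containing LLDP ->", protocol_protection_allows(lldp, "exclude", {ETHERTYPE_LLDP}))
    print("include list containing LLDP ->", protocol_protection_allows(lldp, "include", {ETHERTYPE_LLDP}))
```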