Protocol Protection
Protect your network against Layer 2 protocols that don’t
belong on your network.
In a Zone Protection profile, Protocol Protection defends
against non-IP protocol based attacks. Enable Protocol Protection
to block or allow non-IP protocols between security zones on a Layer 2
VLAN or on a virtual wire, or between interfaces within a single
zone on a Layer 2 VLAN (Layer 3 interfaces and zones drop
non-IP protocols so non-IP Protocol Protection doesn’t apply).
Configure Protocol Protection to
reduce security risks and facilitate regulatory compliance by preventing
less secure protocols from entering a zone, or an interface in a
zone.
If you don’t configure a Zone Protection profile that prevents
non-IP protocols in the same zone from going from one Layer 2 interface
to another, the firewall allows the traffic because of the default
intrazone allow Security policy rule. You can create a Zone Protection
profile that
blocks protocols such as LLDP within
a zone to prevent discovery of networks reachable through other
zone interfaces.
If you need to discover which non-IP protocols are running on
your network, use monitoring tools such as NetFlow, Wireshark, or
other third-party tools to identify them.
Examples of non-IP protocols you can block or allow are LLDP, NetBEUI,
Spanning Tree, and protocols used by Supervisory Control and Data
Acquisition (SCADA) systems, such as Generic Object Oriented Substation
Event (GOOSE), among many others.
Create an Exclude List or an Include
List to configure Protocol Protection for a zone. The Exclude
List is a block list—the firewall blocks all of the
protocols you place in the Exclude List and
allows all other protocols. The Include List is
an allow list—the firewall allows only the protocols you specify
in the list and blocks all other protocols.
Use include lists for Protocol Protection
instead of exclude lists. Include lists specifically sanction only
the protocols you want to allow and block the protocols you don’t
need or didn’t know were on your network, which reduces the attack
surface and blocks unknown traffic.
Protocol Protection doesn’t allow blocking IPv4 (Ethertype
0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100).
The firewall always implicitly allows these four Ethertypes in an Include
List even if you don’t explicitly list them and doesn’t
permit you to add them to an Exclude List.
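As an added illustration (not part of this documentation and not the firewall's implementation), a small Python model of the Include List and Exclude List semantics described above, including the four Ethertypes that are always allowed. The sample frames, MAC addresses and the choice of MPLS as the "unknown" protocol are constructed for the example; the LLDP, GOOSE and MPLS Ethertype values are the IEEE-registered assignments.

```python
import struct

# Ethertypes the documentation says the firewall always allows and never
# lets you put in an Exclude List: IPv4, IPv6, ARP, VLAN-tagged frames.
ALWAYS_ALLOWED = {0x0800, 0x86DD, 0x0806, 0x8100}

# IEEE-registered Ethertypes for the constructed frames below (not from the page).
LLDP, GOOSE, MPLS_UNICAST = 0x88CC, 0x88B8, 0x8847


def ethertype_of(frame: bytes) -> int:
    """Return the Ethertype field (bytes 12-13) of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

def include_list_allows(etype: int, include: set) -> bool:
    """Include List: allow only listed Ethertypes plus the implicit four."""
    return etype in ALWAYS_ALLOWED or etype in include

def exclude_list_allows(etype: int, exclude: set) -> bool:
    """Exclude List: block listed Ethertypes, allow everything else."""
    clash = exclude & ALWAYS_ALLOWED  # the four may not be excluded
    if clash:
        raise ValueError(f"cannot exclude implicitly allowed Ethertypes {sorted(clash)}")
    return etype not in exclude

def sample_frame(etype: int) -> bytes:
    """Constructed 60-byte frame: made-up MACs, given Ethertype, zero payload."""
    dst = bytes.fromhex("0180c200000e")  # LLDP multicast group address
    src = bytes.fromhex("020000000001")  # locally administered, constructed
    return dst + src + struct.pack("!H", etype) + bytes(46)

def decisions(frames: dict, include=None, exclude=None) -> dict:
    """Apply one list type to every frame; returns name -> allowed?"""
    out = {}
    for name, frame in frames.items():
        et = ethertype_of(frame)
        out[name] = (include_list_allows(et, include) if include is not None
                     else exclude_list_allows(et, exclude))
    return out

# Constructed traffic mix: ARP plus three non-IP protocols, MPLS standing in
# for a protocol the administrator did not know was on the network.
FRAMES = {"arp": sample_frame(0x0806), "lldp": sample_frame(LLDP),
          "goose": sample_frame(GOOSE), "mpls": sample_frame(MPLS_UNICAST)}

if __name__ == "__main__":
    print(decisions(FRAMES, include={GOOSE}))  # only GOOSE and ARP pass
    print(decisions(FRAMES, exclude={LLDP}))   # LLDP blocked, MPLS slips through
```

Running the two calls side by side shows why the documentation prefers Include Lists: the unlisted MPLS frame is blocked by the Include List but passes the Exclude List.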