Defend your zones against protocol-based attacks.
A Zone Protection profile configured for protocol protection defends your zones against non-IP protocol-based attacks. Configure protocol protection to block or allow non-IP protocols between your zones and interfaces. This allows you to reduce security risks and facilitate regulatory compliance by preventing less secure protocols from entering a zone or an interface in a zone. When you configure zone protection for non-IP protocols on zones that have Aggregate Ethernet (AE) interfaces, you must block or allow a non-IP protocol for all AE interface members. Enforcing non-IP protocols for only one AE interface member isn't supported.

By default, the predefined intrazone-default Security policy rule allows non-IP traffic between interfaces in the same zone.

To configure protocol protection, you create an Exclude List or Include List to which you add the non-IP protocols you want to deny or allow. A Zone Protection profile configured for protocol protection supports an exclude list, an include list, or both in a single profile.
Protocol protection doesn't support blocking IPv4 (EtherType 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). The firewall always implicitly allows these four EtherTypes in an Include List even if you don't explicitly add them, and doesn't permit you to add them to an Exclude List.
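The list semantics described above, as an added illustration that is not PAN-OS code: a small model of how an Exclude List, an Include List, and the implicit allows decide the verdict for a non-IP frame. It assumes that when a profile carries both lists the Exclude List is checked first, and it adds a hypothetical `ae_consistent` check for the AE-member requirement; the EtherTypes used as samples (LLDP 0x88CC, RARP 0x8035) are constructed test input.

```python
from dataclasses import dataclass, field

# EtherTypes the firewall always allows and refuses to accept in an Exclude List.
ALWAYS_ALLOWED = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "VLAN-tagged"}


def can_exclude(ethertype: int) -> bool:
    """True if this EtherType may be placed in an Exclude List."""
    return ethertype not in ALWAYS_ALLOWED


@dataclass
class ProtocolProtection:
    """Model of one profile's protocol-protection lists (not the firewall's code)."""
    exclude: set = field(default_factory=set)  # EtherTypes to deny
    include: set = field(default_factory=set)  # EtherTypes to allow; others denied

    def __post_init__(self):
        clash = {e for e in self.exclude if not can_exclude(e)}
        if clash:
            names = ", ".join(ALWAYS_ALLOWED[e] for e in sorted(clash))
            raise ValueError(f"Exclude List may not contain: {names}")

    def decision(self, ethertype: int) -> str:
        """Return 'allow' or 'deny' for a frame carrying this EtherType."""
        if ethertype in ALWAYS_ALLOWED:
            return "allow"  # implicit allow, even if absent from the Include List
        if ethertype in self.exclude:
            return "deny"  # assumption: Exclude List wins when both lists exist
        if self.include:
            return "allow" if ethertype in self.include else "deny"
        return "allow"  # exclude-only profile: anything not listed passes


def ae_consistent(member_profiles: dict, ethertype: int) -> bool:
    """Hypothetical check: every AE member must reach the same verdict."""
    verdicts = {p.decision(ethertype) for p in member_profiles.values()}
    return len(verdicts) == 1


# Constructed samples: an exclude-only profile denying LLDP, an include-only
# profile permitting nothing but LLDP.
deny_lldp = ProtocolProtection(exclude={0x88CC})
only_lldp = ProtocolProtection(include={0x88CC})
```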