Protocol Protection, part of the Zone Protection Profile on Palo Alto Networks firewalls, defends against attacks carried in non-IP protocols by allowing or dropping Ethernet frames of specific Layer 2 protocols, identified by Ethertype, as they pass between security zones. It applies to Layer 2 (including VLAN) and virtual wire deployments, where the firewall switches non-IP frames through rather than routing them.
You configure Protocol Protection with either an Include List (only the listed protocols are allowed; every other non-IP protocol is dropped) or an Exclude List (the listed protocols are dropped; everything else is allowed). Each list holds up to 64 entries, each identified by its IEEE-assigned Ethertype written as a four-digit hexadecimal value (for example 0x88CC for LLDP). IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806) and 802.1Q VLAN-tagged frames (0x8100) cannot be blocked by either list type; the firewall always allows them.
For more details, refer to the official documentation: Protocol Protection - Palo Alto Networks.
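The following Python is an added illustration of the list semantics described above; it is not code from this page or from Palo Alto Networks. It models how an Include List and an Exclude List classify raw Ethernet frames, enforces the 64-entry cap, and refuses to put one of the four never-blocked Ethertypes on an Exclude List. The frames, MAC addresses and the LLDP and PPPoE Ethertypes are constructed test input; skipping one 802.1Q tag to reach the inner Ethertype is an assumption of this model, not documented firewall behaviour.

```python
"""Model of Zone Protection 'Protocol Protection' list evaluation.

Added illustration, not Palo Alto Networks code. List semantics (include =
only listed Ethertypes pass, exclude = only listed Ethertypes drop, 64-entry
cap, IPv4/IPv6/ARP/VLAN never blockable) follow the vendor documentation;
looking through a single 802.1Q tag is this model's own assumption.
"""
import struct
from typing import Dict, Iterable, Optional

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + Ethertype (2)
DOT1Q_TAG_LEN = 4         # TPID (2) + TCI (2)
ETHERTYPE_VLAN = 0x8100
MAX_LIST_ENTRIES = 64

# Ethertypes Protocol Protection cannot block; they are always allowed.
NEVER_BLOCKED = {0x0800, 0x86DD, 0x0806, 0x8100}


def ethertype_of(frame: bytes) -> int:
    """Return the Ethertype the list is matched against.

    Model assumption: one 802.1Q tag is skipped and the encapsulated
    Ethertype is used, so a tagged PPPoE frame still counts as 0x8863.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame: %d bytes" % len(frame))
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < ETH_HDR_LEN + DOT1Q_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


class ProtocolProtection:
    """One Protocol Protection configuration: list type plus Ethertypes."""

    def __init__(self, list_type: str, ethertypes: Iterable[int]) -> None:
        if list_type not in ("include", "exclude"):
            raise ValueError("list_type must be 'include' or 'exclude'")
        entries = set()
        for e in ethertypes:
            if not 0x0000 <= e <= 0xFFFF:
                raise ValueError("Ethertype out of range: %r" % (e,))
            if list_type == "exclude" and e in NEVER_BLOCKED:
                raise ValueError("0x%04x cannot be blocked by Protocol Protection" % e)
            entries.add(e)
        if len(entries) > MAX_LIST_ENTRIES:
            raise ValueError("a list holds at most %d Ethertypes" % MAX_LIST_ENTRIES)
        self.list_type = list_type
        self.entries = frozenset(entries)

    def verdict(self, frame: bytes) -> str:
        """Return 'allow' or 'drop' for one raw Ethernet frame."""
        etype = ethertype_of(frame)
        if etype in NEVER_BLOCKED:          # IPv4/IPv6/ARP/VLAN always pass
            return "allow"
        listed = etype in self.entries
        if self.list_type == "include":
            return "allow" if listed else "drop"
        return "drop" if listed else "allow"


def make_frame(ethertype: int, vlan_id: Optional[int] = None,
               payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed test frame (dummy MACs), optionally 802.1Q-tagged."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0242ac110002")
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def evaluate(profile: ProtocolProtection, frames: Dict[str, bytes]) -> Dict[str, str]:
    """Return {label: verdict} for a dict of labelled frames."""
    return {label: profile.verdict(f) for label, f in frames.items()}


# Constructed sample traffic: IP, ARP, LLDP, PPPoE discovery, tagged PPPoE.
SAMPLE_FRAMES = {
    "ipv4": make_frame(0x0800),
    "arp": make_frame(0x0806),
    "lldp": make_frame(0x88CC),
    "pppoe-discovery": make_frame(0x8863),
    "pppoe-tagged-vlan10": make_frame(0x8863, vlan_id=10),
}

if __name__ == "__main__":
    allow_only_lldp = ProtocolProtection("include", [0x88CC])
    block_pppoe = ProtocolProtection("exclude", [0x8863, 0x8864])
    print("include-list:", evaluate(allow_only_lldp, SAMPLE_FRAMES))
    print("exclude-list:", evaluate(block_pppoe, SAMPLE_FRAMES))
```

Both sample profiles drop the PPPoE frames and pass IPv4, ARP and LLDP, but for different reasons: the Include List passes LLDP only because it is listed, whereas the Exclude List passes it because it is not. When you test a real profile, send a frame of a blocked Ethertype across the zone pair and confirm the drop with the counter and log checks below.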
show zone-protection zone <zone-name>
Displays the Zone Protection Profile applied to the named security zone, including its Protocol Protection list type and Ethertype entries. This is an operational-mode command.
show counter global filter severity drop
Lists the global dataplane counters of severity drop. Frames dropped by Protocol Protection increment a drop counter here; send a test frame of a blocked Ethertype across the zone pair and run the command again (adding delta yes shows only counters that changed since the previous run) to confirm the drop.
set system setting additional-threat-log on
Enables Threat log entries for packet-based attack protection drops, including frames dropped by Protocol Protection. Without this operational-mode setting the drops are counted but not logged, so enable it before looking for them in the Threat log.
Navigate to Monitor > Logs > Threat .
Apply the following filter to view protocol protection events:
( subtype eq 'packet' )
This shows Threat log entries of subtype packet, the packet-based attack protection category under which Protocol Protection drops are recorded; entries appear only while additional-threat-log is enabled.
Navigate to Network > Network Profiles > Zone Protection .
Select the profile attached to the zone in question, open its Protocol Protection tab and check that the list type (Include List or Exclude List) and the Ethertype entries allow exactly the non-IP protocols the zone pair needs; remember that IPv4, IPv6, ARP and VLAN-tagged frames pass regardless of the list.