Managing Ethernet Protocols in Bridge Mode

It is possible to configure a Security Gateway with bridge interface to allow or drop protocols that are not based on IP that pass through the bridge interface. For example, protocols that are not IPv4, IPv6, or ARP.

By default, these protocols are allowed by the Security Gateway.

Frames for protocols that are not IPv4, IPv6, or ARP are allowed if:

  • On the Security Gateway, the value of the kernel parameter fwaccept_unknown_protocol is 1 (all frames are accepted)

  • OR in the applicable user.def file on the Management Server, the protocol IS defined in the allowed_ethernet_protocols table.

  • AND in the applicable user.def file on the Management Server, the protocol is NOT defined in the dropped_ethernet_protocols table.

To configure the Security Group to accept only specific protocols that are not IPv4, IPv6, or ARP:

Step

Instructions

1

On the Security Group, configure the value of the kernel parameter fwaccept_unknown_protocol to 0.

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Configure the value of the kernel parameter fwaccept_unknown_protocol to 0:

    g_update_conf_file fwkern.conf fwaccept_unknown_protocol=0

  4. Reboot the Security Group.

    If the reboot is not possible at this time, then:

    • Run this command to make the required change:

      g_fw ctl set int fwaccept_unknown_protocol 0

    • Run this command to make sure the required change was accepted:

      g_fw ctl get int fwaccept_unknown_protocol

2

On the Management Server, edit the applicable user.def file.

Note - For the list of user.def files, see sk98239.

  1. Back up the current applicable user.def file.

  2. Edit the current applicable user.def file.

  3. Add these directives:

    • allowed_ethernet_protocols - contains the EtherType numbers (in Hex) of protocols to accept

    • dropped_ethernet_protocols - contains the EtherType numbers (in Hex) of protocols to drop

    $ifndef __user_def__
$define __user_def__
  
\\ 
\\ User defined INSPECT code
\\ 
  
allowed_ethernet_protocols={ <0x0800,0x86DD,0x0806>);dropped_ethernet_protocols={ <0x8137,0x8847,0x9100> );
  
endif /*__user_def__*/

    For the list of EtherType numbers, see http://standards-oui.ieee.org/ethertype/eth.csv.

  4. Save the changes in the file and exit the editor.

3

In SmartConsole, install the Access Control Policy on the Security Gateway object.