Managing Ethernet Protocols in Bridge Mode
You can configure a Security Gateway with a bridge interface to allow or drop Ethernet protocols that are not based on IP as they pass through the bridge interface, that is, protocols that are not IPv4, IPv6, or ARP.
By default, the Security Gateway allows these protocols.
Frames for protocols that are not IPv4, IPv6, or ARP are allowed if:
- On the Security Gateway, the value of the kernel parameter fwaccept_unknown_protocol is 1 (all frames are accepted), OR in the applicable user.def file on the Management Server, the protocol IS defined in the allowed_ethernet_protocols table,
- AND in the applicable user.def file on the Management Server, the protocol is NOT defined in the dropped_ethernet_protocols table.
To configure the Security Group to accept only specific protocols that are not IPv4, IPv6, or ARP:
Step | Instructions
---|---
1 | On the Security Group, configure the value of the kernel parameter
2 | On the Management Server, edit the applicable
3 | In SmartConsole, install the Access Control Policy on the Security Gateway object.
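As an added check that is not part of the original page, the following Python script models the decision rule above so you can audit what a given fwaccept_unknown_protocol value and a given pair of user.def tables would let through a bridge. The `<0x....>` INSPECT-style table syntax and the sample tables are assumptions constructed for this example, not copied from the product.

```python
import re

# Constructed sample of the two user.def tables. The "<0xNNNN>" table syntax
# is an assumption for this example; check the real user.def format on your release.
SAMPLE_USER_DEF = """
allowed_ethernet_protocols = { <0x8847>, <0x8848>, <0x88cc> };
dropped_ethernet_protocols = { <0x88cc> };
"""

# EtherTypes of the protocols the rule on the page does NOT cover.
NATIVE_ETHERTYPES = {0x0800, 0x86DD, 0x0806}  # IPv4, IPv6, ARP


def parse_table(user_def: str, name: str) -> set:
    """Return the EtherTypes listed in the named user.def table (empty set if absent)."""
    match = re.search(rf"{name}\s*=\s*\{{(.*?)\}}\s*;", user_def, re.S)
    if not match:
        return set()
    return {int(v, 16) for v in re.findall(r"<\s*(0x[0-9a-fA-F]+)\s*>", match.group(1))}


def frame_allowed(ethertype: int, accept_unknown: int, user_def: str) -> bool:
    """Apply the page's rule to a non-IPv4/IPv6/ARP frame.

    Allowed if (fwaccept_unknown_protocol == 1 OR listed in allowed_ethernet_protocols)
    AND NOT listed in dropped_ethernet_protocols.
    """
    if ethertype in NATIVE_ETHERTYPES:
        raise ValueError("IPv4, IPv6 and ARP are governed by the Access Control Policy, not this rule")
    allowed = parse_table(user_def, "allowed_ethernet_protocols")
    dropped = parse_table(user_def, "dropped_ethernet_protocols")
    if ethertype in dropped:
        return False  # the dropped table wins even when fwaccept_unknown_protocol is 1
    return accept_unknown == 1 or ethertype in allowed


def audit(ethertypes, accept_unknown: int, user_def: str) -> dict:
    """Verdict per EtherType, e.g. to compare the default (1) against a locked-down (0) setting."""
    return {hex(et): frame_allowed(et, accept_unknown, user_def) for et in ethertypes}


if __name__ == "__main__":
    probes = [0x8847, 0x88CC, 0x8863]  # MPLS unicast, LLDP, PPPoE discovery (constructed probe list)
    for value in (1, 0):
        print(f"fwaccept_unknown_protocol={value}:", audit(probes, value, SAMPLE_USER_DEF))
```

With the sample tables, LLDP (0x88cc) is dropped regardless of the kernel parameter, and PPPoE discovery (0x8863) passes only while the parameter is still at its default of 1.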