How Do Zones Protect the Network?
Segmenting your network with zones protects your network. Understanding how zones provide that
protection helps you decide the best ways to segment your network.
Zones protect your network by segmenting it into smaller, more easily managed areas. Zones also
protect the network by allowing you to control access to zones and traffic movement
between zones.
Zones prevent uncontrolled traffic from flowing through the firewall
interfaces into your network because firewall interfaces can’t process
traffic until you assign them to zones. The firewall applies zone
protection on ingress interfaces, where traffic enters the firewall
in the direction of flow from the originating client to the responding
server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Layer 2 or Layer 3) must match, which helps to
protect the network against admitting traffic that doesn’t belong in a zone. For
example, you can assign a Layer 2 interface to a Layer 2 zone or a Layer 3 interface to
a Layer 3 zone, but assigning a Layer 2 interface to a Layer 3 zone isn’t supported.
In addition, a firewall interface can belong to one zone only.
Traffic destined for different zones can’t use the same interface,
which helps to prevent inappropriate traffic from entering a zone
and enables you to configure the protection appropriate for each
individual zone. You can connect more than one firewall interface
to a zone to increase bandwidth, but each interface can connect
to only one zone.
After the firewall admits traffic to a zone, traffic flows freely within that zone and isn’t
logged. The more granular you make the zones, the greater the control you have over the
traffic that accesses each zone, and the more difficult it is for malware to move
laterally across the network between zones. Traffic can’t flow between zones unless a
Security policy rule allows it and the zones are of the same zone type (Layer 2 or Layer
3). For example, a Security policy rule can allow traffic between two Layer 3 zones, but
not between a Layer 3 zone and a Layer 2 zone. The firewall logs traffic that flows
between zones when a Security policy rule permits interzone traffic.
By default, Security policy rules prevent lateral movement of traffic between zones, so malware
can’t gain access to one zone and then move freely through the network to other
targets.
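The rules above (interface and zone types must match, one interface belongs to one zone, intrazone traffic flows unlogged, interzone traffic is denied unless a Security policy rule between two zones of the same type allows it, and permitted interzone traffic is logged) can be captured in a small policy model. The following is an added example, not Palo Alto Networks code; zone and interface names are constructed, and it models only what this page describes (for instance, logging of denied traffic is not covered here).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Zone:
    name: str
    layer: int          # zone type: 2 (Layer 2) or 3 (Layer 3)

@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str         # "allow" or "deny"

@dataclass
class ZoneModel:
    zones: dict = field(default_factory=dict)        # name -> Zone
    iface_zone: dict = field(default_factory=dict)   # interface -> zone name
    rules: list = field(default_factory=list)        # ordered Security policy rules

    def add_zone(self, name, layer):
        self.zones[name] = Zone(name, layer)

    def assign_interface(self, iface, iface_layer, zone_name):
        """Bind an interface to a zone, enforcing type match and one-zone-per-interface."""
        zone = self.zones[zone_name]
        if iface_layer != zone.layer:
            raise ValueError(f"{iface}: Layer {iface_layer} interface cannot join "
                             f"Layer {zone.layer} zone {zone_name}")
        if iface in self.iface_zone:
            raise ValueError(f"{iface} already belongs to zone {self.iface_zone[iface]}")
        self.iface_zone[iface] = zone_name   # several interfaces may share a zone

    def evaluate(self, ingress_iface, egress_iface):
        """Return (action, logged) for a c2s flow entering on ingress, leaving on egress."""
        if ingress_iface not in self.iface_zone or egress_iface not in self.iface_zone:
            return ("drop", False)           # unassigned interfaces cannot process traffic
        src, dst = self.iface_zone[ingress_iface], self.iface_zone[egress_iface]
        if src == dst:
            return ("allow", False)          # intrazone: flows freely, not logged
        if self.zones[src].layer != self.zones[dst].layer:
            return ("deny", False)           # no rule can join a Layer 2 and a Layer 3 zone
        for r in self.rules:                 # first matching interzone rule wins
            if r.from_zone == src and r.to_zone == dst:
                return (r.action, r.action == "allow")   # permitted interzone -> logged
        return ("deny", False)               # default: no lateral movement between zones
```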