Knowing how segmenting your network with zones protects
your network helps you understand the best ways to segment your
Zones not only protect your network by segmenting it
into smaller, more easily managed areas, zones also protect the
network because you can control access to zones and traffic movement
Zones prevent uncontrolled traffic from flowing through the firewall
interfaces into your network because firewall interfaces can’t process
traffic until you assign them to zones. The firewall applies zone
protection on ingress interfaces, where traffic enters the firewall
in the direction of flow from the originating client to the responding
server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Tap, virtual wire,
L2, L3, Tunnel, or External) must match, which helps to protect
the network against admitting traffic that doesn’t belong in a zone.
For example, you can assign an L2 interface to an L2 zone or an
L3 interface to an L3 zone, but you can’t assign an L2 interface
to an L3 zone.
In addition, a firewall interface can belong to one zone only.
Traffic destined for different zones can’t use the same interface,
which helps to prevent inappropriate traffic from entering a zone
and enables you to configure the protection appropriate for each
individual zone. You can connect more than one firewall interface
to a zone to increase bandwidth, but each interface can connect
to only one zone.
After the firewall admits traffic to a zone, traffic flows freely
within that zone and is not logged. The more granular you make
each zone, the greater the control you have over the traffic
that accesses each zone, and the more difficult it is for malware
to move laterally across the network between zones. Traffic can’t flow
between zones unless a security policy rule allows it and the zones
are of the same zone type (Tap, virtual wire, L2, L3, Tunnel, or
External). For example, a security policy rule can allow traffic
between two L3 zones, but not between an L3 zone and an L2 zone.
The firewall logs traffic that flows between zones when a security policy
rule permits interzone traffic.
By default, security policy rules prevent lateral movement of
traffic between zones, so malware can’t gain access to one zone
and then move freely through the network to other targets.
Tunnel zones are for non-encrypted tunnels. You can apply different
security policy rules to the tunnel content and to the zone of the
outer tunnel, as described in the Tunnel Content Inspection Overview.