Segment Your Network for a Reduced Attack Surface
Learn about how to segment your network for a reduced attack surface.
Traffic must pass through the NGFW in order for the NGFW to manage and control it. Physically, traffic enters and exits the NGFW through interfaces. The NGFW determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going.
On Palo Alto Networks NGFWs, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the NGFW. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data, and the more protection you have against malware moving laterally throughout your network.
For example, you might want to segment access to the database servers that store your
customer data into a zone called Customer Data. You can then define security policies
that only permit certain users or groups of users to access the Customer Data zone,
thereby preventing unauthorized internal or external access to the data stored in that
segment.
The following diagram shows a very basic example of network segmentation using zones. The more granular you make your zones (and the corresponding Security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intra-zone traffic), but traffic cannot flow between zones (inter-zone traffic) until you define a Security policy rule that allows it.
Additionally, an interface cannot process traffic until you have assigned it to a zone.
Therefore, by segmenting your network into granular zones you have more control over
access to sensitive applications or data and you can prevent malicious traffic from
establishing a communication channel within your network, thereby reducing the
likelihood of a successful attack on your network.
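The evaluation order described above, as an added Python model that is not part of the Palo Alto Networks documentation: the interface-to-zone map, the rulebase and the user groups are all constructed sample values, and the default intra-zone allow, inter-zone deny and unassigned-interface drop are modelled exactly as the text states them.

```python
from dataclasses import dataclass, field

# Constructed sample data: which zone each interface belongs to.
# An interface that has not been assigned to a zone cannot process traffic.
INTERFACE_ZONE = {
    "ethernet1/1": "Trust",
    "ethernet1/2": "Customer-Data",
    "ethernet1/3": "Untrust",
    "ethernet1/4": None,     # not yet assigned to any zone
    "ethernet1/5": "Trust",  # second interface in the Trust zone
}


@dataclass
class Rule:
    """One Security policy rule: source zones, destination zones, action."""
    name: str
    from_zones: set
    to_zones: set
    action: str                                     # "allow" or "deny"
    user_groups: set = field(default_factory=set)   # empty means any user


# Constructed rulebase, evaluated top-down; the first matching rule wins.
# Only the DBA group may reach the Customer Data segment; everyone in Trust
# may reach the Untrust (internet) zone.
RULES = [
    Rule("dba-to-customer-data", {"Trust"}, {"Customer-Data"}, "allow",
         {"dba-group"}),
    Rule("trust-to-internet", {"Trust"}, {"Untrust"}, "allow"),
]


def evaluate(ingress_if: str, egress_if: str, user_groups: set) -> str:
    """Return 'allow', 'deny' or 'drop' for a flow crossing the NGFW."""
    src_zone = INTERFACE_ZONE.get(ingress_if)
    dst_zone = INTERFACE_ZONE.get(egress_if)
    if src_zone is None or dst_zone is None:
        return "drop"  # interface without a zone cannot process traffic
    for rule in RULES:
        zones_match = src_zone in rule.from_zones and dst_zone in rule.to_zones
        user_match = not rule.user_groups or bool(rule.user_groups & user_groups)
        if zones_match and user_match:
            return rule.action
    # No explicit rule: intra-zone traffic flows freely, inter-zone is blocked.
    return "allow" if src_zone == dst_zone else "deny"
```

Adding a second Customer-Data interface or splitting Trust into finer zones changes nothing in `evaluate`; only the zone map and rulebase grow, which is the point of segmenting by zone.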
To start configuring zones and interfaces, click here.