End-of-Life (EoL)
The following topics describe network security zones.
What do you want to know? See:
What is the purpose of a security zone? Security Zone Overview
What are the fields available to configure security zones? Building Blocks of Security Zones
Looking for more? Segment Your Network Using Interfaces and Zones
Security Zone Overview
Security zones are a logical way to group physical and virtual interfaces on the firewall in order to control and log the traffic that traverses (through these interface on) your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type (for example, tap, layer 2 or layer 3 interfaces) assigned to it, but an interface can belong to only one zone.
Policy rules on the firewall use security zones to identify where the traffic comes from and where it is going. Traffic can flow freely within a zone, but traffic will not be able to flow between different zones until you define a security policy rule that allows it. For inter-zone traffic, security policy rules must reference a source zone and destination zone (not interfaces) to allow or deny traffic. The zones must be of the same type, that is, a security policy rule can allow or deny traffic from one Layer 2 zone to another Layer 2 zone only.
Building Blocks of Security Zones
To define a security zone, click Add and specify the following information.
Security Zone Setting Description
Name Enter a zone name (up to 31 characters). This name appears in the list of zones when defining security policies and configuring interfaces. The name is case-sensitive and must be unique within the virtual router. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Location This field is present only if the firewall supports multiple virtual systems (vsys) and that capability is enabled. Select the vsys to which this zone applies.
Type Select a zone type ( Tap, Virtual Wire, Layer2, Layer3, or External) to view all the Interfaces of that type that have not been assigned to a zone. The Layer 2 and Layer 3 zone types list all Ethernet interfaces and subinterfaces of that type. Add the interfaces that you want to assign to the zone. The External zone is used to control traffic between multiple virtual systems on a single firewall. It displays only on firewalls that support multiple virtual systems and only if the Multi Virtual System Capability is enabled. For information on external zones, see Inter-VSYS Traffic that Remains Within the Firewall . An interface can belong to only one zone in one virtual system.
Service Profile Zone for NSX ( VM-Series NSX edition firewalls only ) On Panorama, select this option to create one or more zones within a template that is used to deploy the VM-Series NSX edition firewall. When you select this option, Panorama automatically generates a pair of subinterfaces configured in a virtual wire and then pushes the pair to the VM-Series firewalls included in the template. On a Panorama commit, this zone becomes available as a service profile on the NSX Manager. You can use the service profile on the NSX Manager user interface to redirect traffic to the VM-Series firewalls that are configured with this zone. Before you select Service Profile Zone for NSX, make sure you select the correct template in the Template drop-down. The template name must match the name you specified in the VMware Service Definitions ( Panorama > VMware Service Manager). The virtual wire subinterfaces that are automatically created are not displayed under Network > Interfaces on the VM-Series firewall or on Panorama. You cannot manually select or assign the interfaces to the Service Profile Zone for NSX. Panorama creates a pair of subinterfaces that are configured in a virtual wire and assigns them to the zone. To enforce policy, you must use the same zone name as the source zone and the destination zone in a security policy prerule on Panorama. For more information, see Set Up the VM-Series NSX Edition Firewall .
Interfaces Add one or more interfaces to this zone.
Zone Protection Profiles Select a profile that specifies how the security gateway responds to attacks from this zone. To create a new profile, refer to Network > Network Profiles > Zone Protection.
Log Setting Select a Log Forwarding profile for forwarding zone protection logs to an external system. If you have a Log Forwarding profile named default, that profile will be automatically selected for this drop-down when defining a new security zone. You can override this default setting at any time by continuing to select a different Log Forwarding profile when setting up a new security zone. To define or add a new Log Forwarding profile (and to name a profile default so that this drop-down is populated automatically), click New (refer to Objects > Log Forwarding). If you are configuring the zone in a Panorama template, the Log Setting drop-down lists only shared Log Forwarding profiles; to specify a non-shared profile, you must type its name.
Enable User Identification If you configured User-ID™ to perform IP address-to-username mapping (discovery), select this option to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone. By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the Include List and Exclude List. User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if you select Enable User Identification. For details, see Define Subnetworks to Include/Exclude for User Mapping. Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources.
User Identification ACL Include List By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies. To limit the application of user mapping information to specific subnetworks within the zone, then for each subnetwork click Add and select an address (or address group) object or type the IP address range (for example, The exclusion of all other subnetworks is implicit—you do not need to add them to the Exclude List. Add entries to the Exclude List only to exclude user mapping information for a subset of the subnetworks in the Include List. For example, if you add to the Include List and add to the Exclude List, the firewall includes user mapping information for all the zone subnetworks of except, and excludes information for all zone subnetworks outside of Note that you can only include subnetworks that fall within the network range that User-ID monitors. For details, see Define Subnetworks to Include/Exclude for User Mapping.
User Identification ACL Exclude List To exclude user mapping information for a subset of the subnetworks in the Include List, for each subnetwork to exclude, click Add and select an address (or address group) object or type the IP address range. If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added.

Recommended For You