Zones not only protect your network by segmenting it
into smaller, more easily controlled areas, zones also protect the
network because you can control access to zones and traffic movement
Zones prevent uncontrolled traffic from flowing through the firewall
interfaces into your network because firewall interfaces can’t process
traffic until you assign them to zones. The firewall applies zone
protection on ingress interfaces, where traffic enters the firewall
in the direction of flow from the originating client to the responding
server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Tap, virtual wire,
L2, L3, Tunnel, or External) must match, which helps to protect
the network against admitting traffic that doesn’t belong in a zone.
For example, you can assign an L2 interface to an L2 zone or an
L3 interface to an L3 zone, but you can’t assign an L2 interface
to an L3 zone.
In addition, a firewall interface can belong to one zone only.
Traffic destined for different zones can’t use the same interface,
which helps to prevent inappropriate traffic from entering a zone
and enables you to configure the protection appropriate for each
individual zone. You can connect more than one firewall interface
to a zone to increase bandwidth, but each interface can connect
to only one zone.
After the firewall admits traffic to a zone, traffic flows freely
within that zone and is not logged. The smaller you make each zone,
the greater the control you have over the traffic that accesses
each zone, and the more difficult it is for malware to move laterally
across the network between zones. Traffic can’t flow between zones
unless a security policy rule allows it and the zones are of the
same zone type (Tap, virtual wire, L2, L3, Tunnel, or External).
For example, a security policy rule can allow traffic between two
L3 zones, but not between an L3 zone and an L2 zone. The firewall
logs traffic that flows between zones when a security policy rule
permits interzone traffic.
By default, security policy rules prevent lateral movement of
traffic between zones, so malware can’t gain access to one zone
and then move freely through the network to other targets.
Tunnel zones are for non-encrypted tunnels. You can apply
different security policy rules to the tunnel content and to the
zone of the outer tunnel, as described in the Tunnel Content Inspection Overview.