How Do Zones Protect the Network?

Zones not only protect your network by segmenting it into smaller, more easily controlled areas, zones also protect the network because you can control access to zones and traffic movement between zones.
Zones prevent uncontrolled traffic from flowing through the firewall interfaces into your network because firewall interfaces can’t process traffic until you assign them to zones. The firewall applies zone protection on ingress interfaces, where traffic enters the firewall in the direction of flow from the originating client to the responding server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Tap, virtual wire, L2, L3, Tunnel, or External) must match, which helps to protect the network against admitting traffic that doesn’t belong in a zone. For example, you can assign an L2 interface to an L2 zone or an L3 interface to an L3 zone, but you can’t assign an L2 interface to an L3 zone.
In addition, a firewall interface can belong to one zone only. Traffic destined for different zones can’t use the same interface, which helps to prevent inappropriate traffic from entering a zone and enables you to configure the protection appropriate for each individual zone. You can connect more than one firewall interface to a zone to increase bandwidth, but each interface can connect to only one zone.
After the firewall admits traffic to a zone, traffic flows freely within that zone and is not logged. The smaller you make each zone, the greater the control you have over the traffic that accesses each zone, and the more difficult it is for malware to move laterally across the network between zones. Traffic can’t flow between zones unless a security policy rule allows it and the zones are of the same zone type (Tap, virtual wire, L2, L3, Tunnel, or External). For example, a security policy rule can allow traffic between two L3 zones, but not between an L3 zone and an L2 zone. The firewall logs traffic that flows between zones when a security policy rule permits interzone traffic.
By default, security policy rules prevent lateral movement of traffic between zones, so malware can’t gain access to one zone and then move freely through the network to other targets.
Tunnel zones are for non-encrypted tunnels. You can apply different security policy rules to the tunnel content and to the zone of the outer tunnel, as described in the Tunnel Content Inspection Overview.

Related Documentation