Knowing how segmenting your network with zones protects
your network helps you understand the best ways to segment your
Zones not only protect your network by segmenting it
into smaller, more easily managed areas, zones also protect the
network because you can control access to zones and traffic movement
Zones prevent uncontrolled traffic from flowing through the firewall
interfaces into your network because firewall interfaces can’t process
traffic until you assign them to zones. The firewall applies zone
protection on ingress interfaces, where traffic enters the firewall
in the direction of flow from the originating client to the responding
server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Tap, virtual wire,
L2, L3, Tunnel, or External) must match, which helps to protect the
network against admitting traffic that doesn’t belong in a zone.
For example, you can assign an L2 interface to an L2 zone or an L3
interface to an L3 zone, but you can’t assign an L2 interface to
an L3 zone.
In addition, a firewall interface can belong to one zone only.
Traffic destined for different zones can’t use the same interface, which
helps to prevent inappropriate traffic from entering a zone and
enables you to configure the protection appropriate for each individual
zone. You can connect more than one firewall interface to a zone
to increase bandwidth, but each interface can connect to only one
After the firewall admits traffic to a zone, traffic flows freely
within that zone and is not logged. The more granular you make
each zone, the greater the control you have over the traffic
that accesses each zone, and the more difficult it is for malware
to move laterally across the network between zones. Traffic can’t
flow between zones unless a security policy rule allows it and the
zones are of the same zone type (Tap, virtual wire, L2, L3, Tunnel,
or External). For example, a security policy rule can allow traffic
between two L3 zones, but not between an L3 zone and an L2 zone.
The firewall logs traffic that flows between zones when a security
policy rule permits interzone traffic.
By default, security policy rules prevent lateral movement of
traffic between zones, so malware can’t gain access to one zone and
then move freely through the network to other targets.
Tunnel zones are for non-encrypted tunnels. You can apply
different security policy rules to the tunnel content and to the
zone of the outer tunnel, as described in the Tunnel Content Inspection Overview.