The communication desired in the use case above is achieved
by configuring security policies that point to or from an
An external zone is a security object that is associated with a
specific virtual system that it can reach; the zone is external
to the virtual system. A virtual system can have only one external
zone, regardless of how many security zones the virtual system has
within it. External zones are required to allow traffic between
zones in different virtual systems, without the traffic leaving
The virtual system administrator configures the security policies
needed to allow traffic between two virtual systems. Unlike security
zones, an external zone is not associated with an interface; it
is associated with a virtual system. The security policy allows
or denies traffic between the security (internal) zone and the external zone.
Because external zones do not have interfaces or IP addresses
associated with them, some zone protection profiles are not supported
on external zones.
Remember that each virtual system is a separate instance of a
firewall, which means that each packet moving between virtual systems
is inspected for security policy and App-ID evaluation.