>
    Strata Copilot
    Bind Zones to Sites and Devices
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Stacked Security Policies
    5. Security Policies (Original)
    6. Configure Security Policies
    7. Bind Zones to Sites and Devices
    Download PDF
    Prisma SD-WAN

    Bind Zones to Sites and Devices

    Table of Contents

    Bind Zones to Sites and Devices

    Prisma SD-WAN ZBFW allows to bind zones to sites.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    Zones bound at the site-level or the device-level to a specific interface or a subnet are bound to multiple networks at a site, including LANs, WANs, or VPNs. However, each network only attaches to one zone, and a device is bound to multiple interfaces or subnets. If a zone or device is not bound to an interface or subnet, it blocks all the traffic.
    In case of a conflict between site-level and device-level bindings, device-level bindings take priority. It is recommended to use device-level binding.
    Use site bindings to map firewall zones to interfaces and networks to attach the current security policy set to the selected site. You must bind a security policy set to a site to make its security policy rules applicable to the site and associated zones. When planning to bind sites, zones, and security policy sets, you should be aware:
    • Binding a zone to a site attaches networks to the zones for that site. A zone can have multiple networks, but a network can only have one zone.
    • Binding a security policy set to a site attaches the zone-based firewall rules to that site.
    • Binding a security policy set to a site will block all traffic not explicitly allowed by the security policy rules by default.

    Bind Zones to Devices

    Bind zones to logical Layer 3 interfaces on a device and specify separate bindings for standard VPNs. Zones bound to the interfaces:
    WAN interface types with attached WAN circuit labels:
    • Layer 3 stand-alone interfaces
    • Layer 3 sub-interfaces
    • Layer 3 PPPoE interfaces
    • Layer 3 bypass pair, where the WAN member interface is available for zone binding
    • Layer 2 bypass pair, where the WAN member interface is single for zone binding
    • Loopback bypass pairs
    Layer 3 Interfaces and Bypass pairs without a WAN circuit label:
    • Stand-alone Layer 3, where Used_for is LAN
    • Layer 3 bypass pair, where Used_for is LAN, and the LAN member interface is available for zone binding
    • Sub-interface Layer 3, where Used_for is LAN
    • Stand-alone, non-parent interface, where Used_for is NONE
    • Standard tunnel interface
    • Loopback bypass pairs
    Zones cannot be bound to the following types of interfaces:
    • Controller interfaces
    • LAN member interfaces of Layer 2 bypass pairs
    • Parent interfaces of sub-interfaces and PPPoE interfaces
    If a site has both site-level bindings and device-level bindings, the two settings’ resulting configuration is united. In the event of a conflict between site-level bindings and device-level bindings, device-level bindings take precedence.
    1. Click Map.
      Perform one of the following to search or select a site to display its configuration details.
      1. Type a site name or address in the search field.
      2. Click the right-facing arrow to display a list of existing sites.
    2. Select Options > Security Zone Binding and then once on the appropriate tab, click Bind Zone.
      Bind zones to devices from the Devices tab (zone bindings on devices override zone bindings on the site).
    3. Choose the zone name from the list of zones and Select.
    4. Choose the zone network bindings for the zone and Save.
      All VPNs are bound to a single zone. Verify that the networks you select for zone bindings are attached to an interface. A zone is bound to multiple networks, including LANs, WANs, or VPNs. However, each network is attached to one zone.
      Bind the zone to networks for a site when editing a policy set by selecting the security policy set. All VPNs are bound to a single zone and indicated as a single VPN in the Name column on the Zone Network Bindings for Zone screen. Once you have bound the zones to a site and an interface, create Security Policy Sets and Security Policy Rules for your traffic.

    © 2026 Palo Alto Networks, Inc. All rights reserved.