>
    Strata Copilot
    Prisma SD-WAN ZBFW
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Stacked Security Policies
    5. Security Policies (Original)
    6. Prisma SD-WAN ZBFW
    Download PDF
    Prisma SD-WAN

    Prisma SD-WAN ZBFW

    Table of Contents

    Prisma SD-WAN ZBFW

    Prisma SD-WAN Application Fabric includes an in-built security solution called the Zone-Based Firewall (ZBFW).
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    The zone-based firewall (ZBFW) is designed to create, manage, and enforce security policies and propagate those policies to all branch sites without using fragmented rules or managing security at an individual device-level. It is a lightweight security solution for securing the WAN perimeter and segmenting traffic within a branch site.
    • Securing the Perimeter—ION hardware and virtual devices include an application-aware, stateful, zone-based firewall to protect internet connections in the remote office. With the ION device, application-aware policies are defined that specify what is allowed into and out of the remote location, giving the administrator explicit control to secure the perimeter. Additionally, AppFabric is centrally managed through the cloud-delivered and deploys hardware, software, and storage to support the management and monitoring infrastructure.
    • Segment Traffic in the BranchPrisma SD-WAN uses the concept of zones and prefix filters within ZBFW rules to isolate and segment traffic in the branch.
    • Prepare to Configure ZBFW—To prepare for securing the network, conduct preliminary planning and evaluation of your environment.

    ZBFW Contructs

    ZBFW constructs include applications, prefix filters, zones, security policy sets, security policy rules, and actions. The information specified for these constructs defines the security policy you want to implement.

    ZBFW Application

    Applications are the core element of the ZBFW solution for controlling network traffic and implementing security policies. You use the same application definitions and fingerprinting technologies for security policies for path selection and quality of service (QoS) in network policy definition.

    ZBFW Prefix Filters

    Prefix filters specify a group of one or more individual IP addresses or IP address subnets. With security policies, prefix filters restrict access within a branch and filter out traffic to specific IP addresses within the particular source and destination zones. As with application definitions, you can reuse prefix filters across the rules and policy sets you have created for security policy rules.
    • Global prefix filters use the same set of prefixes. By applying the global prefix filters defined for custom applications, leverage the security policy application definition.
    • Local prefix filters use branch location. They enable you to address site-specific scenarios where devices in a specific zone such as a guest zone.
    Local filters allow administrators to create a single policy across all sites to describe application behavior, eliminating the need to develop individual policies on a per-site basis. It automatically populates the prefix values for the specific branch location and notifies the administrator to settle deals for local prefix filters as needed, if you add a new branch, simplify policy administration, and reduce the number of rules that need to be configured and managed.

    ZBFW Zones

    Zones specify enforcement boundaries where traffic subject to inspection and filtering. Each zone maps to networks attached to physical interfaces, logical interfaces, or sub-interfaces of a device. These zone-level interfaces serve as a proxy for physical circuits and virtual circuits, such as VLAN, Layer 3 VPN, and Layer 2 VPN circuits. You can manage and secure every interface in a zone independently.
    • Allow or deny every interface in zone access to other zones within an enterprise network.
    • Segregate interface traffic by blocking all access not explicitly allowed by the security policies of an enterprise.
    • Isolate networks that have private or secure information by restricting access to it from public networks.
    An area includes source and destination zones with network IDs for a site and is associated with one or more WAN, LAN, or VPN. Attach a zone to multiple networks, but each network type LAN, WAN, or VPN would be connected to one location.
    Typically, most organizations create three to four zones to segregate traffic using the model’s guest zone, one or more corporate LAN zones, an outside zone for internet underlay, and a corporate WAN zone for private WAN and VPN over the internet or private WAN.
    Define the network segments that allow or restricts the application access to control traffic between LAN or between LAN and WAN and, through site bindings, bind zones to the appropriate LAN and WAN interfaces at each site.
    In Security Policy rules, specify the source and destination zones to which the rule applies. You must establish one or more source and destination zones for each security rule to configure. The source zone identifies the network from where traffic originates and the destination zone identifies the destination traffic of the network.

    Security Policy Rules

    A security policy rule specifies the handling of application traffic between zones in a branch office. For each security policy rule, define source and destination zones, the applications to which the rule applies, optional prefix filters, and the appropriate action.
    By default, three security policy rules add to the end of every security policy set. These default policy rules provide a basic framework for handling network traffic and cannot be edited or deleted.
    If you don’t configure any security policy rules of your own, the following default security policy rules are applied:
    • Default—Denies all traffic from any source zone to any destination zone.
    • Self-Zone—Allows any traffic generated by the ION or destined to the ION on trusted L3 interfaces (L3 LAN, controller, or L3 private WAN interfaces). For an untrusted interface (L3 public WAN), only traffic initiated by the ION untrusted interface permits by this rule; unsolicited inbound traffic to a public WAN port drops by default regardless of ZBFW policy and zones applied.
    • Intra-Zone—Allows any traffic within the same zone.
    The new rules take precedence over the default rules and control how rules evaluate by specifying the ruling order.
    There is no limit on the number of security policy rules added to the network configuration.

    Security Policy Sets

    A security policy set provides a common administrative domain for a group of security policy rules applied to designated sites. Each security policy set is attached—or bound—to one or more areas and contains the collection of individual security rules that applies to those sites.
    By default, each security policy set has three default security policy rules. You can add security policy rules to a set to customize the traffic allowed, denied, or rejected from any source or destination zone in a site. You bind security policy sets to sites to map the firewall zones that specify interfaces and network segments and apply the associated security rules to the selected location.

    ZBFW Actions

    Prisma SD-WAN ZBFW supports the action to allow, deny, or reject traffic based on the security intent of the enterprise.
    • Allow—Traffic that matches this rule is permitted.
    • Deny—Traffic that matches this rule is dropped with no RESET or ICMP HOST UNREACHABLE message sent to the client or server.
    • Reject—TCP traffic that matches this rule sends a RESET message to both the client and the server.

    © 2026 Palo Alto Networks, Inc. All rights reserved.