Learn how Prisma Access maps the zones in your security
policy for use in the cloud.
On a firewall, zones are associated with interfaces. Within Prisma Access, however, the networking
infrastructure is set up for you automatically, so you no longer need to configure interfaces
and associate them with the zones you create (in Panorama Managed Prisma Access, the UI for
configuring interfaces is removed from Panorama, as are any other Panorama UI elements that are
unnecessary for Prisma Access).

To enable consistent security policy enforcement, you must still create zone mappings so that
Prisma Access knows whether to associate each zone with an internal (trust) interface or an
external (untrust) interface. This ensures that your security policy rules are enforced as
intended. By default, every zone you push to Prisma Access is set to untrust. Leave any zone
that carries internet-bound traffic, including traffic to your sanctioned SaaS applications,
set to untrust. Every zone that provides access to applications on your internal network or in
your data center must be mapped to trust.

In the example below, all sanctioned SaaS applications (Office 365 and Salesforce in this case)
are segmented into the sanctioned-saas zone to provide visibility and policy enforcement over
the use of these applications. For Prisma Access to associate the sanctioned-saas zone with an
external-facing interface, you must map this zone to untrust. The eng-tools and dc-apps zones,
by contrast, provide access to applications in the corporate office, so you must designate them
as trusted zones.
When creating zones, do not use any of the following names, because they are reserved for
internal zones:
- trust
- untrust
- inter-fw
- Any name you use for a remote network (remote network names are used as the source zone in
  Strata Logging Service logs)
Prisma Access logs that display a zone of inter-fw are logs of communication within the Prisma
Access infrastructure itself.
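The mapping rules and naming restrictions above are easy to get wrong when zones are pushed in bulk, so a pre-push check is useful. The following is an added example, not Palo Alto Networks' code or a Prisma Access API: it assumes the zone list and the explicit zone-to-trust/untrust mapping have been exported into plain Python structures, takes the remote network names as a separate parameter, and treats every zone not declared internal as internet-bound. The zone names sanctioned-saas, eng-tools and dc-apps come from the text; branch-1 is a constructed remote network name.

```python
"""Lint a Prisma Access zone-mapping table against the rules in the text.

Added example (not Palo Alto Networks code). Inputs are assumed to be:
  zones             - list of zone names pushed to Prisma Access
  internal_zones    - set of zones that reach the internal network / data center
  explicit_mapping  - dict zone -> "trust" | "untrust" as configured by the admin
  remote_networks   - names of remote networks (reserved as zone names)
Every zone not listed in internal_zones is treated as internet-bound.
"""

# Names reserved for Prisma Access internal zones.
RESERVED_ZONE_NAMES = {"trust", "untrust", "inter-fw"}
VALID_MAPPINGS = {"trust", "untrust"}


def reserved_names(remote_networks=()):
    """Internal zone names plus every remote network name (compared case-insensitively)."""
    return RESERVED_ZONE_NAMES | {name.lower() for name in remote_networks}


def apply_default_mapping(zones, explicit_mapping):
    """Pushed zones default to untrust unless the admin explicitly mapped them."""
    return {zone: explicit_mapping.get(zone, "untrust") for zone in zones}


def lint_zone_mapping(zones, internal_zones, explicit_mapping, remote_networks=()):
    """Return (effective_mapping, findings).

    findings is a list of human-readable problems; an empty list means the
    table follows the rules described in the text.
    """
    findings = []
    blocked = reserved_names(remote_networks)

    # Rule: never reuse a reserved name for a zone you create.
    for zone in zones:
        if zone.lower() in blocked:
            findings.append(f"zone '{zone}' uses a reserved name; rename it")

    # Sanity: explicit mappings must refer to pushed zones and valid values.
    for zone, mapping in explicit_mapping.items():
        if zone not in zones:
            findings.append(f"mapping refers to unknown zone '{zone}'")
        if mapping not in VALID_MAPPINGS:
            findings.append(f"zone '{zone}' has invalid mapping '{mapping}'")

    effective = apply_default_mapping(zones, explicit_mapping)

    for zone, mapping in effective.items():
        if zone in internal_zones and mapping != "trust":
            # Rule: internal / data center zones must be mapped to trust.
            findings.append(f"internal zone '{zone}' is left at untrust; map it to trust")
        elif zone not in internal_zones and mapping == "trust":
            # Rule: internet-bound zones (including sanctioned SaaS) stay untrust.
            findings.append(f"internet-bound zone '{zone}' is mapped to trust; set it to untrust")

    return effective, findings


if __name__ == "__main__":
    # Constructed input mirroring the example in the text.
    zones = ["sanctioned-saas", "eng-tools", "dc-apps"]
    internal = {"eng-tools", "dc-apps"}
    mapping = {"eng-tools": "trust", "dc-apps": "trust"}
    effective, problems = lint_zone_mapping(zones, internal, mapping, remote_networks={"branch-1"})
    print(effective)
    print(problems or "no findings")
```

Run it before pushing a new zone set; a non-empty findings list identifies zones that would either fail the naming restriction or be enforced against the wrong interface type.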