PCNSA 2.5

Given a network diagram, create the appropriate security zones.

Palo Alto Networks PCNSA Study Guide v10

Palo Alto Networks firewalls use security zones to define where traffic is analyzed, controlled and logged. A zone logically groups one or more networks that share a trust level, so the policy you write reflects the network diagram rather than individual ports. Example zones are Outside, VPN, Infrastructure, Users, Extranet, Partners and Data Center.

Traffic, not the zone itself, is classified as intrazone (source and destination in the same zone) or interzone (source and destination in different zones). A zone contains one or more interfaces, all of the same type, and an interface can be a member of only one zone. Two predefined rules sit at the bottom of the Security policy rulebase: intrazone-default allows traffic within a zone and interzone-default denies traffic between zones, so a flow between two zones is dropped unless an explicit rule above them allows it.

Policies match on zones, not interfaces: Security, NAT and QoS rules are written in terms of source and destination zones, and the logging those rules produce is recorded per zone pair. Moving an interface into a different zone therefore changes which rules apply to its traffic without any rule being edited.

Zone Types:

  • Tap: the zone's interfaces receive mirrored (SPAN) traffic for passive analysis; the firewall can inspect and log the copy but cannot block the original flow.
  • Virtual Wire: binds two interfaces into a "bump in the wire" so traffic can be inspected and controlled without giving the firewall IP addresses, MAC addresses or a routing role on that path.
  • Layer 2: transparent firewall mode in which the interfaces participate in the Layer 2 (switched) domain and forward frames within it.
  • Layer 3: the firewall participates in routing and has IP addresses on the interfaces; this is the usual type for Outside, Users and Data Center zones.
  • Tunnel: used for tunnel content inspection, so the inner traffic of a tunnel (for example GRE) can be assigned its own zone and policy. Note that IPsec VPN tunnel interfaces (tunnel.N) are Layer 3 interfaces and are placed in a Layer 3 zone, not a Tunnel zone.
  • External: (only on firewalls that support multiple virtual systems, PA-2000 series and larger) a special zone that allows traffic to pass between virtual systems (vsys) on the same firewall.

NOTE: Zone names are case sensitive; "Users" and "users" are two different zones, and a rule that references the wrong case does not match the zone you intended.
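The following is an added example and is not code from the study guide or from Palo Alto Networks; it does not talk to a firewall. It is a small Python model of the rules above, used to sanity-check a zone plan drawn from a network diagram before typing it into a firewall: an interface may belong to only one zone, a zone holds interfaces of one type, zone names match case-sensitively, and policy is evaluated on zones with the implicit intrazone-default (allow) and interzone-default (deny) rules last. The interface names, zone names and rules in `build_example_plan()` are a constructed topology, not a real deployment.

```python
"""Zone-plan model for a PAN-OS style firewall (illustrative, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Zone types listed in the study guide; a zone may only hold interfaces of its own type.
ZONE_TYPES = {"tap", "virtual-wire", "layer2", "layer3", "tunnel", "external"}


@dataclass
class Zone:
    name: str
    ztype: str
    interfaces: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    from_zones: Set[str]   # {"any"} matches every source zone
    to_zones: Set[str]     # {"any"} matches every destination zone
    action: str            # "allow" or "deny"


class ZonePlan:
    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.iface_mode: Dict[str, str] = {}   # interface -> configured interface type
        self.iface_zone: Dict[str, str] = {}   # interface -> owning zone (at most one)
        self.rules: List[Rule] = []            # explicit rules, evaluated top to bottom

    def add_interface(self, name: str, mode: str) -> None:
        self.iface_mode[name] = mode

    def add_zone(self, name: str, ztype: str, interfaces: List[str]) -> Zone:
        if ztype not in ZONE_TYPES:
            raise ValueError(f"unknown zone type {ztype!r}")
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")
        for iface in interfaces:
            if iface not in self.iface_mode:
                raise ValueError(f"interface {iface!r} is not defined")
            if self.iface_mode[iface] != ztype:
                # A zone holds interfaces of a single type (e.g. no tap port in a layer3 zone).
                raise ValueError(f"{iface} is {self.iface_mode[iface]}, cannot join {ztype} zone {name!r}")
            if iface in self.iface_zone:
                # An interface can be a member of only one zone.
                raise ValueError(f"{iface} is already in zone {self.iface_zone[iface]!r}")
        zone = Zone(name, ztype, list(interfaces))
        self.zones[name] = zone
        for iface in interfaces:
            self.iface_zone[iface] = name
        return zone

    def add_rule(self, name: str, from_zones: List[str], to_zones: List[str], action: str) -> None:
        for z in set(from_zones) | set(to_zones):
            if z != "any" and z not in self.zones:   # exact, case-sensitive lookup
                raise KeyError(f"rule {name!r} references unknown zone {z!r}")
        self.rules.append(Rule(name, set(from_zones), set(to_zones), action))

    def zone_of(self, iface: str) -> str:
        if iface not in self.iface_zone:
            raise KeyError(f"{iface} is not assigned to any zone")
        return self.iface_zone[iface]

    def evaluate(self, src_iface: str, dst_iface: str) -> Tuple[str, str]:
        """Return (action, rule name) for a flow between two interfaces."""
        src, dst = self.zone_of(src_iface), self.zone_of(dst_iface)
        for rule in self.rules:
            if ((src in rule.from_zones or "any" in rule.from_zones)
                    and (dst in rule.to_zones or "any" in rule.to_zones)):
                return rule.action, rule.name
        # No explicit match: fall through to the predefined default rules.
        if src == dst:
            return "allow", "intrazone-default"
        return "deny", "interzone-default"


def build_example_plan() -> ZonePlan:
    """Constructed topology for illustration (hypothetical interfaces and zones)."""
    plan = ZonePlan()
    plan.add_interface("ethernet1/1", "layer3")   # ISP uplink
    plan.add_interface("ethernet1/2", "layer3")   # user VLAN A
    plan.add_interface("ethernet1/3", "layer3")   # user VLAN B
    plan.add_interface("ethernet1/4", "layer3")   # server segment
    plan.add_interface("ethernet1/5", "tap")      # SPAN feed from the core switch
    plan.add_zone("Outside", "layer3", ["ethernet1/1"])
    plan.add_zone("Users", "layer3", ["ethernet1/2", "ethernet1/3"])
    plan.add_zone("Data-Center", "layer3", ["ethernet1/4"])
    plan.add_zone("Tap", "tap", ["ethernet1/5"])
    plan.add_rule("Users-to-Outside", ["Users"], ["Outside"], "allow")
    plan.add_rule("Users-to-DC", ["Users"], ["Data-Center"], "allow")
    return plan


def rule_lookup_is_case_sensitive(plan: ZonePlan) -> bool:
    """True when a rule naming 'users' (wrong case) is rejected because only 'Users' exists."""
    try:
        plan.add_rule("bad-case", ["users"], ["Outside"], "allow")
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    p = build_example_plan()
    for flow in [("ethernet1/2", "ethernet1/3"), ("ethernet1/2", "ethernet1/1"), ("ethernet1/1", "ethernet1/2")]:
        print(flow, "->", p.evaluate(*flow))
```

Running the module prints that traffic between the two user VLANs is allowed by intrazone-default, Users to Outside by the explicit rule, and Outside to Users denied by interzone-default: the Data Center segment is reachable from Users only because a rule says so, and nothing in the model reaches it from Outside.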