https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/567885#M2043 <P>One of the ways I've gotten around this before was using the 'regions' feature in the objects tab. You can input a subnet as a location and 'tag' it that way so it shows up in the logs as such.</P> Fri, 01 Dec 2023 02:50:21 GMT LAYER_8 2023-12-01T02:50:21Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/563706#M2021 <P>(sorry for the repost but the other forums/topic areas just don't ever seem to get a response when I post there and are much less active)</P> <P>&nbsp;</P> <P>In the deployment guides and conversations I've had it seems that the PA-VM firewall in Azure is typically designed around only four interfaces: trust, untrust, mgmt, HA. Two zones only: Trust/Untrust.&nbsp; Subnets used to isolate traffic.</P> <P>&nbsp;</P> <P>In my on-prem setups I've always had zones associated with either the interfaces or VLANs on those interfaces to help differentiate application of policies. I feel like it makes in plainly obvious in the policy where that traffic is coming from and going but prevents inadvertently allowing something you don't want allowed.</P> <P>&nbsp;</P> <P>I'd prefer to keep the ability to use the zones vs subnets and subnet groups. Is there a way to create another Zone for a subnet within Azure?&nbsp; I don't believe VLAN's are available in Azure so that options seems out.&nbsp; I'd like to setup a DMZ zone since that just seems more elegant to use and easier to read when looking at Policies.</P> <P>&nbsp;</P> <P>Palo support had suggested adding another interface but that doesn't seem like an option nor does it seem advisable based on what is considered a standard setup in Azure. The VM that the PA-VM runs on right now too is limited to four interfaces.</P> Tue, 31 Oct 2023 13:25:11 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/563706#M2021 TonyDeHart 2023-10-31T13:25:11Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/567885#M2043 <P>One of the ways I've gotten around this before was using the 'regions' feature in the objects tab. You can input a subnet as a location and 'tag' it that way so it shows up in the logs as such.</P> Fri, 01 Dec 2023 02:50:21 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/567885#M2043 LAYER_8 2023-12-01T02:50:21Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/568035#M2047 <P>Interesting. I'll have to explore that idea. Thank you for the suggestion!</P> Fri, 01 Dec 2023 12:43:40 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/568035#M2047 TonyDeHart 2023-12-01T12:43:40Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/568069#M2050 <P>There isn't much benefit from doing it this way compared to creating address groups and using them in policy besides the ACC tab. Regions show up in widgets so you can see named subnets, use them in policy, and are exposable via API for dynamic modification.&nbsp;</P> Fri, 01 Dec 2023 18:59:32 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-azure-multiple-zones-e-g-dmz-trust-unstrust-etc/m-p/568069#M2050 LAYER_8 2023-12-01T18:59:32Z