Creating Zones (Sub-Zones) on PA-500





This question might sound very stupid, but never mind: 

I have a PA-500 configured which does a specific job at layer 3, and that requires creating a lot of zones in order to differentiate the traffic (as per my understanding, zones are defined for differentiating between traffic. If my thinking is wrong, please correct me).

Since the PA-500 can only have 20 zones and I already have 18 zones configured (I would need more than this over the year), I was just wondering if there was any way of increasing this number by creating sub-zones (like creating sub-interfaces).

Or any sorts of work around....




Hi...Zones are used to define your network boundary and not necessary to differentiate traffic.  For example, separating users from server farm, inside vs outside vs dmz.  For multiple vlans where each vlan is an IP subnet for users, you can put all vlans on the same zone because they all are users.  Same goes for servers.   You may have some smtp servers, dns servers, & file servers and you can group them together under 1 zone.  Then you define security policies to control traffic between your users and your servers.

Thanks for the reply. It was useful, but the only problem I would face is that the zones for me define a customer's boundary or network. It does not necessarily mean different VLANs for me, as they are completely different networks and are external. It looks like:

Client -> A

Interface -> ethernet 1/6.1001

Source Zone -> Internal

Destination Zone -> A zone

IP Address ->

Client -> B

Interface -> ethernet 1/6.1002

Source zone -> Internal

Destination Zone -> B Zone

IP Address -> 128.x.x.x/24

Based on this, I will be creating zones for all the clients I register, which would run to quite a few. I can only see replacing the PA with a router or a layer 3 switch to pass the traffic onto their networks.

Any Thoughts..??



Why not create a zone for 'clients', or more broadly lump them into 'untrust' depending on which network interface the clients are behind. If the clients are all external off the internet then go with 'untrust'.

Then create address book definitions per client in the appropriate zone (ex. 'clients' or 'untrust'):

client-a-net =

client-b-net = 128.x.x.x/24

Then in your security policy permit the desired traffic to the zone and destination as appropriate.

Seems like it would work.

I think that's the more common way of using zones.

The zone is just the description of the "interface" (no matter if the interface is physical such as EthernetX/Y or logical such as VLAN123). So instead of using "ethernet1.6/200" or "vlan123" you give this interface a useful name such as "Internet".

Which means that your security rules look like

src zone: Internet

dst zone: DMZ-DNS

instead of

src interface: Ethernet1.6/200

dst interface: Ethernet1.3/104

And then use address objects and address groups to further make your security rules easier to interpret when you are staring at them.

Like (already mentioned):

client-a-net =

client-b-net = 128.x.x.x/24

with group:

client-internet = client-a-net, client-b-net

And your security rule becomes:

srczone: Internet

src ip: client-internet

src port: >1023

dstzone: DMZ-DNS

dst ip: dns-servers

dst port: specific (TCP53, UDP53)

appid: dns


action: allow

Many thanks for your thoughts, guys. I will try doing this in a couple of days' time to add in a new customer. Will get back to you guys on this..

So, this is how I would go around configuring it (EXAMPLE):

1.  Source Zone:  Internal

2.  Destination Zone:  External

3.  Create Layer 3 Sub-Interface:  ethernet 1/6.1010 with an ip address 

4.  Add an Address object: -> Client A

5.  Create a Security rule:  From Internal zone (Any source address) -> to External Zone with Destination Address of Client A (pulled from address object) -> any application, any service, no profiles (as it is basically allowing routing traffic from our Wireless Controller)


You will need a 2.5: Connect zone to (physical or logical) interface.

And personally I would apply a protection profile even for the wireless users 🙂
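The design agreed on in the thread (one shared External zone, a sub-interface per customer, an address object per customer, and the per-customer differentiation done in the rule's destination field) as PAN-OS CLI `set` commands. This is an added example, not configuration posted by anyone in the thread; it assumes an existing Internal zone, the default virtual router, and uses constructed documentation addresses, since the thread elides the real ones.

```text
# PAN-OS configure mode. Added example, not from the thread.
# Addresses are constructed (RFC 5737 documentation ranges), not the poster's values.
configure

# Step 3: layer-3 sub-interface for the new customer (VLAN tag 1010, as in the thread)
set network interface ethernet ethernet1/6 layer3 units ethernet1/6.1010 tag 1010 ip 192.0.2.1/30
set network virtual-router default interface ethernet1/6.1010

# Step 2.5: bind the sub-interface to the shared External zone.
# Without this the interface belongs to no zone and no security rule can match it.
set zone External network layer3 ethernet1/6.1010

# Step 4: one address object per customer instead of one zone per customer,
# plus a group for rules that apply to every customer at once
set address client-a-net ip-netmask 192.0.2.0/24
set address client-b-net ip-netmask 198.51.100.0/24
set address-group client-internet static [ client-a-net client-b-net ]

# Step 5: per-customer rule. The zone pair stays Internal -> External for every
# customer; only the destination address object changes, so the zone count does not grow.
set rulebase security rules allow-to-client-a from Internal to External source any destination client-a-net application any service any action allow
set rulebase security rules allow-to-client-a log-end yes

commit
```

Adding the next customer repeats only the sub-interface, zone binding, address object and rule lines; the 20-zone limit is never approached.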

Oh yes, connecting the zone to the physical or logical interface. With respect to security profiles, we have another firewall doing filtering, as this Palo Alto in question is doing content filtering in virtual wire mode for internal users and L3 routing. 🙂
