So I spoke with support, and received further information. The general summation is that the loopback interfaces work differently on the VM series (virtual firewalls) as compared to hardware firewalls. The article was written for a hardware firewall.
Support explained that the loopback interface on the VM series in a cloud environment does not handle packets in the same way. The cloud provider infrastructure knows nothing of the loopback interface nor it's routing. Using a loopback interface in the VM series does not allow you to change the security zone as described in the article.
This is specifically written for a hardware firewall which can perform an internal route lookup to find which interface an IP range is attached to, and leverage proxy arp to respond to ARP requests for IP addresses configured in NAT on the interface. This technique makes the configured IP address available to outside hosts trying to reach it while not being physically configured on the interface.
VM has two part of the interface/zone configuration, one on Firewall itself and corresponding interface association in AWS side. If you just configure a loopback, AWS does not know about this interface, hence the route lookup may fail.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!