When to use zone type Tunnel


L1 Bithead

I am setting up a LAN-to-LAN tunnel between my Palo Alto firewall and another Palo Alto device. When I look at the documentation online, they suggest I create a new zone and set the type to "Layer3". But I also see a type "Tunnel" in there. I would like to understand: should I select Tunnel or Layer3 for the zone that will be applied to the VPN tunnel?

Below are the documents I have read from Palo Alto. I would like to ask what you have selected as the zone type, and why, for the VPN tunnel.

https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-types-interface-types-tap-mode-vi...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-site-to-site-vpn/...

Thanks.

2 REPLIES

L6 Presenter

@Ismailsh wrote:

> I would like to understand: should I select Tunnel or Layer3 for the zone that will be applied to the VPN tunnel?

At the end of the day it's about your security intent. You have 2 locations, each with their own local "LAN" or "trust" zones. Connecting these 2 locations, how did you want to apply security policy to traffic which flows between them?

If you put the tunnel in the same zone as the respective site's LAN zone, then you're essentially calling both sites the same security layer. If you want to start off with a more restrictive security policy, then use a new/unique security zone at each location that the tunnel will be a part of.

Hi Brendan,

Thanks for the reply. What I want to understand is what I should set the type of the zone to. Should I select Layer3 or Tunnel? What is the difference between the two? Please see the attached screenshot of the types in the zone dialog.
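Added example, not from this thread and not Palo Alto Networks' own documentation: the PAN-OS CLI configuration that follows Brendan's advice and the linked site-to-site VPN guide, binding the IPsec tunnel interface to its own Layer3 zone and allowing only the traffic the two sites actually need. The Tunnel zone type exists for the tunnel content inspection feature (policy on the inner traffic of cleartext tunnels such as GRE and VXLAN) and takes no interfaces, so it cannot be assigned to a tunnel.X interface; a site-to-site IPsec VPN terminates on a Layer3 tunnel interface and therefore needs a Layer3 zone. The zone names (Trust, VPN-Branch), interface number, addresses and permitted applications are assumptions, and the IKE gateway and IPsec tunnel object that reference tunnel.1 are assumed to be configured already as in the linked guide.

```text
# PAN-OS CLI, configuration mode. Names and addresses are assumed values.
configure

# Tunnel interface that the (already configured) IPsec tunnel object binds to.
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network interface tunnel units tunnel.1 comment "Site-to-site VPN to branch"
set network virtual-router default interface tunnel.1

# Dedicated Layer3 zone for the VPN. "layer3" is the zone type; the
# Tunnel type would not accept tunnel.1 at all.
set zone VPN-Branch network layer3 tunnel.1

# Route the remote LAN (assumed 10.20.0.0/16) through the tunnel.
set network virtual-router default routing-table ip static-route To-Branch-LAN destination 10.20.0.0/16 interface tunnel.1

# Explicit rules between the local LAN zone (assumed "Trust") and the VPN
# zone. Because VPN-Branch is a separate zone, nothing crosses the tunnel
# unless a rule allows it; the default intrazone-allow never applies.
set rulebase security rules Trust-to-Branch from Trust to VPN-Branch source 10.10.0.0/16 destination 10.20.0.0/16 application [ ssl dns ] service application-default action allow
set rulebase security rules Branch-to-Trust from VPN-Branch to Trust source 10.20.0.0/16 destination 10.10.0.0/16 application [ ssl dns ] service application-default action allow

commit
```

Placing the tunnel interface in the Trust zone instead would make branch-to-HQ traffic intrazone, which the default rule allows without logging; the separate zone is what turns Brendan's "more restrictive policy" into something the rulebase enforces.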
