About AubreyCooper

@AubreyCooper, Did you ask this question last week in the GlobalProtect forum? If not, you can find the same discussion there within the past week.   In short, the only thing that would technically prevent you from doing this is if you have mixed interface types. You can't have an L3 zone with L2 interfaces or an L2 zone with L3 interfaces for example. As long as that isn't an issue in your environment, there's nothing preventing you from including all three of your interfaces in the same zone.   Now for whether or not it is a good idea or not, most people would say no. General consensus would be that you have your VPN traffic terminate on its own zone so that you have full control and visibility into what is access by users. In general from a security aspect, the more segmented you make your zones the more control you have over what goes where and you can make finer access controls.  Now to be perfectly clear, it isn't that you can't include all three interfaces in the same zone and still have a secure network. You can still override your intrazone-default policy to deny and manually build out intrazone security rulebase entries to control traffic. That generally isn't advisable because it's easier to accidently over-provision access or have traffic not getting logged when crossing the firewall. By default, PAN firewalls don't track intrazone traffic, it doesn't get logged at all, and it automatically allows the traffic. If you design things carefully you can have this be just as secure as using multiple different zones, it just generally takes more effort to do so.   ... View more