We did something similar when we were waiting on a new device to be delivered. You should not have any issues with differentiating the traffic. On ours, the zones are assigned to the tunnel interface for each of the tunnels and a different zone applied to the user VPN compared to the IPSec tunnels. It really is not much different than having multiple tunnels to sites that you want different rules for each tunnel. That is a very simple answer, but when we did it, it really was not complicated at all. 1) Yes. 2) Not sure if there is a term for it. 3) It does not require a different license than the GlobalProtect license, and that might not be required depending on how you are using GP. Good luck, Bruce.
... View more