Zone Protection for a Virtual Wire Interface
You can provide virtual wire interfaces with zone protection,
although a few packet-based attack protections that are based on IP
addresses don’t apply to virtual wire interfaces. In PAN-OS 8.0 and later
releases, you can protect virtual wire interfaces from non-IP protocols
of your choosing.
You can apply zone protection to a virtual wire interface,
but because virtual wire interfaces don’t perform routing, you can’t
apply Packet-Based Attack Protection to packets coming with a spoofed
IP address, nor can you suppress ICMP TTL Expired error packets or
ICMP Frag Needed packets.
By default, a virtual wire interface forwards all non-IP traffic
it receives. However, you can apply a zone protection profile with
Protocol Protection to block or allow certain non-IP protocol packets
between security zones on a virtual wire.