Zone Protection for a Virtual Wire Interface
Focus
Focus

Zone Protection for a Virtual Wire Interface

Table of Contents
End-of-Life (EoL)

Zone Protection for a Virtual Wire Interface

You can provide virtual wire interfaces with zone protection; a few packet-based attack protections that are based on IP addresses don’t apply to virtual wire interfaces. In PAN-OS 8.0 and later releases, you can protect virtual wire interfaces from non-IP protocols of your choosing.
You can apply zone protection to a virtual wire interface, but because virtual wire interfaces don’t perform routing, you can’t apply Packet-Based Attack Protection to packets coming with a spoofed IP address, nor can you suppress ICMP TTL Expired error packets or ICMP Frag Needed packets.
By default, a virtual wire interface forwards all non-IP traffic it receives. However, you can apply a zone protection profile with Protocol Protection to block or allow certain non-IP protocol packets between security zones on a virtual wire.