Zone Protection for a Virtual Wire Interface
You can provide virtual wire interfaces with zone protection,
but a few packet-based attack protections that are based on IP
addresses don’t apply to virtual wire interfaces. In PAN-OS 8.0 and
later releases, you can protect virtual wire interfaces from non-IP
protocols of your choosing.
You can apply zone protection to a virtual wire interface,
but because virtual wire interfaces don’t perform routing, you can’t
apply Packet Based Attack Protection to packets coming with a spoofed
IP address, nor can you suppress ICMP TTL Expired error packets or
ICMP Frag Needed packets.
By default, a virtual wire interface forwards all non-IP traffic
it receives. However, you can apply a zone protection profile with
Protocol Protection to block or allow certain non-IP protocol packets
between security zones on a virtual wire.