Learn how Prisma Access maps the zones in your security
policy for use in the cloud.
On a firewall, zones are associated with interfaces. Within
Prisma Access, however, the networking infrastructure is set up
for you automatically, so you no longer need to configure interfaces
and associate them with the zones you create. To enable consistent
security policy enforcement, you must instead create zone mappings
so that Prisma Access knows whether to associate a zone with an
internal (trust) interface or an external (untrust) interface. This
ensures that your security policy rules are enforced properly.

By default, all of the zones you push to Prisma Access are set to
untrust. Leave any zones associated with internet-bound traffic,
including your sanctioned SaaS applications, set to untrust. For all
zones that enable access to applications on your internal network or
in your data center, however, you must map them to trust.

Notice in the example below, all sanctioned SaaS applications—Office
365 and Salesforce in this case—are segmented into the sanctioned-saas
zone to enable visibility and policy enforcement over the use of
these applications. To enable Prisma Access to associate the sanctioned-saas
zone with an external-facing interface, you must map this zone to
untrust. Similarly, the eng-tools and dc-apps zones provide access
to applications in the corporate office, and you must therefore designate
them as trusted zones.
When creating zones, do not use any of the following names for
the zones, because these are names used for internal zones:
trust
untrust
inter-fw
Any name you use for the remote networks (remote network
names are used as the source zone in Strata Logging Service logs)
Prisma Access logs that display a zone of inter-fw are
logs used for communication within the Prisma Access infrastructure.
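The two rules above (internal-facing zones must be mapped to trust, and zone names must avoid the reserved names and any remote network name) are easy to get wrong when a policy is pushed by hand. The following is an added example of a pre-push lint, written for this page and not a Palo Alto Networks tool or API: it takes a plain list of zone definitions (the dict schema, the `reaches_internal` flag and the sample zone and remote network names are assumptions constructed for the example) and reports mappings that contradict the guidance, treating a missing mapping as the documented default of untrust.

```python
"""Pre-push lint for Prisma Access zone mappings.

Hypothetical helper written for this page; it does not talk to Prisma Access
and does not use any Palo Alto Networks API. It checks a list of zone
definitions against the guidance above: reserved names, remote network name
collisions, and trust/untrust mappings that match what the zone reaches.
"""

# Zone names Prisma Access reserves for its internal zones.
RESERVED_ZONE_NAMES = frozenset({"trust", "untrust", "inter-fw"})
VALID_MAPPINGS = frozenset({"trust", "untrust"})


def validate_zone_mappings(zones, remote_network_names=()):
    """Return a list of (zone_name, code, message) findings; empty means clean.

    zones: iterable of dicts (schema assumed for this example) with keys
        name             - zone name as it will be pushed
        reaches_internal - True if the zone gives access to applications on
                           the internal network or data center, False for
                           internet-bound traffic such as sanctioned SaaS
        mapping          - "trust" or "untrust"; omitted means the Prisma
                           Access default, which is untrust
    remote_network_names: remote network names, which appear as the source
        zone in logs and therefore must not be reused as zone names.
    """
    findings = []
    remote_names = {n.lower() for n in remote_network_names}
    seen = set()

    for zone in zones:
        name = zone["name"]
        key = name.lower()  # compare case-insensitively; "Trust" is still a clash

        if key in RESERVED_ZONE_NAMES:
            findings.append((name, "reserved-name",
                             f"'{name}' is a name used for internal Prisma Access zones"))
        elif key in remote_names:
            findings.append((name, "remote-network-collision",
                             f"'{name}' is also a remote network name"))

        if key in seen:
            findings.append((name, "duplicate", f"zone '{name}' is defined more than once"))
        seen.add(key)

        mapping = zone.get("mapping", "untrust").lower()  # default is untrust
        if mapping not in VALID_MAPPINGS:
            findings.append((name, "invalid-mapping",
                             f"mapping must be 'trust' or 'untrust', got '{mapping}'"))
            continue

        if zone["reaches_internal"] and mapping != "trust":
            findings.append((name, "needs-trust",
                             f"'{name}' reaches internal applications but is mapped to untrust"))
        elif not zone["reaches_internal"] and mapping == "trust":
            findings.append((name, "should-be-untrust",
                             f"'{name}' carries internet-bound traffic but is mapped to trust"))

    return findings


def check_sample_policy():
    """Run the lint over a constructed sample policy and return its findings."""
    # Constructed sample input; zone names follow the page's example where possible.
    zones = [
        {"name": "sanctioned-saas", "reaches_internal": False, "mapping": "untrust"},
        {"name": "eng-tools", "reaches_internal": True, "mapping": "trust"},
        {"name": "dc-apps", "reaches_internal": True},                    # left at default untrust
        {"name": "Trust", "reaches_internal": True, "mapping": "trust"},  # reserved name
        {"name": "branch-nyc", "reaches_internal": False},                # same as a remote network
    ]
    remote_networks = ["branch-nyc", "branch-sfo"]  # constructed names
    return validate_zone_mappings(zones, remote_networks)


if __name__ == "__main__":
    for zone_name, code, message in check_sample_policy():
        print(f"{code:26} {zone_name:16} {message}")
```

Running the sample flags dc-apps (internal-facing but left at the untrust default), the zone named Trust (reserved) and branch-nyc (collides with a remote network), while sanctioned-saas and eng-tools pass; the same function can be pointed at a zone list exported from your own policy before you push it.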