Prisma SD-WAN Administrator’s Guide
    : Bind Security Zones to Interfaces
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma SD-WAN
    4. Prisma SD-WAN Administrator’s Guide
    5. Prisma SD-WAN Stacked Security Policies
    6. Bind Security Zones to Sites and Devices
    7. Bind Security Zones to Interfaces
    Download PDF

    Prisma SD-WAN Administrator’s Guide

    Bind Security Zones to Interfaces

    Table of Contents

    Bind Security Zones to Interfaces

    Learn how to bind security zones to interfaces.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Active Prisma SD-WAN license
    You can attach or bind security zones to individual interfaces at the device-level. Bind zones to logical Layer 3 interfaces on a device and specify separate bindings for standard VPNs. You can bind security zones to the following types of interfaces.
    WAN interface types with attached WAN circuit labels:
    • Layer 3 stand-alone interfaces
    • Layer 3 sub-interfaces
    • Layer 3 PPPoE interfaces
    • Layer 3 bypass pair, where the WAN member interface is available for zone binding
    • Layer 2 bypass pair, where the WAN member interface is single for zone binding
    • Loopback bypass pairs
    Layer 3 Interfaces and Bypass pairs without a WAN circuit label:
    • Stand-alone Layer 3, where Used_for is LAN
    • Layer 3 bypass pair, where Used_for is LAN, and the LAN member interface is available for zone binding
    • Sub-interface Layer 3, where Used_for is LAN
    • Stand-alone, non-parent interface, where Used_for is NONE
    • Standard tunnel interface
    • Loopback bypass pairs
    You cannot bind zones to the following types of interfaces:
    • Controller interfaces
    • LAN member interfaces of Layer 2 bypass pairs
    • Parent interfaces of sub-interfaces and PPPoE interfaces
    If a site has both site-level bindings and device-level bindings, the two settings’ resulting configuration is united. In the event of a conflict between site-level bindings and device-level bindings, device-level bindings take precedence.
    You can bind security zones to device interfaces either by selecting a security zone first and then binding it to a device interface or you can select the device interface first and then select a security zone for binding.
    • Select a security zone and bind it to a device interface(s).
      1. Select ManagePoliciesSecuritySecurity Zones, and select a Security Zone.
      2. From the ellipsis menu for a security zone, select View Interface Bindings.
      3. Click Element.
      4. Click Bind New Element.
      5. Select an ION device and click Submit.
      6. On the Element Zone Binding screen, select an interface(s) to bind to the zone.
      7. Click Save.
    • Select a device from a site and bind a security zone to a device interface(s).
      1. Select WorkflowsSites/Data CentersSelect a SiteConfigurationAdvancedBind Security Zones.
      2. Select Devices and click Bind Zone.
      3. Select a zone to bind and then click Done.
      4. On the Zone Networks Binding for Zone screen, select an interface(s) to bind to the zone.
      5. Click Save.

    © 2024 Palo Alto Networks, Inc. All rights reserved.