Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall.

Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data, and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
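The following is an added example, not code from the Palo Alto Networks documentation, that models the zone-based evaluation described above in plain Python so the behaviour can be traced step by step: interfaces are grouped into zones, the source zone comes from the ingress interface, the destination zone comes from the egress interface chosen by a route lookup, rules are checked in order, and when nothing matches the firewall falls back to its implicit defaults (same-zone traffic allowed, cross-zone traffic denied, mirroring the PAN-OS intrazone-default and interzone-default rules). The interface names, zone names, addresses, route table, users and rules are all constructed for the illustration; the model is deliberately stateless and ignores NAT, App-ID inspection and session return traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: zones are groupings of interfaces.
INTERFACE_ZONE = {
    "ethernet1/1": "Trust",
    "ethernet1/2": "Untrust",
    "ethernet1/3": "Customer Data",
}

# Constructed route table: destination prefix -> egress interface.
# The egress interface decides the destination zone.
ROUTES = [
    (ip_network("10.10.0.0/24"), "ethernet1/1"),
    (ip_network("10.20.0.0/24"), "ethernet1/3"),
    (ip_network("0.0.0.0/0"), "ethernet1/2"),
]


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    users: set          # {"any"} or specific user/group names
    applications: set   # {"any"} or App-ID style names
    action: str         # "allow" or "deny"


@dataclass
class Packet:
    ingress_if: str
    src_ip: str
    dst_ip: str
    user: Optional[str]  # identity resolved for the source address, if any
    application: str


def egress_interface(dst_ip: str) -> str:
    """Longest-prefix match over the constructed route table."""
    dst = ip_address(dst_ip)
    best = max((net for net, _ in ROUTES if dst in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def _matches(value, allowed: set) -> bool:
    return "any" in allowed or value in allowed


def evaluate(packet: Packet, rules: list) -> tuple:
    """Return (rule_name, action) for the packet, including implicit defaults."""
    src_zone = INTERFACE_ZONE[packet.ingress_if]
    dst_zone = INTERFACE_ZONE[egress_interface(packet.dst_ip)]
    # Rules are evaluated top-down; the first full match decides.
    for rule in rules:
        if (_matches(src_zone, rule.from_zones)
                and _matches(dst_zone, rule.to_zones)
                and _matches(packet.user, rule.users)
                and _matches(packet.application, rule.applications)):
            return rule.name, rule.action
    # No explicit match: traffic within one zone is allowed by default,
    # traffic between different zones is denied by default.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase: only the DBA group may reach the Customer Data zone,
# and only over the applications they need; everything else relies on defaults.
RULES = [
    Rule("allow-dba-to-customer-data", {"Trust"}, {"Customer Data"},
         {"dba-team"}, {"ssh", "mssql-db"}, "allow"),
    Rule("allow-trust-to-internet", {"Trust"}, {"Untrust"},
         {"any"}, {"any"}, "allow"),
]


def dba_to_customer_data():
    return evaluate(Packet("ethernet1/1", "10.10.0.5", "10.20.0.10", "dba-team", "ssh"), RULES)


def staff_to_customer_data():
    return evaluate(Packet("ethernet1/1", "10.10.0.7", "10.20.0.10", "alice", "ssh"), RULES)


def internet_to_customer_data():
    return evaluate(Packet("ethernet1/2", "203.0.113.9", "10.20.0.10", None, "ssh"), RULES)


def trust_to_trust():
    return evaluate(Packet("ethernet1/1", "10.10.0.5", "10.10.0.9", "alice", "smb"), RULES)


if __name__ == "__main__":
    for fn in (dba_to_customer_data, staff_to_customer_data,
               internet_to_customer_data, trust_to_trust):
        print(f"{fn.__name__:28s} -> {fn()}")
```

Running the script shows the point of the paragraph: a packet from an ordinary Trust user, or from the Untrust side, never reaches the Customer Data zone because no rule permits it, while the same packet from the DBA group is allowed by the explicit rule. Two hosts inside Trust can still talk to each other under the intrazone default, which is why splitting sensitive servers into their own zone is what actually forces traffic through the rulebase.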