A network security engineer needs to permit traffic between two distinct VSYS that reside on one Palo Alto Networks firewall. This traffic will not egress the firewall to an external device. Which zone type must be configured to act as the logical source and destination for this traffic flow?
Correct Answer: D
In a multi-vsys (Virtual System) architecture on a Palo Alto Networks firewall, communication between two virtual systems can occur internally through the firewall's backplane without requiring the traffic to exit through a physical interface to an external switch or router. To facilitate this internal routing, a specialized zone type is required. While Layer 3 zones are used for standard routed traffic and are bound to physical or logical interfaces, the External zone type is specifically designed for inter-vsys communication.

When an engineer configures two virtual systems to talk to one another, they must create a zone in each VSYS and set the Type to External. These zones act as the logical "entry" and "exit" points for traffic crossing the VSYS boundary. For the traffic flow to be successful, the Virtual Router in the source VSYS must have a route (typically a next-vr route) pointing to the Virtual Router in the destination VSYS. However, from a security policy perspective, the firewall sees the traffic as egressing the External zone of the source VSYS and ingressing the External zone of the destination VSYS.

Without defining these zones as External, the firewall cannot logically associate the session with the internal backplane hand-off, and the traffic will be dropped despite having correct routing entries. This architectural requirement ensures that even internal virtual traffic remains subject to the firewall's zone-based security inspection.