US 12,192,171 B2
Supporting zone-based policy enforcement for a firewall connected to a one-arm load balancer
Charles Bransi, Palo Alto, CA (US); and Steven Alsop, Meriden (GB)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Sep. 16, 2021, as Appl. No. 17/447,821.
Prior Publication US 2023/0084011 A1, Mar. 16, 2023
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); H04L 45/74 (2022.01)
CPC H04L 63/0236 (2013.01) [H04L 45/74 (2013.01); H04L 63/205 (2013.01); H04L 2212/00 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
detecting a packet communicated during a session on a first interface of a firewall comprising the first interface and a second interface,
the first interface assigned to a first zone and the second interface assigned to a second zone different from the first zone;
after decapsulation of an outer header from the packet, performing a route lookup for a destination address included in an inner header exposed from the decapsulation,
determining an egress interface for the packet on which the packet is to exit the firewall based on a result of the route lookup;
determining a mode of deployment of the firewall for the session based on determining if the egress interface is the first interface or the second interface; and
sending the packet out on the egress interface for communication to the destination address.
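The steps of claim 1 (decapsulate the outer header, route-lookup the inner destination, derive the egress interface, classify the deployment mode from whether the egress interface matches the ingress interface, then apply policy by zone) can be followed in a small simulation. The block below is an added illustration written for this page; it is not Palo Alto Networks' implementation and the patent does not specify any of its particulars. Assumptions: the encapsulation is IP-in-IP (protocol 4), the interface names `ethernet1/1` and `ethernet1/2`, the zone names, the routing table, the policy table, the mode labels `one-arm` (egress equals ingress, i.e. the hairpin toward a one-arm load balancer in the same zone) and `two-arm`, and the packet builder used to construct test input are all invented here.

```python
"""Added example: zone-based policy after decapsulation and route lookup.

Not the patent's code. Interface names, zones, routes, policy entries, the
IP-in-IP encapsulation and the mode labels are all assumptions made for
illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_IPIP = 4  # outer header carries a complete inner IPv4 packet

# Hypothetical interface-to-zone assignment (first and second zones of claim 1).
ZONES = {"ethernet1/1": "lb-zone", "ethernet1/2": "server-zone"}

# Hypothetical routing table: (prefix, egress interface), longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "ethernet1/1"),  # VIPs behind the LB
    (ipaddress.ip_network("10.2.0.0/16"), "ethernet1/2"),  # backend servers
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/2"),    # default route
]

# Hypothetical zone policy: (from_zone, to_zone) -> action; anything else is denied.
POLICY = {
    ("lb-zone", "lb-zone"): "allow",        # intrazone hairpin toward the one-arm LB
    ("lb-zone", "server-zone"): "allow",
    ("server-zone", "lb-zone"): "deny",
}


def parse_ipv4_header(data: bytes):
    """Return (header_len, protocol, src, dst) parsed from an IPv4 header."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (ver_ihl & 0x0F) * 4
    return header_len, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 header of an IP-in-IP packet, exposing the inner header."""
    header_len, proto, _src, _dst = parse_ipv4_header(packet)
    if proto != IPPROTO_IPIP:
        raise ValueError(f"outer protocol {proto} is not IP-in-IP")
    return packet[header_len:]


def route_lookup(dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match over ROUTES; return the egress interface name."""
    best = None
    for prefix, iface in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


@dataclass(frozen=True)
class Verdict:
    ingress: str
    egress: str
    mode: str        # assumed labels: "one-arm" (egress == ingress) or "two-arm"
    from_zone: str
    to_zone: str
    action: str


def process_packet(packet: bytes, ingress: str) -> Verdict:
    """Apply the claim-1 sequence to one encapsulated packet seen on `ingress`."""
    inner = decapsulate(packet)                                   # expose inner header
    _hl, _proto, _inner_src, inner_dst = parse_ipv4_header(inner)
    egress = route_lookup(inner_dst)                              # route on inner dst
    mode = "one-arm" if egress == ingress else "two-arm"          # assumed mode rule
    from_zone, to_zone = ZONES[ingress], ZONES[egress]            # zones of the two interfaces
    action = POLICY.get((from_zone, to_zone), "deny")             # zone-based rule lookup
    return Verdict(ingress, egress, mode, from_zone, to_zone, action)


def build_ipip(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str) -> bytes:
    """Construct an IP-in-IP packet with an empty TCP inner payload (test data only)."""
    def header(src, dst, proto, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    inner = header(inner_src, inner_dst, 6, 0)
    return header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


if __name__ == "__main__":
    hairpin = build_ipip("192.0.2.1", "192.0.2.2", "10.2.3.4", "10.1.5.5")
    print(process_packet(hairpin, "ethernet1/1"))
```

The point the simulation makes explicit is that the policy decision is taken on the inner destination only after decapsulation, and that the ingress interface alone does not fix the zone pair: the same ingress interface yields an intrazone verdict when the route points back out the same interface and an interzone verdict otherwise.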