Question
What's a typical firewall deployment scenario for an SMB — what zones exist, what's in each, and why does this matter?
Answer
This scenario models a small-medium business (KMU): 3 zones — DMZ (public web server), Inside (file server + employee laptops), Outside (Internet) — all separated by a single zone-based firewall. The zoning idea is vendor-independent: this lab happens to use a Palo Alto PA-440 as its example device, but the same three-zone design applies to any zone-based firewall (Fortinet FortiGate, Cisco, pfSense, etc.) — an SMB does NOT need this specific model. Notably, the Inside zone holds two different subnets (a server subnet and a staff subnet) in the SAME zone, demonstrating that one zone can span multiple subnets.
* Zone topology — the Inside zone spans two subnets. *
* A 3-zone topology — two Inside subnets share one zone. *
The three zones and what they hold:
| Zone | Subnet(s) | Devices | Trust level |
|---|---|---|---|
| DMZ | 10.0.0.0/24 | Web server | Semi-trusted (publicly reachable) |
| Inside | 192.168.100.0/24 (server) + 192.168.110.0/24 (staff) | File server, employee PCs | Trusted |
| Outside | DHCP from ISP | Internet client | Untrusted |
The firewall ships with two zones pre-configured (trust/Inside and untrust/Outside); here you rename them to match the scheme and add the third zone (DMZ).
The threat model embedded in this design:
- Web server breached? Attacker is in DMZ — not the internal LAN. File server still protected. Note that the DMZ is "completely walled off": every connection in or out needs an explicit rule.
- Internet scan? Only sees what's explicitly published (the web server via DNAT). Internal subnets are unreachable.
The key teaching point — two subnets, one zone:
The file server (192.168.100.0/24) and the employee PCs (192.168.110.0/24) live in different subnets but the same Inside zone. This is deliberate: it shows that a zone is a trust grouping, not a network identifier:
"Fileserver und die Mitarbeiter-PCs sind zwar in derselben Zone, das schliesst jedoch nicht aus, zwei Subnetze zu erstellen."
Two internal networks (e.g. different departments) that need the same protection level can share one zone — which means you don't write separate rule sets for each.
Tip: Compare this to a flat home network where everything sits in one 192.168.1.0/24. This segmented design (separate DMZ, internal subnets, and an untrusted Outside) is what entry-level enterprise segmentation looks like, even at SMB scale.
Go deeper:
Network segmentation (Wikipedia) — why splitting a network into trust-based zones/subnets (DMZ, internal, untrusted Outside) limits an attacker's reach and is the security rationale behind this design.
Note saved — thanks!