Security Zone Overview

Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses specific interfaces on your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can belong to only one zone.

Policy rules on the firewall use security zones to identify where the traffic comes from and where it is going. Traffic can flow freely within a zone, but traffic cannot flow between different zones until you define a Security policy rule that allows it. To allow or deny inter-zone traffic, Security policy rules must reference a source zone and destination zone (not interfaces) and the zones must be of the same type; that is, a Security policy rule can allow or deny traffic from one Layer 2 zone only to another Layer 2 zone.
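
The zone constraints and default traffic behavior described above, modeled as a small Python audit check. This is an added example, not firewall code or configuration from the vendor. Zone, interface and rule names are constructed, rules here match on zones only, and first-match rule ordering is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"

def validate(zones, rules):
    """Return config errors. zones: {name: {"type": t, "interfaces": {iface: iface_type}}}."""
    errors, owner = [], {}
    for zname, zone in zones.items():
        for iface, itype in zone["interfaces"].items():
            if itype != zone["type"]:  # a zone holds interfaces of one type only
                errors.append(f"{iface}: {itype} interface in {zone['type']} zone {zname}")
            if iface in owner:  # an interface can belong to only one zone
                errors.append(f"{iface}: in both {owner[iface]} and {zname}")
            owner.setdefault(iface, zname)
    for r in rules:
        unknown = [z for z in (r.src_zone, r.dst_zone) if z not in zones]
        if unknown:
            errors.append(f"{r.name}: unknown zone {unknown[0]}")
        elif zones[r.src_zone]["type"] != zones[r.dst_zone]["type"]:
            errors.append(f"{r.name}: {r.src_zone} and {r.dst_zone} differ in type")
    return errors

def decide(zones, rules, in_iface, out_iface):
    """Verdict for traffic entering in_iface and leaving out_iface."""
    owner = {i: z for z, d in zones.items() for i in d["interfaces"]}
    src, dst = owner.get(in_iface), owner.get(out_iface)
    if src is None or dst is None:
        return "drop"  # an interface without a zone cannot process traffic
    for r in rules:  # assumption: rules are checked in order, first match wins
        if (r.src_zone, r.dst_zone) == (src, dst):
            return r.action
    return "allow" if src == dst else "deny"  # intra-zone free, inter-zone blocked

# Constructed sample configuration (names are hypothetical).
ZONES = {
    "trust":    {"type": "layer3", "interfaces": {"ethernet1/1": "layer3", "ethernet1/4": "layer3"}},
    "untrust":  {"type": "layer3", "interfaces": {"ethernet1/2": "layer3"}},
    "l2-users": {"type": "layer2", "interfaces": {"ethernet1/3": "layer2"}},
}
RULES = [
    Rule("outbound-web", "trust", "untrust", "allow"),
    Rule("bad-mixed", "l2-users", "untrust", "allow"),  # Layer 2 to Layer 3: invalid
]

if __name__ == "__main__":
    print(validate(ZONES, RULES))
    print(decide(ZONES, RULES, "ethernet1/1", "ethernet1/2"))
```

Run `validate` first and pass only rules that pass it to `decide`; the sample's `bad-mixed` rule is there to show the zone-type mismatch being flagged.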