Create and Manage Process Zones

Group operational technology devices into process zones from a network visualization map, edit zone membership, delete zones you no longer need, and use assisted recommendations and criticality settings to refine your segmentation.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
What Do I Need?
  • OT Device Security subscription
You manage process zones from a network visualization map. Before you begin, create a visualization map that contains the OT devices you want to group.
When you create a new visualization map, you select a network (subnet or VLAN) and launch the workflow to create and manage process zones. Although you must create a process zone from a visualization map, you do not need to set the map's Device Grouping to Process Zone in order to create or edit a process zone. However, it is easier to edit existing process zones and the process zone assignments for devices from a visualization map with Device Grouping set to Process Zone. Unless otherwise stated, the instructions to create and manage process zones assume you are working from a network visualization map with Process Zone as the primary Device Grouping method.

Create a Process Zone

Follow these steps to group OT devices on a visualization map into a new process zone.
  1. From a network visualization map, click a group node to open its information panel, and then click Create Process Zone to open the create process zone workflow.
  2. Select the devices to include in the zone.
    You can select devices in any of these ways:
    • Use the Select Devices dropdown to search for a device by name and add it to the selection.
    • Click individual device nodes on the canvas to add them to the selection. When you click a device node, it also displays a list where you can select neighbor nodes.
    • From Select Neighbor Nodes, select all or select individual devices connected to the current device to add them to the selection.
  3. Search for and select a Zone Name to assign the selected devices to a process zone.
    Entering a name that doesn't already exist gives you the option to create a new process zone.
  4. Preview the new zone on the canvas to verify the grouped devices.
  5. Click Continue.
    The new zone is staged. You can repeat the selection and preview steps to create additional process zones in the same session before saving.
  6. Confirm the new zone to save it.

Edit a Process Zone

Follow these steps to remove devices from an existing process zone.
When you edit a process zone, you can only remove devices from it; you cannot add devices. To add devices to a process zone, either follow the steps to edit a device's process zone assignment, or switch to a different Device Grouping visualization method where you can see the devices you want to add to the process zone.
If you remove a device from a process zone by editing the process zone, the device is assigned to the Unknown process zone. You cannot view or edit devices in the Unknown process zone. To find the removed device and assign it to a new process zone, you must change the network visualization map to use a different Device Grouping.
  1. Open a network visualization map that contains the process zone that you want to edit.
  2. Click a process zone node to open its information panel, and then click Create Process Zone to open the create process zone workflow.
    Editing a process zone uses the same workflow as creating a new process zone.
  3. Click the Edit icon next to the process zone's name in the visualization canvas to update the zone membership.
    When you go into the edit workflow, the visualization shows all devices in the process zone as selected. They are also selected in the Select Devices dropdown.
    1. Remove devices that you want to unassign from all process zones.
      Clear currently selected devices to remove them from the zone. After you Preview and Continue with your changes, the removed devices are assigned to the Unknown process zone by default.
      If you don't want to unassign devices from all process zones, you can assign them to a different process zone by following the next step.
      You cannot delete a process zone by clearing all devices from it. If you try to remove all devices from the process zone, the process zone repopulates with all of the original devices after you clear the last device.
    2. Remove devices from the process zone and assign them to a different process zone.
      You can only move devices to one new process zone at a time. Deselect all devices except the ones you want to move, and then select the Zone Name for the process zone you want to move the devices to. You must Preview and Continue with the changes before you can move more devices to a different process zone.
  4. Click Preview to verify the updated membership.
  5. Click Confirm.
    Device Security writes the updated process zone assignments to the affected devices.

Edit a Device's Process Zone Assignment

Follow these steps to edit a device's process zone assignment.
You cannot directly remove a device from all process zones by editing the device's process zone assignment. To remove a device from all process zones, you must edit the process zone that the device is currently assigned to and remove the device from it.
If the device is the only remaining member of the process zone, you must first edit the device's process zone assignment to move the device to a second process zone with multiple devices. You can then edit the second process zone to remove the device from it. This sets the device to the Unknown process zone.
  1. Open a network visualization map that contains the device that you want to edit, and ensure that the Device Grouping is set to Process Zone.
    You can view and edit process zone assignments for devices without using the Process Zone Device Grouping, but it is not recommended because devices in process zones may be in different nodes depending on the Device Grouping.
  2. Click the process zone node where the device is currently assigned to open the node's information panel, and then click Create Process Zone to open the create process zone workflow.
  3. Select the device that you want to assign to a different process zone.
    You can select the device by:
    • Using the Select Devices dropdown to search for a device by name.
    • Clicking the device node on the canvas.
  4. Search for and select a Zone Name to assign the selected device to a process zone.
    Entering a name that doesn't already exist gives you the option to create a new process zone.
  5. Preview the new zone on the canvas to verify the grouped devices (both the old and the new process zones).
  6. (Optional) Edit the process zone assignment for additional devices that you want to assign to other process zones by repeating the steps above and specifying the desired process zones.
  7. Click Continue to update the canvas to show the updated, in-progress process zone assignments.
  8. Confirm the new process zone assignments to save them.

Delete a Process Zone

Delete a process zone when it no longer represents a meaningful grouping of your operational technology devices.
You cannot directly delete a process zone. Instead, you must edit the process zone assignment of all of its child devices, which indirectly deletes the process zone.
  1. Open a network visualization map that contains the process zone that you want to delete.
  2. Click a process zone node to open its information panel, and then click Create Process Zone to open the create process zone workflow.
    Deleting a process zone uses the same workflow as creating a new process zone.
  3. Edit the process zone assignment for all devices in the zone to assign them to a different process zone, or to remove them from the zone.
    You can assign the devices to different process zones, or keep them together in a different process zone.
    If you want to entirely remove the process zone assignment for some devices while reassigning other devices to a different process zone, you must first remove the devices that you do not want to assign to a new process zone. After you remove those devices, you can reassign the remaining devices to different process zones.
    If you want to delete the process zone without assigning any devices to a new process zone, remove all but one device from the process zone and then Preview and Confirm. Then edit the remaining device's process zone assignment to move the device to a second process zone with multiple devices. After you confirm this change, the current process zone is deleted.
    Remember to then edit the second process zone to remove the last device from it. This sets that last device to the Unknown process zone.
  4. Click Confirm.
    With no remaining members, Device Security removes the process zone.