Security zones are a logical way to group physical and
virtual interfaces on the firewall to control and log the traffic
that traverses specific interfaces on your network. An interface
on the firewall must be assigned to a security zone before the interface can
process traffic. A zone can have multiple interfaces of the same
type assigned to it (such as Tap, Layer 2, or Layer 3 interfaces),
but an interface can belong to only one zone.
Policy rules on the firewall use security zones to identify where
the traffic comes from and where it is going. Traffic can flow freely
within a zone, but it cannot flow between different zones until
you define a Security policy rule that allows it. To allow or deny
inter-zone traffic, Security policy rules must reference a source
zone and destination zone (not interfaces) and the zones must be
of the same type; that is, a Security policy rule can allow or deny
traffic from one Layer 2 zone only to another Layer 2 zone.
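As an added illustration of the zone model described above (example code written for this page, not from the original documentation or any vendor's product), the following Python toy enforces the constraints the text states: an interface passes no traffic until it is assigned to a zone, an interface belongs to exactly one zone, a zone only holds interfaces of its own type, rules reference zones rather than interfaces, both zones in a rule must be of the same type, and traffic is allowed within a zone but denied between zones unless a rule permits it. The first-match-wins rule ordering and the `ethernet1/x` interface names are assumptions, not something the page specifies.

```python
from dataclasses import dataclass

ZONE_TYPES = {"tap", "layer2", "layer3"}   # the interface/zone types named above

@dataclass
class Rule:
    name: str
    src_zone: str   # rules reference zones, never interfaces
    dst_zone: str
    action: str     # "allow" or "deny"

class Firewall:
    def __init__(self):
        self.zone_type = {}    # zone name -> type
        self.iface_zone = {}   # interface -> zone name (exactly one zone)
        self.rules = []        # ordered; first match wins (assumption)

    def add_zone(self, name, ztype):
        if ztype not in ZONE_TYPES:
            raise ValueError(f"unknown zone type {ztype}")
        self.zone_type[name] = ztype

    def assign(self, iface, iface_type, zone):
        # One zone per interface; a zone holds interfaces of its own type only.
        if iface in self.iface_zone:
            raise ValueError(f"{iface} already belongs to {self.iface_zone[iface]}")
        if iface_type != self.zone_type[zone]:
            raise ValueError(f"{iface} is {iface_type}, zone {zone} is {self.zone_type[zone]}")
        self.iface_zone[iface] = zone

    def add_rule(self, name, src_zone, dst_zone, action):
        # Source and destination zones must be of the same type.
        if self.zone_type[src_zone] != self.zone_type[dst_zone]:
            raise ValueError("source and destination zones must be the same type")
        self.rules.append(Rule(name, src_zone, dst_zone, action))

    def evaluate(self, in_iface, out_iface):
        """Return (action, reason) for a flow entering in_iface and leaving out_iface."""
        if in_iface not in self.iface_zone or out_iface not in self.iface_zone:
            return ("drop", "interface not in a zone")   # unassigned interfaces pass no traffic
        src, dst = self.iface_zone[in_iface], self.iface_zone[out_iface]
        for r in self.rules:
            if r.src_zone == src and r.dst_zone == dst:
                return (r.action, r.name)
        # No explicit rule: free within a zone, blocked between zones.
        return ("allow", "intrazone-default") if src == dst else ("deny", "interzone-default")
```

Note that the model is directional: allowing trust to untrust says nothing about untrust to trust, which still falls to the interzone default deny.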