Zones are a lightweight way to say "these systems belong together" and "these systems should never talk to each other". Once defined, Access Gate scores every flow against your zones and raises an alert when a boundary is crossed unexpectedly.
Configure zones
To assign a subnet to a zone, open Settings -> Subnets and click the pencil icon next to the subnet you want to edit. In the Type section, choose the zone from the dropdown.
| Zone | Typical members | Talks to |
|---|---|---|
| VPN | Remote access over VPN | Internet, DMZ |
| IT | Office workstations, file servers | Internet, DMZ, OT (proxied) |
| OT | PLCs, HMIs, SCADA servers | Proxied via Access Gate |
| Guest | Guest wifi, temporary access | Isolated — no east-west |
| Vendor | Temporary access to specific machines | Isolated — no east-west |
| Public | WAN exposed assets | Internet |
You do not need to get zoning perfect on day one. Start with three or four zones, let traffic populate, and refine.
How Zones Power Detection
Once a flow is observed, Access Gate labels both endpoints with their zone and answers two questions:
- Is this crossing a boundary? If both endpoints sit in the same zone, no boundary is crossed.
- Is this crossing expected? You define a small matrix of allowed pairs; anything outside is flagged.
This turns zones into a cheap form of anomaly detection that does not require rule-writing.
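The two-question check above, written out as a small Python model. This is an added example, not Access Gate's own code: the subnet-to-zone map, the allowed-pair matrix, the proxy address and the flow records are all constructed for illustration, and the "Talks to" column is read directionally (source zone to destination zone). It also handles two cases the table does not spell out: an endpoint in no configured subnet is reported as unzoned rather than silently treated as Internet, and a flow into a proxied zone is only expected when it originates from the proxy.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical subnet -> zone assignments, standing in for Settings -> Subnets.
# All addresses are constructed for this example.
SUBNET_ZONES: Dict[str, str] = {
    "10.8.0.0/16": "VPN",
    "10.10.0.0/16": "IT",
    "10.20.0.0/24": "OT",
    "10.30.0.0/24": "Guest",
    "10.40.0.0/24": "Vendor",
    "203.0.113.0/24": "Public",
    "192.0.2.0/24": "DMZ",
}

# Allowed cross-zone pairs: source zone -> destination zones it may reach.
# Mirrors the "Talks to" column; isolated zones get an empty set.
ALLOWED: Dict[str, Set[str]] = {
    "VPN": {"Internet", "DMZ"},
    "IT": {"Internet", "DMZ", "OT"},
    "OT": set(),
    "Guest": set(),
    "Vendor": set(),
    "Public": {"Internet"},
    "DMZ": set(),
}

# Zones reachable only through the Access Gate proxy (hypothetical address).
PROXY_ONLY: Set[str] = {"OT"}
PROXY_ADDR = "10.10.0.250"

# Longest prefix first so a /24 carved out of a /16 wins.
_NETS = sorted(
    ((ipaddress.ip_network(n), z) for n, z in SUBNET_ZONES.items()),
    key=lambda t: t[0].prefixlen,
    reverse=True,
)


def zone_of(ip: str) -> str:
    """Label an endpoint: configured zone, 'Internet' for public space,
    or 'Unzoned' for private space that nobody has assigned yet."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    return "Unzoned" if addr.is_private else "Internet"


def evaluate_flow(src: str, dst: str) -> Tuple[str, str, str]:
    """Return (src_zone, dst_zone, verdict). Verdict is one of
    'same-zone', 'expected', 'unexpected', 'unzoned'."""
    sz, dz = zone_of(src), zone_of(dst)
    if "Unzoned" in (sz, dz):
        return sz, dz, "unzoned"          # question 1 cannot be answered
    if sz == dz:
        return sz, dz, "same-zone"        # question 1: no boundary crossed
    if dz in PROXY_ONLY and src != PROXY_ADDR:
        return sz, dz, "unexpected"       # bypassed the proxy
    if dz in ALLOWED.get(sz, set()):
        return sz, dz, "expected"         # question 2: pair is in the matrix
    return sz, dz, "unexpected"


# Constructed flow records: (src, dst, dst_port).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.10.0.15", "10.10.0.20", 445),    # IT -> IT file share
    ("10.10.0.15", "52.10.20.30", 443),   # IT -> Internet
    ("10.10.0.15", "10.20.0.5", 502),     # IT -> OT directly, not via proxy
    ("10.10.0.250", "10.20.0.5", 502),    # proxy -> OT
    ("10.30.0.9", "10.10.0.20", 445),     # Guest -> IT
    ("10.40.0.3", "10.20.0.5", 502),      # Vendor -> OT
    ("10.8.3.4", "192.0.2.10", 443),      # VPN -> DMZ
    ("172.16.5.5", "10.10.0.20", 22),     # source in no configured subnet
]


def find_alerts(flows: List[Tuple[str, str, int]]) -> List[str]:
    """Score every flow and keep only the ones that should raise an alert."""
    alerts = []
    for src, dst, port in flows:
        sz, dz, verdict = evaluate_flow(src, dst)
        if verdict in ("unexpected", "unzoned"):
            alerts.append(f"{verdict}: {src} ({sz}) -> {dst}:{port} ({dz})")
    return alerts


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_FLOWS):
        print(line)
```

Running it over the constructed flows raises four alerts: the workstation reaching OT without the proxy, Guest and Vendor crossing into zones they are not allowed to reach, and the flow from an address in no configured subnet. The last one is worth keeping as its own verdict: unzoned traffic usually means a subnet was missed during setup, which is exactly the refinement step the previous section asks for.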
Related
- Detection and alerts — the broader detection picture
- Protecting an asset with enclaves — enclaves are how you enforce a zone boundary