Zones describe and map the networking environment on the IP level. IP addresses are grouped into zones; the access policies of PNS operate on these zones. Zones specify segments of the network from which traffic can be received (source) or sent to (destination) through the firewall. Zones in PNS can contain:

The actual implementation of a zone hierarchy depends on the network environment, and the placement and role of PNS firewalls, the security policy, and so on.

The Internet zone which covers all possible IP addresses is defined on every site by default. If an IP address is not included in any user-defined zones, it belongs to the Internet zone. PNS policies permit traffic between two or more zones, so at least another zone — the intranet — must be created. Usually a special zone called demilitarized zone (DMZ) is defined for servers available from the Internet.

Zones in PNS can have a hierarchy, with a zone containing many subzones that may have their own subzones, and so on. From these zones, a tree hierarchy can be constructed. This hierarchy is purely administrative and independent from the IP addresses defined in the zones themselves: for example, a zone that contains the 192.168.7.0/24 subnet can have a subzone with IP addresses from the 10.0.0.0/8 range.

A network can belong only to a single zone, because otherwise the position of IP addresses in the network would be ambiguous.

The zone hierarchy is independent from the subnetting practices of the company or the physical layout of the network, and can follow arbitrary logic. The zone hierarchy applies to every host of a site.