2.2.1. Access control

A firewall controls which networks and hosts can be accessed, and who can access them. To create traffic rules, the networking environment of Zorp must first be described accurately; then access control can be applied to the traffic. This is achieved using zones and rules.

Zones consist of one or more IP subnets that Zorp handles together. By default, there is only a single zone: the IP network 0.0.0.0/0, which in practice means every IP address (that is, the entire Internet). Zones can be organized into a hierarchy that reflects the actual network, or the structure of the organization.

Although zones consist of IP subnets and/or individual IP addresses, the zone organization is independent of the subnetting practices of the organization. For example, a zone can be defined that contains the 192.168.7.0/24 subnet, and it can have a subzone containing addresses from the 10.0.0.0/8 range together with the single IP address 172.16.54.4/32. For details on zones, see Section 6.2, Zones.
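To make the zone model concrete, the following is an added Python example; it is not Zorp policy code and does not use Zorp's own Zone class. It models zones as named sets of subnets with a parent/child hierarchy and resolves an address to a zone. It assumes one lookup semantic, that the zone of an address is the one owning the most specific (longest-prefix) subnet containing it, with the 0.0.0.0/0 zone as the fallback; the zone names and ranges are constructed for illustration and mirror the example above.

```python
"""Zones as sets of IP subnets with a hierarchy (added example, not Zorp code).

Assumed semantics: the zone of an address is the one owning the most specific
subnet that contains it; the 0.0.0.0/0 zone catches everything else.
"""
import ipaddress
from typing import List, Optional


class Zone:
    """A named set of subnets and/or single addresses, optionally nested."""

    def __init__(self, name: str, subnets: List[str], parent: "Optional[Zone]" = None):
        self.name = name
        # strict=True rejects ranges with host bits set, e.g. "10.0.0.1/8"
        self.subnets = [ipaddress.ip_network(s, strict=True) for s in subnets]
        self.parent = parent
        self.children: List["Zone"] = []
        if parent is not None:
            parent.children.append(self)

    def path(self) -> List[str]:
        """Zone names from the root down to this zone, e.g. ['internet', 'office']."""
        chain, z = [], self
        while z is not None:
            chain.append(z.name)
            z = z.parent
        chain.reverse()
        return chain

    def is_within(self, other: "Zone") -> bool:
        """True if this zone is `other` or a (transitive) subzone of it."""
        z = self
        while z is not None:
            if z is other:
                return True
            z = z.parent
        return False


class ZoneTable:
    """Maps addresses to zones by the most specific matching subnet."""

    def __init__(self) -> None:
        self._entries = []  # (network, zone), sorted by prefix length, longest first

    def add(self, zone: Zone) -> None:
        for net in zone.subnets:
            for existing, owner in self._entries:
                if existing == net and owner is not zone:
                    # the same range in two zones would make lookups ambiguous
                    raise ValueError(f"{net} already belongs to zone {owner.name}")
            self._entries.append((net, zone))
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Zone]:
        ip = ipaddress.ip_address(addr)
        for net, zone in self._entries:
            if ip.version == net.version and ip in net:
                return zone  # first hit is the longest prefix
        return None  # no zone covers this address family


def build_example_zones() -> ZoneTable:
    """Constructed hierarchy: subzone ranges need not lie inside the parent's range."""
    internet = Zone("internet", ["0.0.0.0/0"])  # the default catch-all zone
    office = Zone("office", ["192.168.7.0/24"], parent=internet)
    servers = Zone("servers", ["10.0.0.0/8", "172.16.54.4/32"], parent=office)
    # a /24 carved out of the servers' /8 but placed in a different branch:
    # the most specific subnet decides membership, not the hierarchy
    dmz = Zone("dmz", ["10.0.5.0/24"], parent=internet)
    table = ZoneTable()
    for z in (internet, office, servers, dmz):
        table.add(z)
    return table


def zone_name(table: ZoneTable, addr: str) -> Optional[str]:
    zone = table.lookup(addr)
    return zone.name if zone is not None else None


if __name__ == "__main__":
    t = build_example_zones()
    for a in ("192.168.7.10", "10.42.0.1", "10.0.5.7", "172.16.54.4", "172.16.54.5", "2001:db8::1"):
        print(a, "->", zone_name(t, a))
```

Note the two points the example makes explicit: 172.16.54.5 is one address away from the /32 in the servers zone but falls through to the default zone, and an address in 10.0.5.0/24 resolves to the dmz zone even though 10.0.0.0/8 belongs to servers, because the longer prefix wins. An IPv6 address resolves to no zone at all here, since 0.0.0.0/0 is an IPv4 range; a deployment carrying IPv6 traffic needs an equivalent catch-all for that address family.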