Configure trusted office zones - Secure Access Service Edge

Office zone identification lets the SASE App detect when a device is on your office network and skip unnecessary traffic redirection—preserving internet egress bandwidth for connections that actually need it.

This topic explains how to:

Choose a traffic redirection policy for your office zone.
Create identification rules that define when a device is considered on the office network.
Associate specific applications with the policy (if required).

How it works

By default, after an employee connects to SASE, all traffic to business applications is redirected through SASE for permission verification and forwarding. When the SASE App detects that a device meets your office zone identification conditions, it applies the configured non-redirection policy instead.

SASE supports two non-redirection policies:

Policy	When to use
When in an office zone, the SASE App does not redirect traffic	The office network can reach all required business applications. No SASE-established connectivity is needed.
When in an office zone, the SASE App does not redirect traffic for specific business applications	The office network can reach only some business applications. SASE still establishes connectivity for applications the office network cannot reach.

Prerequisites

Before you begin, ensure that you have:

Access to the Secure Access Service Edge console
The internal IP addresses, domain names, SSID names, or CIDR blocks that identify your office network

Create an office zone identification rule

Log on to the Secure Access Service Edge console.
In the navigation pane, choose Private Access > Terminal Access.
On the Access Point Management tab, click Office Zone Identification, then select a traffic redirection policy for your office zone.

At the bottom of the Office Zone Identification page, click Create Identification Rule, then configure the rule:

Parameter	Description
Rule name	Enter a name between 2 and 128 characters. Letters, digits, hyphens (`-`), and underscores (`_`) are supported.
Conditions	Add one or more of the following conditions: <br>- Office Zone SSID: The Service Set Identifier (SSID) of your office wireless network (WLAN). <br>- Accessible Internal IP Address: An internal IP address reachable only from the office network. The SASE client probes this address automatically—a successful connection counts as evidence that the device is on the office network. <br>- Accessible Internal Domain: An internal domain reachable only from the office network. The SASE client probes this domain automatically—a successful connection counts as evidence. <br>- Office CIDR Block: The IP address range of your office network. The current device's IP address must fall within this range.
Condition logic	Set the logical relationship between multiple conditions to OR (default) or AND. Click OR to switch to AND.

If you add multiple identification rules, a device is treated as being in the office zone when any rule is satisfied.

If you selected the policy that excludes specific applications from redirection, click Configure. In the Add Application panel, add the relevant internal business applications by application tag or application name.
Click Save.

Other operations

Operation	Steps
Edit an identification rule	Click Edit Rule and update the condition.
Delete an identification rule	Click Edit Rule, then click Delete.

Important

After an identification condition is deleted, SASE no longer uses it to identify your office zone. Proceed with caution.

What's next

To establish network connectivity for applications that the office network cannot reach, choose a method based on your network topology:
To apply Zero Trust policies to application access, see Configure zero-trust policies.