All Products
Search
Document Center

Secure Access Service Edge:Configure office zone identification

Last Updated:Jun 21, 2026

If employees are working in an office zone and do not need to use the SASE App for traffic redirection, or if only some applications require traffic redirection through the SASE App, you can define an office zone by setting specific criteria. The SASE App uses the configured criteria to identify whether a user's device is in an office zone and then applies the corresponding traffic redirection policy. This topic describes how to configure a trusted office zone.

Office zone policies

After you connect to SASE, traffic from employees who access business applications is redirected to SASE by default for permission checks and forwarding. You can select a no-redirection policy for the SASE App based on the network topology of your office zone. This prevents your internet egress bandwidth from being consumed when employees mistakenly use the SASE App in the office zone.

SASE supports the following two non-redirection policies for office zones:

  • In an office zone, the SASE App does not redirect traffic

    Use this policy when your office network can access all required business applications without requiring a SASE connection.

  • In an office zone, the SASE App does not redirect traffic for specific applications

    Use this policy when your office network can only access some business applications. Other applications require a SASE connection.

Procedure

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane on the left, choose Private Access > Terminal Access.

  3. On the Access Point Management tab, click Office Zone Identification, and then select a traffic redirection policy.

  4. At the bottom of the Office Zone Identification page, click Create Identification Rule. Configure the identification rule based on the following parameters.

    You can create one or more identification rules. If multiple rules exist, SASE considers a device to be in the office zone if it matches any rule.

    Parameter

    Description

    Rule Name

    The rule name. It must be 2 to 128 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Conditions

    Set one or more of the following conditions:

    • Office Zone SSID: Enter the Service Set Identifier (SSID) of your office wireless LAN (WLAN).

    • Accessible Internal IP Address: An internal IP address reachable only from the office network. The SASE client automatically probes this IP address. If the connection is successful, SASE uses this condition to identify the office zone.

    • Accessible Internal Domain: An internal domain reachable only from the office network. The SASE client automatically probes this domain. If the connection is successful, SASE uses this condition to identify the office zone.

    • Office CIDR Block: Specify the IP address range of your office network. The user's device IP must be within this range.

    You can set the logic between conditions to OR or AND. The default is OR. You can click OR to switch to AND.

  5. If you selected the policy to not redirect traffic for specific applications, you must associate the relevant applications.

    Click Configure. In the Add Application panel, add the internal applications by their tags or names.

  6. Click Save.

Other operations

You can perform the following operations as needed:

  • Edit: Click Edit Rule to modify a configured identification rule.

  • Delete: Click Edit Rule and then Delete to remove the rule.

    Important

    After you delete an identification rule, SASE no longer uses it to identify the office zone. Proceed with caution.

Related documents