Each interface can be assigned to a single security zone. You then apply your security policy based on zones. For example, you can assign the inside interface to the inside zone; and the outside interface to the outside zone. You can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside, for example.
Each zone has a mode, either routed or passive. This relates directly to the interface mode. You can add routed and passive interfaces only to the same mode security zone.
Bridge Virtual Interfaces (BVIs) are not added to security zones. Only member interfaces are added to security zones.
You do not include the Diagnostic/Management interface in a zone. Zones apply to data interfaces only.
See Security Zone Object for more information about security zones.