Clicking the collapsible menu on the right and selecting 'Services' brings you to the Firewall Services page. It is this page that allows the admin fine control over which firewall zones have access to which PBX services:
Services Tab
SSH - Generally you do not allow untrusted access to this service
Web Management - Generally you do not allow untrusted access to this service
Web Management (Secure) - Ideally you would limit this service only to trusted traffic
UCP - User Control Panel - Ideally you would limit this service only to trusted traffic.
SIP Protocol - The pjsip service, if you want to allow untrusted access, it's preferred to enable the responsive firewall instead of allowing Internet zone
CHAN_SIP Protocol - The chan_sip service, if you want to allow untrusted access, it's preferred to enable the responsive firewall instead of allowing Internet zone
IAX Protocol - Inter Asterisk eXchange service, if you want to allow untrusted access, it's preferred to enable the responsive firewall instead of allowing Internet zone
WebRTC - UCP browser sessions use this service. If you don't allow untrusted access to UCP, you probably don't need untrusted access to WebRTC
Lets Encrypt - Used in cases where the Lets Encrypt service is dedicated to port 80
Extra Services Tab
The extra services tab is where access to the provisioning services are configured.
Generally it's best to disallow untrusted access to provisioning services. If provisioning services must be exposed to the Internet Zone, it is CRITICALLY IMPORTANT to ensure the service is protected by credentials.
Zulu UC - Enable for Internet zone if your Zulu clients are not whitelisted
iSymphony - Generally you do not allow untrusted access to this service
HTTP Provisioning - You do not allow untrusted access to this service
HTTPS Provisioning - Can enable untrusted access to this service provided credentials are enabled
OpenVPN Server - Generally this service is enabled for the Internet zone
REST Apps (HTTP) - Generally you do not allow untrusted access to this service
REST Apps (HTTPS) - Generally you do not allow untrusted access to this service
XMPP - Used for text chat in UCP. If UCP is not enabled for Internet, you probably don't need it for this service
FTP - used for provisioning, protected with credentials
TFTP - used for provisioning. CRITICALLY IMPORTANT NEVER ALLOW UNTRUSTED ACCESS TO THE SERVICE. If you can, it's probably best to just disable the tftp service altogether
NFS and SMB/CIFS - Generally not used on a PBX
Custom Services Tab
Any local services running on the PBX that are not located on the previous two tabs can be added to this tab and zoned appropriately.
Blacklist Tab
See the Firewall Blacklist page