Firewalls can only see/protect traffic that traverses security zones. Add internal zones to increase protection and for internal assets from lateral attacks.

Most people understand the need to inspect, protect and block traffic between the internet and the internal network. Some even add security zones for DMZ servers and services.

We have to get beyond that, with increased usage of clouds (VMware and Azure), people are setting up VPNs to connect them to data centers and internal networks, but generally placing them in the same "trust" or equivalent zone. That's a mistake and a lost opportunity to enhance cyber security protection.

The same happens for remote users, remote offices, server farms, storage farms, campus buildings, etc.

Use more zones! Adopt a philosophy of trust but validate. Adopt a zero trust model. Have remote users in a different security zone and inspect their traffic before going into the trust zone. Every cloud and different functional subnets within a cloud (if different tiers like database, middleware, web, etc.) should be in different security zones. 

Do the same for remote offices, allow any-any access if that makes sense, but enable inspection of traffic and disallow certain applications and all threats.

Like watertight doors on a ship, allow free flowing information where it makes sense, but enable inspection. 

My dentist once said you only need to floss the teeth you want to keep. You only need to separate your network into security zones to protect the assets you care about. With greater segmentation you have great protection, greater detection, much better visibility and the ability to do containment.