Are your GRE tunnels going through some WAN connection or concentrator?

If your environment is on managed switches you could set the internet to one VLAN and your GRE output to another, then create tagged sub-interfaces for your vwire. Each sub-interface can have its own zone, so you'd be able to do just that (then bridge the VLANs behind your vwire).

 

You could also switch to a Layer 2 layout and have the firewall act as a switch rather than a router or a tube. You'd be able to put each of your 3 areas in a Layer 2 zone, bridge them all, and apply security policies between the zones.

 

If your GRE tunnels are terminated behind the firewall on the inside (it's not clear where you are terminating the tunnels) you can simply allow GRE from untrust to trust and/or trust to untrust.

 

Otherwise @BPry's solution is the way to go: differentiate between anything with 10.0.0.0 negated, or specifically for source/destination 10.0.0.0.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
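The following is an added illustration, not code from the post above or from Palo Alto Networks: a small Python model of how zone-based rules with a negated 10.0.0.0/8 address object separate GRE tunnel traffic from ordinary internet traffic. Zone names, rule names, addresses and the "negate = match only when the address is outside every listed network" semantics are constructed assumptions for the example and simplify a real firewall's policy evaluation, which is first-match in rule order here as well.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

GRE = 47  # IP protocol number for GRE (assumed well-known value)


@dataclass(frozen=True)
class Flow:
    """One session seen by the firewall (constructed sample data)."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP, 47 = GRE


@dataclass
class Rule:
    """Simplified security rule: zones, address objects with optional negation, protocols."""
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    src_nets: List[str] = field(default_factory=list)  # empty list = any source
    dst_nets: List[str] = field(default_factory=list)  # empty list = any destination
    negate_src: bool = False
    negate_dst: bool = False
    protos: Optional[Set[int]] = None  # None = any protocol
    action: str = "allow"

    @staticmethod
    def _addr_match(ip: str, nets: List[str], negate: bool) -> bool:
        # Assumed negation semantics: with negate=True the address matches
        # only when it is outside every listed network (e.g. "not 10.0.0.0/8").
        if not nets:
            return True
        addr = ipaddress.ip_address(ip)
        in_any = any(addr in ipaddress.ip_network(n) for n in nets)
        return not in_any if negate else in_any

    def matches(self, f: Flow) -> bool:
        return (
            f.src_zone in self.from_zones
            and f.dst_zone in self.to_zones
            and self._addr_match(f.src_ip, self.src_nets, self.negate_src)
            and self._addr_match(f.dst_ip, self.dst_nets, self.negate_dst)
            and (self.protos is None or f.proto in self.protos)
        )


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First-match evaluation; anything unmatched falls to an implicit deny."""
    for r in rules:
        if r.matches(f):
            return f"{r.name}:{r.action}"
    return "default:deny"


# Constructed rule base modelled on the two approaches from the thread:
# one rule specifically for 10.0.0.0/8 GRE tunnel endpoints, one for
# everything else ("10.0.0.0/8 negated") going to the internet.
RULES = [
    Rule("allow-gre-10net", {"trust"}, {"untrust"},
         src_nets=["10.0.0.0/8"], dst_nets=["10.0.0.0/8"], protos={GRE}),
    Rule("internet-out", {"trust"}, {"untrust"},
         src_nets=["10.0.0.0/8"], negate_src=True, protos={6, 17}),
]

# Constructed sample flows (RFC 5737 / RFC 1918 addresses).
SAMPLE_FLOWS = [
    Flow("trust", "untrust", "10.1.1.1", "10.2.2.2", GRE),        # tunnel between 10/8 endpoints
    Flow("trust", "untrust", "192.168.1.5", "203.0.113.10", 6),   # ordinary web traffic
    Flow("trust", "untrust", "192.168.1.5", "203.0.113.10", GRE), # GRE from a non-10/8 host
    Flow("trust", "untrust", "10.1.1.1", "203.0.113.10", 6),      # 10/8 host to internet: caught by negation
]


def classify_all(rules: List[Rule] = RULES, flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    return [evaluate(rules, f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, classify_all()):
        print(f"{flow.src_ip:>12} -> {flow.dst_ip:<14} proto {flow.proto:<3} => {verdict}")
```

The last sample flow is the one worth noticing: a 10.0.0.0/8 host talking TCP to the internet matches neither rule, because the GRE rule wants protocol 47 and the negated rule excludes the whole 10/8 source range. When you build the policy this way, check for exactly that kind of gap (or confirm it is intended) before relying on the negation to do the separation.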