https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460042#M102031 <P>Hello</P><P>&nbsp;</P><P>I found in documentation : "Assign destination zone based on Interface packet would egress from"</P><P>&nbsp;</P><P>What is behind this "would" ? How is choose the destination zone , based on FW topology or routing table or ?</P><P>&nbsp;</P><P>I have set a route (next hop Tunnel interface) to a subnet and a NAT rule.</P><P>I have a traffic from 2 differents source zone but same destination.</P><P>In log, destination zone is not the same for each traffic;</P><P>My rules are working but I can't explain why.</P><P>&nbsp;</P><P>So how is based the choice for the destination zone ?</P><P>&nbsp;</P><P>Thanks in advance</P> Fri, 21 Jan 2022 06:02:23 GMT didier.bonato 2022-01-21T06:02:23Z https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460042#M102031 <P>Hello</P><P>&nbsp;</P><P>I found in documentation : "Assign destination zone based on Interface packet would egress from"</P><P>&nbsp;</P><P>What is behind this "would" ? How is choose the destination zone , based on FW topology or routing table or ?</P><P>&nbsp;</P><P>I have set a route (next hop Tunnel interface) to a subnet and a NAT rule.</P><P>I have a traffic from 2 differents source zone but same destination.</P><P>In log, destination zone is not the same for each traffic;</P><P>My rules are working but I can't explain why.</P><P>&nbsp;</P><P>So how is based the choice for the destination zone ?</P><P>&nbsp;</P><P>Thanks in advance</P> Fri, 21 Jan 2022 06:02:23 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460042#M102031 didier.bonato 2022-01-21T06:02:23Z https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460269#M102050 <P>Hello,</P> <P>As for the logs, enable logging at session end on all polcies and then check the traffic logs to see what they say. As for egress zone, its where the traffic is going or where it will end up. Each interface must be assigned a zone, where the packets leaves the firewall interface, that would be the egress zone based on the interface.</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 21 Jan 2022 19:27:24 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460269#M102050 OtakarKlier 2022-01-21T19:27:24Z https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460496#M102083 <P>Hello</P><P>&nbsp;</P><P>Thanks for your reply.<BR />My question is not : how i can check the destination zone but how PAN OS set it ?</P><P>After checking routing table or depending on the topology of firewall or something else ?</P><P>&nbsp;</P><P>Regards</P> Mon, 24 Jan 2022 07:57:34 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460496#M102083 didier.bonato 2022-01-24T07:57:34Z https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460570#M102090 <P>Destination zone is decided based on routes in virtual router so yes routing table.</P><P>If you have Policy Based Forwarding rules that overlap with virtual router then PBF route will take precedence over virtual router.</P> Mon, 24 Jan 2022 14:09:27 GMT https://live.paloaltonetworks.com/t5/general-topics/destination-zone/m-p/460570#M102090 Raido_Rattameister 2022-01-24T14:09:27Z