https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24106#M17565 <HTML><HEAD></HEAD><BODY><P>Every packet, including those that match an existing session, gets a route look-up. My recommendation is to ensure that there is a correct route for each IP in question:</P><P></P><P>&gt; test routing fib-lookup virtual-router &lt;VR_NAME&gt; ip &lt;IP_ADDRESS&gt;</P><P></P><P>Do this for both directions, and ensure that the destination interface matches the correct zone. If not, you'll want to either add a static route, update whatever dynamic routing you use, or modify your interface zone configuration to ensure the destination on the return path is pointing to the correct zone.</P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Fri, 29 Nov 2013 15:26:27 GMT gwesson 2013-11-29T15:26:27Z https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24105#M17564 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I failed to install FWs to custom.</P><P>The FW was L3 mode with two interface(untrust , trust).</P><P>When I installed inline, from untrust traffic did not go through to trust.</P><P>Destination IP was just trust zone. In addition, FW did not have nat , vpn and protection configurations and security police was allow.</P><P>At that time, I found out strange traffic logs and global counters.</P><P>This traffic logs was source zone untrust , destination zone untrust , action allow , packet-received 897K and packet-sent 0.</P><P>Destination IP was included trust zone. but destination zone was utrust.</P><P>Also, 'no destination zone from forwarding' counter on global counters was increasing too many.</P><P></P><P>Please somebody help me for explain this traffic log and this counter.</P><P>Thanks.</P></BODY></HTML> Wed, 27 Nov 2013 07:24:50 GMT https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24105#M17564 KiCheon.Lee 2013-11-27T07:24:50Z https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24106#M17565 <HTML><HEAD></HEAD><BODY><P>Every packet, including those that match an existing session, gets a route look-up. My recommendation is to ensure that there is a correct route for each IP in question:</P><P></P><P>&gt; test routing fib-lookup virtual-router &lt;VR_NAME&gt; ip &lt;IP_ADDRESS&gt;</P><P></P><P>Do this for both directions, and ensure that the destination interface matches the correct zone. If not, you'll want to either add a static route, update whatever dynamic routing you use, or modify your interface zone configuration to ensure the destination on the return path is pointing to the correct zone.</P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Fri, 29 Nov 2013 15:26:27 GMT https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24106#M17565 gwesson 2013-11-29T15:26:27Z https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24107#M17566 <HTML><HEAD></HEAD><BODY><P>Seems like you are trying to allow traffic inbound from outside. </P><P>In that case the NAT will be untrust to untrust. </P><P>Following doc explains how to create destination NAT on page 15</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1517">https://live.paloaltonetworks.com/docs/DOC-1517</A></P><P>Hope this helps.</P><P>Regards,</P><P>Numan</P></BODY></HTML> Mon, 02 Dec 2013 17:06:24 GMT https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24107#M17566 mbutt 2013-12-02T17:06:24Z https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24108#M17567 <HTML><HEAD></HEAD><BODY><P>Thanks Greg and Numan,</P><P>I had checked routing-table and fib-table but it is no problem.</P><P>And FW doesn't have NAT setting.</P><P>I have tested again on my lab.</P><P>This global count is increasing when interface down or no routing-table for destination ip.</P><P>Maybe, <SPAN style="font-size: 10pt; line-height: 1.5em;">I look like wrong negotiation for speed and duplex when it happened.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"> </SPAN></P></BODY></HTML> Tue, 03 Dec 2013 02:57:32 GMT https://live.paloaltonetworks.com/t5/general-topics/what-mean-is-no-destination-zone-from-forwarding-on-global/m-p/24108#M17567 KiCheon.Lee 2013-12-03T02:57:32Z