Communication within different Trust Zones


L1 Bithead


I am working with PAN-500 3.0.9.

I have configured 2 trust zones and 2 untrusted zones.

l3-trust IP; l3-untrust 200.78.x.x

l3-trust2 IP; l3-untrust 201.161.x.x

I need users from l3-trust to get access to servers located at l3-trust2.

I have this policy:

From l3-trust2 to l3-trust source address destination address Action Allow.

From l3-trust to l3-trust2 source address destination address Action Allow.

Right now, this is not working.

I hope you could help me.



L4 Transporter

Hello there,

Your scenario looks very straightforward.

I would verify the following:

1. The l3-trust and l3-trust2 interfaces are on the same virtual router on the Palo Alto device.

2. Are there any NAT rules that could be catching any of the traffic between these two zones? For example, do you have a NAT rule that says source zone: l3-trust and destination zone any?

3. For now you can make sure that the application and the service are both set to "any". This of course is only while you are troubleshooting, to eliminate the possibility of you not allowing the applications you are expecting to pass traffic (ping).

4. You can set the source and destination addresses to any also. This is to make sure that you did not make a mistake while typing in the source and destination address or while creating the address objects.

5. Verify the routing in your network. Basically, make sure that when the network tries to route to 192.168.10.x, it is pointed to the Palo Alto device. Check this going the other way also. Please be diligent in checking the routing, as this is often the root of issues like this.

If you are still having issues after checking the above then please call into support and we can aid in isolating the source of this issue.




We are also facing a similar problem. Communication between trust and trust2 happens if I put in a NAT rule (like source zone trust and destination zone trust2, and destination interface should be the trust interface); then it works. Though sometimes ICMP is not working between the two trust zones, whereas FTP and remote desktop are working. The same has been tested with different OS and different models of PAN. Please suggest how to fix this problem.

Not applicable


I am working with PAN-3020 Ver 5.0

I have configured 2 trust zones and 2 untrusted zones with two VRs configured as default routes.

l3-trust IP; l3-untrust 200.78.x.x, VR1 (NAT, configured as default route)

l3-trust2 IP; l3-untrust2 201.161.x.x, VR2 (NAT, configured as default route)

I need users from l3-trust to get access to servers located at l3-trust2.

Could you please help with how to implement this scenario?

Thanks in advance.

Hi znlwin,

On VR1 you have to add a route with next VR VR2.

On VR2 you have to add a route with next VR VR1.
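The checks suggested in the replies above (same virtual router or routes between the two VRs, broad NAT rules, an allow rule for the initiating direction), sketched as a small offline audit. This is an added example, not part of any post and not PAN-OS output or API; the data layout, the rule name `internet-out` and the `audit` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    src_zone: str   # "any" matches every zone
    dst_zone: str

def zone_match(rule_zone, zone):
    return rule_zone in ("any", zone)

def audit(zone_vr, vr_next_vr, nat_rules, sec_rules, src, dst):
    """List items to review for src -> dst traffic, following the thread's checks."""
    findings = []
    # Same virtual router, or a route to the peer VR in both directions.
    src_vr, dst_vr = zone_vr[src], zone_vr[dst]
    if src_vr != dst_vr:
        for here, peer in ((src_vr, dst_vr), (dst_vr, src_vr)):
            if peer not in vr_next_vr.get(here, set()):
                findings.append(f"{here}: no route with next VR {peer}")
    # Broad NAT rules (e.g. source NAT with destination zone "any")
    # also catch zone-to-zone traffic.
    for rule in nat_rules:
        if zone_match(rule.src_zone, src) and zone_match(rule.dst_zone, dst):
            findings.append(f"NAT rule {rule.name!r} matches {src} -> {dst}")
    # An allow rule must exist for the initiating direction.
    if not any(zone_match(s, src) and zone_match(d, dst) and action == "allow"
               for s, d, action in sec_rules):
        findings.append(f"no allow rule from {src} to {dst}")
    return findings

# Constructed sample data modelled on the two-VR scenario in the thread.
ZONE_VR = {"l3-trust": "VR1", "l3-trust2": "VR2"}
SEC_RULES = [("l3-trust", "l3-trust2", "allow"),
             ("l3-trust2", "l3-trust", "allow")]
BROKEN = audit(ZONE_VR, {}, [NatRule("internet-out", "l3-trust", "any")],
               SEC_RULES, "l3-trust", "l3-trust2")
FIXED = audit(ZONE_VR, {"VR1": {"VR2"}, "VR2": {"VR1"}},
              [NatRule("internet-out", "l3-trust", "l3-untrust")],
              SEC_RULES, "l3-trust", "l3-trust2")

if __name__ == "__main__":
    for line in BROKEN:
        print("REVIEW:", line)
    print("after fixes:", FIXED)
```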
