Destination Zone


L1 Bithead

Hello

 

I found in the documentation: "Assign destination zone based on Interface packet would egress from"

 

What is behind this "would"? How is the destination zone chosen: based on FW topology, or routing table, or?

 

I have set a route (next hop Tunnel interface) to a subnet and a NAT rule.

I have traffic from 2 different source zones but the same destination.

In the log, the destination zone is not the same for each traffic.

My rules are working but I can't explain why.

 

So what is the choice of the destination zone based on?

 

Thanks in advance

3 REPLIES

Cyber Elite

Hello,

As for the logs, enable logging at session end on all policies and then check the traffic logs to see what they say. As for egress zone, it's where the traffic is going or where it will end up. Each interface must be assigned a zone; where the packet leaves the firewall interface, that would be the egress zone based on the interface.

 

Regards,

L1 Bithead

Hello

 

Thanks for your reply.
My question is not how I can check the destination zone, but how PAN-OS sets it.

After checking the routing table, or depending on the topology of the firewall, or something else?

 

Regards

Cyber Elite

Destination zone is decided based on routes in the virtual router, so yes, the routing table.

If you have Policy Based Forwarding rules that overlap with the virtual router, then the PBF route will take precedence over the virtual router.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
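
The lookup order described in this thread, as an added example that is not part of the original posts and is not PAN-OS code: a simplified Python model in which a matching PBF rule picks the egress interface first, otherwise the longest-prefix route in the virtual router does, and the destination zone is the zone bound to that interface. Interface names, zones, routes and the PBF rule are constructed sample data; real PBF rules match on more fields than the source zone and destination prefix used here.

```python
import ipaddress

# Constructed sample data: each interface is bound to exactly one zone.
INTERFACE_ZONE = {
    "ethernet1/1": "untrust",
    "ethernet1/2": "dmz",
    "tunnel.1": "vpn",
}

# Constructed virtual-router routes: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.20.0.0/16", "ethernet1/2"),
    ("10.20.30.0/24", "tunnel.1"),
]

# Constructed PBF rules: (source zone, destination prefix, egress interface).
PBF_RULES = [
    ("guest", "10.20.30.0/24", "ethernet1/2"),
]


def route_lookup(dst_ip, routes=ROUTES):
    """Return the egress interface of the longest-prefix matching route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def destination_zone(src_zone, dst_ip, pbf_rules=PBF_RULES):
    """Return (zone, decided_by); a matching PBF rule wins over the route table."""
    addr = ipaddress.ip_address(dst_ip)
    for zone, prefix, iface in pbf_rules:
        if zone == src_zone and addr in ipaddress.ip_network(prefix):
            return INTERFACE_ZONE[iface], "pbf"
    iface = route_lookup(dst_ip)
    if iface is None:
        return None, "no-route"
    return INTERFACE_ZONE[iface], "route"


if __name__ == "__main__":
    for src in ("trust", "guest"):
        print(src, "->", destination_zone(src, "10.20.30.5"))
```

In this model the same destination resolves to different zones for the two source zones only because a PBF rule matches one of them; checking for overlapping PBF rules is the corresponding step on a real firewall.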