Traffic issue on the Palo Alto(zone-to-zone)

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Traffic issue on the Palo Alto(zone-to-zone)

L3 Networker


On our Palo's we have a vsys defined and on this vsys we have 2 zones configured. ...... (say Trust zone and untrust zone.)


We have a server in the trust zone which need to monitor the interface allocated to the untrust zone.

This does not happen i.e. the server is unable to telnet to the untrust interface(to the port we enabled) and hence monitoring fails.


However, the entire network can still do this telnet(i.e. network other than the trust side).


Any suggestions?


We unfortunately do not have packet capture rights to debug this and hence the question.






L5 Sessionator

No packet capture rights... what about the monitor tab?

Help the community! Add tags & mark solutions please.

Cyber Elite
Cyber Elite


Anytime you are going between zones, a security policy is required. Now if monitoring interfaces, you need to configure a interface management profile and apply it to the interface.

The article says restrict access, but you also need to have one to allow access, even ping.





Hi @nson2139 ,

Based on your explanation you are talking about two different traffic flows:

- Inter-zone traffic: is traffic between different zones (when source zone is different from the destination zone). Palo Alto firewall will deny such traffic by default (at the very bottom of your policy you can see the default inter-zone rule). This means that you need to explicitly define a rule that will allow such traffic, no matter if it is targeting the firewall itself or not.

- Intra-zone traffic: is traffic when source and destination zones are exactly the same. And by default Palo Alto firewall is allowing such intra-zone traffic (again you can see the default at the bottom). FW is identifying the source zone by checking on which interface the packet is arrived and the destination zone by checking its routing table to see to which outgoing interface it needs to forward it. 


When users in the "untrust" zone are trying to reach the firewall IP assigned on the "untrust" interface, traffic is received on the untrust interface and destine to the same, which means source and destination zone are the same, therefor the traffic is allowed by the intrazone rule.


While when your server is trying to reach the firewall ip the packet is received on another interface and the source zone is different from the destination, that is why if no specific rule is created to allow this traffic it will match the default interzone rule. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!