I have a security rule to allow ip "A" to ssh to ip "B". I can see the traffic actually hitting the fw but it gets dropped with interzone-default. The test policy match also verifies that it matches the traffic.
IP "B" is actually the firewall. And IP "B" is nated like this: original packet source IP "C", original packet dest ip "A", translated packet source ip "B".
How can this happen? So the traffic hitting the firewall has an explicit allow rule but still missed.
IP "A" is on the other end of the IPSec tunnel and when this traffic comes, it successfully creates a child SA. Routing is also set up for IP "A"