Hi,

due to a bug (ID:80950) that PANW is not able to fix, it is necessary to create separate IPSec-ESP policies for both directions through the PA-7050. IPSec-ESP that comes in response to an opened session is being dropped if there is no separate policy for incoming ESP traffic.

Example:

- Clients are allowed to open IPSec connections from "trust" to "untrust".
- You have to allow ESP also from "untrust" to "trust" for any address an IPSec client might use.

To avoid flooding, etc. from outside, I am searching for solutions to avoid this. Has any PA-7k admin found a valid approach?

Regards
Winfried