I just got off of a Zoom session with PA support. They did some further digging into the session flows via the CLI and came to the conclusion that my packets are coming into the Palo, but the return path is broken on the FortiGate side of things. Since the session is never fully establishing (no ACK), the tunnel inspection is not kicking into gear. That is, the *intent* to inspect is there, but the conversation is one-way. I have already engaged FortiNet support - now it's a waiting game. I will share some information and configuration examples if we can ever sort this out, as I couldn't find a lot of useful documentation on their side. And I know there are many customers out there with Palo's in the main office, and "baby firewalls" at their remote sites.
... View more