Hi, yes, the FW can ping the Server (through the Management Interface, which is on the trusted Zone). All S2S Traffic from on premise to Azure works well; just forced tunneling from Azure to the Internet is stuck. Same as with ping. Capturing the Packets shows the reply doesn't get back to the Server, so no Handshake is established. In the Traffic Log, the request "ages-out". In the Session Browser all looks fine. The "Traverse Tunnel" Flag is set to "true". Maybe I didn't understand you correctly; what do you mean by "how Palo sees this session"?