Network connections that previously succeeded may stop passing through the Palo Alto Networks firewall, and the firewall's UI may offer no readily available evidence to explain what is happening.
Execute the following command to reveal metrics associated with dropped packets.
> show counter global filter severity drop delta yes
This command should be executed at least twice so that the output is relevant to recently seen packets that match the packet filter.
If the output includes the line with a description of "Packets dropped: forwarded to a different zone," then one possibility is that a recently seen packet matches an existing session that was recorded at a time when the firewall's routing was in a different state. For example, suppose entries in the virtual router's forwarding table are normally obtained by OSPF. OSPF stops receiving updates and the firewall switches to using static routes. A default static route specifies ethernet1/1 as the egress interface, and a session is recorded at this time.
After OSPF is restored, the default route now specifies ethernet1/2 as the egress interface and this interface is in a different zone than ethernet1/1. A packet arrives that matches the existing session, which still specifies that the egress interface is ethernet1/1. However, when the packet is processed for forwarding, ethernet1/2 is the egress interface and it is in a different zone, hence the "forwarded to a different zone" status.
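To check a saved copy of the command's output for this condition, the following added example (not part of the original article and not Palo Alto Networks code) parses the counter table and reports the zone-change drop count. The sample output is constructed, and the column layout is an assumption based on the usual format of the global counter table.

```python
import re

# Constructed sample of a second run of
# `show counter global filter severity drop delta yes` (values are invented).
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 12.402 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_rcv_dot1q_tag_err                    14        1 drop      flow      parse     Packets dropped: 802.1q tag not configured
flow_fwd_zonechange                       37        2 drop      flow      forward   Packets dropped: forwarded to different zone
flow_policy_deny                           5        0 drop      flow      session   Session setup: denied by policy
--------------------------------------------------------------------------------
Total counters shown: 3
--------------------------------------------------------------------------------
"""

# name, value, rate, severity, category, aspect, free-text description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)$")
# Match on the description, with or without the article "a".
ZONE_CHANGE = re.compile(r"forwarded to (a )?different zone", re.IGNORECASE)


def parse_counters(text):
    """Return one dict per counter row; headers, rules and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, value, rate, severity, category, aspect, desc = m.groups()
            rows.append({"name": name, "value": int(value), "rate": int(rate),
                         "severity": severity, "category": category,
                         "aspect": aspect, "description": desc.strip()})
    return rows


def zone_change_drops(text):
    """Sum the delta values of drop counters describing a zone-change drop."""
    return sum(r["value"] for r in parse_counters(text)
               if r["severity"] == "drop" and ZONE_CHANGE.search(r["description"]))


if __name__ == "__main__":
    n = zone_change_drops(SAMPLE)
    print(f"zone-change drops since last sample: {n}")
    if n:
        print("Check for sessions recorded before the route change.")
```

A nonzero result on the second or later run means packets were dropped for this reason since the previous sample, which is the case the scenario above describes.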