A second public range is configured on interface e1/2, while the physical host is located on e1/3.
NAT rules are configured from untrust to untrust.
Cause
The server's public IP address is in the same address space as the IP address of another interface on the Palo Alto Networks firewall.
Example:
e1/1, zone untrust, public IP 1.1.1.1/24
e1/2, zone DMZ-Public, IP 2.2.2.2/24
e1/3, zone DMZ-Private, IP 192.168.1.1/24 (server is connected to e1/3, public IP 2.2.2.66/24, private IP 192.168.1.2/24)
The NAT policy is set for "untrust zone to untrust zone".
The firewall sees the ingress traffic's destination IP address (2.2.2.66) as destined for the "DMZ-Public" zone.
This is because a route lookup returns DMZ-Public as the destination zone for 2.2.2.0/24.
However, the policy only allows traffic from "untrust" to "untrust". Because the looked-up destination zone is "DMZ-Public", the traffic does not match the policy and is dropped.
Resolution
Edit the NAT policy.
Change the destination zone to "DMZ-Public". Changing the destination zone from "untrust" to "DMZ-Public" causes the ingress traffic to properly match the source and destination zones, based on route lookups.
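
The zone lookup described above can be reproduced with a simplified model. This is an added example, not Palo Alto Networks code: it derives the destination zone by longest-prefix match on the pre-NAT destination address and checks the NAT rule before and after the fix. The default route via e1/1 and the rule dictionaries are assumptions made for the illustration.

```python
import ipaddress

# Interfaces from the article's example: name -> (zone, interface address).
INTERFACES = {
    "e1/1": ("untrust", "1.1.1.1/24"),
    "e1/2": ("DMZ-Public", "2.2.2.2/24"),
    "e1/3": ("DMZ-Private", "192.168.1.1/24"),
}
# Assumption: a default route out of e1/1 (not stated in the article).
STATIC_ROUTES = [("0.0.0.0/0", "e1/1")]


def build_routes():
    """Connected routes plus static routes as (network, interface) pairs."""
    routes = [(ipaddress.ip_interface(cidr).network, name)
              for name, (_zone, cidr) in INTERFACES.items()]
    routes += [(ipaddress.ip_network(net), name) for net, name in STATIC_ROUTES]
    return routes


def zone_for(dst_ip):
    """Longest-prefix-match route lookup; return the egress interface's zone."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net, name) for net, name in build_routes() if addr in net]
    _net, name = max(matches, key=lambda m: m[0].prefixlen)
    return INTERFACES[name][0]


def nat_rule_matches(rule, ingress_if, dst_ip):
    """Source zone comes from the ingress interface; destination zone comes
    from a route lookup on the original (pre-NAT) destination address."""
    return (INTERFACES[ingress_if][0] == rule["from"]
            and zone_for(dst_ip) == rule["to"]
            and dst_ip == rule["dst"])


# Hypothetical rule representations: the original policy and the corrected one.
BROKEN = {"from": "untrust", "to": "untrust", "dst": "2.2.2.66"}
FIXED = {"from": "untrust", "to": "DMZ-Public", "dst": "2.2.2.66"}

if __name__ == "__main__":
    print("destination zone for 2.2.2.66:", zone_for("2.2.2.66"))
    for label, rule in (("untrust->untrust", BROKEN),
                        ("untrust->DMZ-Public", FIXED)):
        print(label, "matches:", nat_rule_matches(rule, "e1/1", "2.2.2.66"))
```

The same lookup shows why the zone is "DMZ-Public" and not "DMZ-Private": the route lookup runs on 2.2.2.66 before translation, so the server's real location behind e1/3 plays no part in NAT rule matching.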