I recently changed the configuration of my ns5gt to extended to take advantage of the dmz zone. Unfortunately, there is no way to allow traffic from dmz to untrust, even though the exact same rule applies to the trust zone (trust to untrust). All I get is "close - age out" as a reason for the traffic to be blocked on the policy dmz->untrust. This obviously should have nothing to do with protocol timeouts. Did I miss something or are there implicit rules that apply to the dmz zone?
policies
dmz -> untrust permit any (should be narrowed, but it's about troubleshooting) -> doesn't work
trust -> untrust permit any -> ok
trust -> dmz permit any -> ok
and 2 other rules for nat port forwarding (vip::ethernet3) -> ok