Something to keep in mind is when you ping from a Palo Alto firewall via the CLI, it’s going to source the ping from the MGMT interface by default. So a ping might respond back but the app/service/user/etc… still won’t work. You need to use the “source” option in the ping command:
ping source {LOCAL_IP_ADDRESS} host {REMOTE_IP_ADDRESS}
For example, if I want to ping an internal server from the INSIDE interface, would do this:
ping source 10.1.1.1 host 10.100.10.101