Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: Pass multiple subnets through the SSG-20?


Thanks for the confirmation.

Then I suspect, as noted in my first post, this might be a return route situation on the connected routers.  Is the SSG the default route on these three connected devices?

For transit to work on the SSG you need these elements.

1-Route the 2, 3 and 4 subnets with a next hop of the connected router interface

(you have this in place)

2-Policy for the direction of initiated traffic:

enable logging on the policy so you can see if traffic hits the policy

If connections are initiated on the internet to these addresses, it will be from that upstream zone to the zone of the interface with the next-hop of the router.

If connections are outbound, browsing the internet, the zones will be reversed.

3-Return or outgoing route on the connected routers owning the 2, 3 and 4 subnets

These routers need to send either outbound or reply traffic back to the SSG firewall.

If the traffic is only inbound and the routers have a different default route, you have the option of using source NAT on the inbound traffic to the SSG interface address.  This will then allow the downstream routers of the 2, 3 and 4 subnets to return even random internet addresses to the SSG and complete the transactions without adding any routes.
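
As an added example (not the original poster's configuration and not taken from the thread), here is what the three elements above look like as ScreenOS CLI on a hypothetical SSG-20. Every interface, zone, address, policy ID and the downstream router vendor is an assumption; lines beginning with `#` are annotations, not CLI. The check commands at the end are the ones that confirm each element is in place.

```text
# Assumed layout (RFC 5737 / RFC 1918 example space, not the poster's):
#   ethernet0/0  zone Untrust  203.0.113.2/24, ISP gateway 203.0.113.1
#   ethernet0/1  zone Trust    10.1.1.1/24, shared segment with three routers
#   10.2.0.0/24 behind router 10.1.1.2
#   10.3.0.0/24 behind router 10.1.1.3
#   10.4.0.0/24 behind router 10.1.1.4
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone Trust
set interface ethernet0/1 ip 10.1.1.1/24

# 1 - Routes: default toward the ISP, plus each transit subnet with the
#     connected router as next hop on the Trust-side interface.
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1
set route 10.2.0.0/24 interface ethernet0/1 gateway 10.1.1.2
set route 10.3.0.0/24 interface ethernet0/1 gateway 10.1.1.3
set route 10.4.0.0/24 interface ethernet0/1 gateway 10.1.1.4

# Address book entries so the policies can name the subnets.
set address Trust "net-10.2" 10.2.0.0 255.255.255.0
set address Trust "net-10.3" 10.3.0.0 255.255.255.0
set address Trust "net-10.4" 10.4.0.0 255.255.255.0
set group address Trust "transit-nets" add "net-10.2"
set group address Trust "transit-nets" add "net-10.3"
set group address Trust "transit-nets" add "net-10.4"

# 2 - Policy in the direction the connection is initiated, with logging.
#     Inbound from the internet: Untrust -> Trust, i.e. into the zone of
#     the interface that holds the next hop. Outbound browsing: zones
#     reversed; with private addressing the outbound policy also source-NATs
#     to the Untrust interface address (nat src with no DIP pool).
set policy id 10 from Untrust to Trust Any "transit-nets" HTTP permit log
set policy id 11 from Trust to Untrust "transit-nets" Any ANY nat src permit log

# 3 - Return route on each connected router, so reply (or outbound)
#     traffic comes back to the SSG. Shown in Cisco IOS syntax as an
#     assumed vendor; one line on each of the three routers:
#       ip route 0.0.0.0 0.0.0.0 10.1.1.1

# Alternative for inbound-only traffic when the routers keep a different
# default route: source-NAT the inbound traffic to the SSG's egress
# interface address (10.1.1.1). The routers then see a directly connected
# source and reply without any added routes. This replaces policy 10.
unset policy id 10
set policy id 12 from Untrust to Trust Any "transit-nets" HTTP nat src permit log

# Checks
get route ip 10.2.0.25          # should resolve via ethernet0/1, gateway 10.1.1.2
get policy id 12                # confirm zones, addresses and the NAT src flag
get log traffic policy 12       # hits appear here once the policy has log set
get session                     # live sessions, translated source visible
```

If `get log traffic policy` stays empty while clients report failures, the traffic is not reaching that policy at all (wrong zone pair or a route lookup landing elsewhere); if sessions appear but never complete, the return path on the downstream routers (element 3) is the usual culprit.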
