One tiny additional question:
tunnel.1, tunnel.2 and loopback.1 are in the DMZ zone
bgroup0 is in the Trust zone
Two policies allow traffic from Trust to DMZ and vice versa.
I was able to ping from my site to the partner but not from them to me. After enabling debugging, I saw that the device searched for a rule to allow traffic from zone 3 (DMZ) to zone 10 (Global). After adding such a rule it worked.
Why is that rule required?