I think I have expressed myself wrong.
The concept of zones and policies is clear. What I mean:
If I send data from my site to the partner, they arrive on the bgroup0 (zone Trust) and go to the tunnel (zone DMZ). A policy allows that. That works.
If the partner sends data, they arrive at the tunnel (zone DMZ) and go to the bgroup0 (zone Trust). A policy allows that, but it does not work! I had to create a rule for all traffic from DMZ to zone "Global".
I don't understand why that rule (DMZ -> Global) is required.