Configure Tunnel Content Inspection
Perform this task to configure tunnel content
inspection for a tunnel protocol that you allow through a tunnel.
- Create a Security policy rule to allow packets that use a specific application (such as the GRE application) through the tunnel from the source zone to the destination zone.
The firewall can create tunnel inspection logs at the start of a session, at the end of a session, or both. When you specify Actions for the Security policy rule, select Log at Session Start for long-lived tunnel sessions, such as GRE sessions.
- Create a tunnel inspection policy rule.
- Select Policies > Tunnel Inspection and Add a policy rule.
- On the General tab, enter a tunnel inspection policy rule Name, beginning with an alphanumeric character and containing zero or more alphanumeric, underscore, hyphen, period, and space characters.
- (Optional) Enter a Description.
- (Optional) For reporting and logging purposes, specify a Tag that identifies the packets that are subject to the Tunnel Inspection policy rule.
- Specify the criteria that determine
the source of packets to which the tunnel inspection policy rule
applies.
- Select the Source tab.
- Add a Source Zone from the list of zones (default is Any).
- (Optional) Add a Source Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (default is Any).
- (Optional) Select Negate to choose any addresses except those you specify.
- (Optional) Add a Source User (default is any). Known-user is a user who has authenticated; an Unknown user has not authenticated.
- Specify the criteria that determine
the destination of packets to which the tunnel inspection policy
rule applies.
- Select the Destination tab.
- Add a Destination Zone from the list of zones (default is Any).
- (Optional) Add a Destination Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (default is Any). You can also configure a new address or address group.
- (Optional) Select Negate to choose any addresses except those you specify.
- Specify the tunnel protocols that the firewall will inspect
for this rule.
- Select the Inspection tab.
- Add one or more tunnel Protocols that
you want the firewall to inspect:
- GRE—Firewall inspects packets that use Generic Route Encapsulation (GRE) in the tunnel.
- GTP-U—Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel.
- Non-encrypted IPSec—Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
- VXLAN—Firewall inspects packets that use the Virtual Extensible Local Area Network (VXLAN) tunneling protocol in the tunnel.
- Specify how many levels of encapsulation the firewall
inspects and the conditions under which the firewall drops a packet.
- Select Inspect Options.
- Select the Maximum Tunnel Inspection Levels that
the firewall will inspect:
- One Level (default)—Firewall inspects content that is in the outer tunnel only. For VXLAN, the firewall inspects a VXLAN payload to find the encapsulated content or applications within the tunnel. You must select One Level because VXLAN inspection only occurs on the outer tunnel.
- Two Levels (Tunnel In Tunnel)—Firewall inspects content that is in the outer tunnel and content that is in the inner tunnel.
- Select any, all, or none of the following to specify
whether the firewall drops a packet under each condition:
- Drop packet if over maximum tunnel inspection level—Firewall drops a packet that contains more levels of encapsulation than are configured for Maximum Tunnel Inspection Levels.
- Drop packet if tunnel protocol fails strict header check—Firewall drops a packet that contains a tunnel protocol that uses a header that is non-compliant with the RFC for the protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890. If your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890, you should not enable the option to Drop packet if tunnel protocol fails strict header check.
- Drop packet if unknown protocol inside tunnel—Firewall drops a packet that contains a protocol inside the tunnel that the firewall can’t identify. For example, if this option is selected, the firewall drops encrypted IPSec packets that match the tunnel inspection policy rule because the firewall can’t read them. Thus, you can allow IPSec packets in the Security policy rule, and the firewall will allow only null-encrypted IPSec and AH IPSec packets through the tunnel inspection rule.
- Return scanned VXLAN tunnel to source—When traffic is redirected (steered) to the firewall, VXLAN encapsulates the packet. Traffic steering is most common in public cloud environments. Enable Return scanned VXLAN tunnel to source to return the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP). This option is only supported on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN.
- Click OK.
- Manage tunnel inspection policy rules. Use the following to manage tunnel inspection policy rules:
- (Filter field)—Displays only the tunnel policy rules named in the filter field.
- Delete—Removes selected tunnel policy rules.
- Clone—An alternative to the Add button; duplicates the selected rule with a new name, which you can then revise.
- Enable—Enables the selected tunnel policy rules.
- Disable—Disables the selected tunnel policy rules.
- Move—Moves the selected tunnel policy rules up or down in the list; packets are evaluated against the rules in order from the top down.
- Highlight Unused Rules—Highlights tunnel policy rules that no packets have matched since the last time the firewall was restarted.
- (Optional) Create a tunnel source zone and tunnel destination zone for tunnel content and configure a Security policy rule for each zone.
The best practice is to create tunnel zones for your tunnel traffic. That way, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol). Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall to do tunnel inspection in software; tunnel inspection is not offloaded to hardware.
- If you want tunnel content to be subject to Security policy rules that are different from the Security policy rules for the zone of the outer tunnel (configured earlier), select Network > Zones and Add a Name for the Tunnel Source Zone.
- For Location, select the virtual system.
- For Type, select Tunnel.
- Click OK.
- Repeat these substeps to create the Tunnel Destination Zone.
- Configure a Security policy rule for the Tunnel Source Zone.
Because you might not know the originator of the tunnel traffic or the direction of the traffic flow and you don’t want to inadvertently prohibit traffic for an application through the tunnel, specify both tunnel zones as the Source Zone and both tunnel zones as the Destination Zone in your Security policy rule, or select Any for both the source and destination zones; then specify the Applications.
- Configure a Security policy rule for the Tunnel Destination Zone. The tip in the previous step for configuring a Security policy rule for the Tunnel Source Zone applies to the Tunnel Destination Zone, as well.
- (Optional) Specify the Tunnel Source Zone and
Tunnel Destination Zone for the inner content.
- Specify the Tunnel Source Zone and Tunnel Destination Zone (that you just added) for the inner content. Select Policies > Tunnel Inspection and on the General tab, select the Name of the tunnel inspection policy rule you created.
- Select Inspection.
- Select Security Options.
- Enable Security Options (disabled by default) to cause the inner content source to belong to the Tunnel Source Zone you specify and to cause the inner content destination to belong to the Tunnel Destination Zone you specify.
If you don’t Enable Security Options, the inner content source belongs to the same source zone as the outer tunnel source and the inner content destination belongs to the same destination zone as the outer tunnel destination, which means they are subject to the same Security policy rules that apply to those outer zones.
- For Tunnel Source Zone, select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel source zone. Otherwise, by default, the inner content will use the same source zone that is used in the outer tunnel and the policies of the outer tunnel source zone apply to the inner content source zone, as well.
- For Tunnel Destination Zone, select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel destination zone. Otherwise, by default, the inner content will use the same destination zone that is used in the outer tunnel and the policies of the outer tunnel destination zone apply to the inner content destination zone, as well.
If you configure a Tunnel Source Zone and Tunnel Destination Zone for the tunnel inspection policy rule, you should configure a specific Source Zone (in Step 3) and a specific Destination Zone (in Step 4) in the match criteria of the tunnel inspection policy rule, instead of specifying a Source Zone of Any and a Destination Zone of Any. This ensures that the direction of zone reassignment corresponds to the parent zones.
On a PA-5200 Series or PA-7080 firewall, if you use a multicast underlay while inspecting VXLAN, the inner session is duplicated on multiple dataplanes and a race condition can occur. To avoid dropping some packets, the following requirements apply:
- You must configure a separate tunnel content inspection rule to match outer VXLAN packets going to each VXLAN tunnel endpoint (VTEP).
- In the separate rule, you assign a tunnel zone. Using a different tunnel zone would make the inner session different for each endpoint. The race condition would not happen, and no packet drop would be seen.
- Click OK.
- Set monitoring options for traffic that matches a tunnel
inspection policy rule.
- Select Policies > Tunnel Inspection and select the tunnel inspection policy rule you created.
- Select Inspection > Monitor Options.
- Enter a Monitor Name to group similar traffic together for purposes of logging and reporting.
- Enter a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
This field does not apply to the VXLAN protocol. VXLAN logs automatically use the VNI ID from the VXLAN header. If you tag tunnel traffic, you can later filter on the Monitor Tag in the tunnel inspection log and use the ACC to view tunnel activity based on Monitor Tag.
- Override Security Rule Log Setting to enable logging and log forwarding options for sessions that meet the selected tunnel inspection policy rule. If you don’t select this setting, tunnel log generation and log forwarding are determined by the log settings for the Security policy rule that applies to the tunnel traffic. You can override log forwarding settings in Security policy rules that control traffic logs by configuring tunnel inspection log settings to store tunnel logs separately from traffic logs. The tunnel inspection logs store the outer tunnel (GRE, non-encrypted IPSec, VXLAN, or GTP-U) sessions and the traffic logs store the inner traffic flows.
- Select Log at Session Start to log traffic at the start of a session.
The best practice for Tunnel logs is to log both at session start and session end because tunnels can stay up for long periods of time. For example, GRE tunnels can come up when the router boots and never terminate until the router is rebooted. If you don’t log at session start, you will never see in the ACC that there is an active GRE tunnel.
- Select Log at Session End to log traffic at the end of a session.
- Select a Log Forwarding profile that determines where the firewall forwards tunnel logs for sessions that meet the tunnel inspection rule. Alternatively, you can create a new Log Forwarding profile if you Configure Log Forwarding.
- Click OK.
- (Optional, VXLAN Only) Configure a VXLAN
ID (VNI). By default, all VXLAN network interfaces (VNIs) are
inspected. If you configure one or more VXLAN IDs, the policy inspects
only those VNIs. Only the VXLAN protocol uses the Tunnel ID tab to specify the VNI.
- Select the Tunnel ID tab and click Add.
- Assign a Name. The name is a convenience, and is not a factor in logging, monitoring, or reporting.
- In the VXLAN ID (VNI) field, enter a single VNI, a comma-separated list of VNIs, a range of VNIs (with a hyphen as the separator), or a combination of these. For example, you can specify: 1677002,1677003,1677011-1677038,1024
- (Optional) If you enabled Rematch Sessions (Device > Setup > Session), ensure the firewall doesn’t drop existing sessions when you create or revise a tunnel inspection policy by disabling Reject Non-SYN TCP for the zones that control your tunnel Security policy rules.
The firewall displays the following warning when you:
- Create a tunnel inspection policy rule.
- Edit a tunnel inspection policy rule by adding a Protocol or by increasing the Maximum Tunnel Inspection Levels from One Level to Two Levels.
- Enable Security Options in the Security Options tab by either adding new zones or changing one zone to another zone.
Warning: Enabling tunnel inspection policies on existing tunnel sessions will cause existing TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure existing sessions are not dropped when the tunnel inspection policy is enabled, set the Reject Non-SYN TCP setting for the zone(s) to no using a Zone Protection profile and apply it to the zones that control the tunnel’s security policies. Once the existing sessions have been recognized by the firewall, you can re-enable the Reject Non-SYN TCP setting by setting it to yes or global.
- Select Network > Network Profiles > Zone Protection and Add a profile.
- Enter a Name for the profile.
- Select Packet Based Attack Protection > TCP Drop.
- For Reject Non-SYN TCP, select no.
- Click OK.
- Select Network > Zones and select the zone that controls your tunnel Security policy rules.
- For Zone Protection Profile, select the Zone Protection profile you just created.
- Click OK.
- Repeat the previous three substeps (12.f, 12.g, and 12.h) to apply the Zone Protection profile to additional zones that control your tunnel Security policy rules.
- After the firewall has recognized the existing sessions, you can re-enable Reject Non-SYN TCP by setting it to yes or global.
- (Optional) Limit fragmentation of traffic in
a tunnel.
- Select Network > Network Profiles > Zone Protection and Add a profile by Name.
- Enter a Description.
- Select Packet Based Attack Protection > IP Drop > Fragmented traffic.
- Click OK.
- Select Network > Zones and select the tunnel zone where you want to limit fragmentation.
- For Zone Protection Profile, select the profile you just created to apply the Zone Protection profile to the tunnel zone.
- Click OK.
- Commit your changes.
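The Inspect Options step above names two checks whose effect is easy to misjudge: the strict GRE header check against RFC 2890 and the Maximum Tunnel Inspection Levels limit. The following added example (illustrative Python, not PAN-OS code) models both on constructed GRE-in-IPv4 packets, including a GRE-in-GRE packet and a pre-RFC 2890 header with the old routing bit set, so you can see which option would drop which packet. The packet builders, the `evaluate` function and its result strings are assumptions for this model.

```python
import struct

# First 16-bit GRE word (RFC 2890): C | reserved | K | S | Reserved0 (bits 4-12) | Ver.
# Reserved bits and Ver must be zero; RFC 1701 put routing flags in those bits.
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000
GRE_RESERVED0 = 0x4FF8
GRE_VERSION = 0x0007
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def inet_checksum(data: bytes) -> int:
    """Ones-complement checksum over 16-bit words (RFC 1071); 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_header_len(flags: int) -> int:
    """Base 4 bytes plus 4 each for the optional checksum, key and sequence."""
    return 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)


def gre_strict_check(gre: bytes) -> tuple:
    """Return (ok, reason); ok is False when the header violates RFC 2890."""
    if len(gre) < 4:
        return False, "truncated GRE header"
    flags, _proto = struct.unpack("!HH", gre[:4])
    if flags & GRE_VERSION:
        return False, "GRE version is not 0"
    if flags & GRE_RESERVED0:
        return False, "reserved bits set (e.g. RFC 1701 routing flags)"
    if len(gre) < gre_header_len(flags):
        return False, "header shorter than its C/K/S flags require"
    # With C set the checksum covers header and payload (RFC 2784); summing the
    # whole thing with the checksum field in place must give zero.
    if flags & GRE_C and inet_checksum(gre) != 0:
        return False, "GRE checksum mismatch"
    return True, "ok"


def evaluate(packet: bytes, max_levels: int = 1, strict: bool = True,
             drop_over_max: bool = True) -> str:
    """Apply the rule's Inspect Options to an IPv4 packet (model, not PAN-OS).
    Walks GRE-in-IPv4 nesting only; returns 'inspect' or a 'drop: ...' reason."""
    levels = 0
    while len(packet) >= 20 and packet[0] >> 4 == 4 and packet[9] == IPPROTO_GRE:
        gre = packet[(packet[0] & 0x0F) * 4:]        # skip IPv4 header (IHL words)
        levels += 1
        if levels > max_levels:
            if drop_over_max:
                return "drop: over maximum tunnel inspection level"
            break                                     # deeper content passes uninspected
        ok, why = gre_strict_check(gre)
        if not ok:
            if strict:
                return "drop: strict header check failed (%s)" % why
            break                                     # cannot parse further
        flags, proto = struct.unpack("!HH", gre[:4])
        if proto != ETHERTYPE_IPV4:
            break                                     # non-IPv4 payload: stop walking
        packet = gre[gre_header_len(flags):]
    return "inspect" if levels else "no tunnel: rule does not match"


# --- constructed sample packets (not captures) ----------------------------
def ipv4(payload: bytes, proto: int) -> bytes:
    """Minimal IPv4 header, no options; IP checksum left zero for brevity."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def gre(payload: bytes, flags: int = 0, key: int = 0, seq: int = 0,
        proto: int = ETHERTYPE_IPV4) -> bytes:
    """GRE header honouring C/K/S, with a correct checksum when C is set."""
    hdr = struct.pack("!HH", flags, proto)
    hdr += b"\x00" * 4 if flags & GRE_C else b""      # checksum + Reserved1
    hdr += struct.pack("!I", key) if flags & GRE_K else b""
    hdr += struct.pack("!I", seq) if flags & GRE_S else b""
    if flags & GRE_C:
        hdr = hdr[:4] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[6:]
    return hdr + payload


INNER = ipv4(b"inner TCP segment bytes", proto=6)
GOOD = ipv4(gre(INNER, flags=GRE_C | GRE_K, key=42), IPPROTO_GRE)   # one level
NESTED = ipv4(gre(ipv4(gre(INNER), IPPROTO_GRE)), IPPROTO_GRE)    # GRE in GRE
LEGACY = ipv4(gre(INNER, flags=0x4000), IPPROTO_GRE)              # RFC 1701 R bit
```

With the defaults (One Level, strict check on), GOOD is inspected, NESTED is dropped for exceeding the level limit, and LEGACY is dropped by the strict check; raising the limit to two levels or clearing the strict option lets those through, which is the trade-off the page describes for older GRE peers.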
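The Tunnel ID step above accepts a VXLAN ID (VNI) field mixing single values, comma-separated lists and hyphenated ranges, and notes that VXLAN logs take their VNI from the VXLAN header. This added example (illustrative Python, not PAN-OS code) parses that field format, pulls the VNI out of a VXLAN header, and decides whether a rule inspects the packet, treating an unconfigured Tunnel ID as "inspect all VNIs" as the page states. The validation bounds (0 to 16777215, the 24-bit VNI field of RFC 7348) and the function names are assumptions of this model.

```python
from typing import List, Optional, Tuple

VNI_MAX = (1 << 24) - 1      # VNI is a 24-bit field (RFC 7348); bound is an assumption
VXLAN_I_FLAG = 0x08          # "VNI present" flag in the first VXLAN header byte


def parse_vni_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn '1677002,1677011-1677038,1024' into inclusive (low, high) ranges.

    Accepts single VNIs, hyphenated ranges and comma-separated mixes, as the
    field does; rejects empty entries, reversed ranges and values over 24 bits."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in VNI list")
        low, sep, high = item.partition("-")
        lo = int(low)
        hi = int(high) if sep else lo
        if not 0 <= lo <= hi <= VNI_MAX:
            raise ValueError("invalid VNI entry %r" % item)
        ranges.append((lo, hi))
    return ranges


def vxlan_vni(header: bytes) -> Optional[int]:
    """Extract the VNI from an 8-byte VXLAN header, or None if malformed.
    This is the same field the tunnel inspection log reports as the VNI ID."""
    if len(header) < 8 or not header[0] & VXLAN_I_FLAG:
        return None
    return int.from_bytes(header[4:7], "big")      # bytes 4-6; byte 7 is reserved


def rule_inspects(header: bytes, spec: Optional[str] = None) -> bool:
    """True when the rule inspects this VXLAN packet.  With no Tunnel ID
    configured (spec is None) every VNI is inspected."""
    vni = vxlan_vni(header)
    if vni is None:
        return False
    if spec is None:
        return True
    return any(lo <= vni <= hi for lo, hi in parse_vni_spec(spec))


def vxlan_header(vni: int) -> bytes:
    """Constructed sample header: I flag set, all reserved fields zero."""
    return bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


PAGE_SPEC = "1677002,1677003,1677011-1677038,1024"   # the page's own example value
```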