Building Blocks in a Tunnel Inspection Policy
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Building Blocks in a Tunnel Inspection Policy
Select PoliciesTunnel Inspection to add a
Tunnel Inspection policy rule. You can use the firewall to inspect
content of cleartext tunnel protocols (GRE, GTP-U, non-encrypted
IPSec, and VXLAN) and leverage tunnel content inspection to enforce
Security, DoS Protection, and QoS policies on traffic in these types
of tunnels. All firewall models support tunnel content inspection of GRE and non-encrypted
IPSec tunnels, but only firewalls that support GTP support tunnel
content inspection of GTP-U tunnels. The following table describes
the fields you configure for a Tunnel Inspection policy.
Building Blocks in
a Tunnel Inspection Policy | Configured In | Description |
|---|---|---|
Name | General | Enter a name for the Tunnel Inspection policy beginning
with an alphanumeric character and containing zero or more alphanumeric,
underscore, hyphen, period, or space characters. |
Description | (Optional) Enter a description
for the Tunnel Inspection policy. | |
Tags | (Optional) Enter one or more tags
for reporting and logging purposes that identify the packets that
are subject to the Tunnel Inspection policy. | |
Group Rules by Tag | Enter a tag with which to group
similar policy rules. The group tag allows you to view your policy
rule base based on these tags. You can group rules based on a Tag. | |
Audit Comment | Enter a comment to audit the
creation or editing of the policy rule. The audit comment is case-sensitive and
can have up to 256 characters, which can be letters, numbers, spaces,
hyphens, and underscores. | |
Audit Comment Archive | View previous Audit Comments for
the policy rule. You can export the Audit Comment Archive in CSV format. | |
Source Zone | Source | Add one or more source
zones of packets to which the Tunnel Inspection policy applies (default
is Any). |
Source Address | (Optional) Add source
IPv4 or IPv6 addresses, address groups, or Geo Region address objects
of packets to which the Tunnel Inspection policy applies (default
is Any). | |
Source User | (Optional) Add source
users of packets to which the Tunnel Inspection policy applies (default
is any). | |
Negate | (Optional) Select Negate to
choose any addresses except those specified. | |
Destination Zone | Destination | Add one or more destination
zones of packets to which the Tunnel Inspection policy applies (default
is Any). |
Destination Address | (Optional) Add destination
IPv4 or IPv6 addresses, address groups, or Geo Region address objects
of packets to which the Tunnel Inspection policy applies (default
is Any). | |
Negate | (Optional) Select Negate to
choose any addresses except those specified. | |
Tunnel Protocol | Inspection | Add one or more tunnel Protocols that
you want the firewall to inspect:
To
remove a protocol from your list, select the protocol and Delete it. |
Maximum Tunnel Inspection Levels | InspectionInspect Options | Specify whether the firewall will inspect One
Level (default) or Two Levels (Tunnel In
Tunnel) of encapsulation. For VXLAN, select One
Level, as inspection only occurs on the outer layer. |
Drop packet if over maximum tunnel inspection
level | (Optional) Drop packets that contain
more levels of encapsulation than you specified for Maximum Tunnel Inspection
Levels. | |
Drop packet if tunnel protocol fails strict
header check | (Optional) Drop packets that contain
a tunnel protocol that uses a header that is non-compliant with
the RFC for that protocol. Non-compliant headers indicate suspicious
packets. This option causes the firewall to verify GRE headers against
RFC 2890. Do not enable this option if your firewall
is tunneling GRE with a device that implements a version of GRE
older than RFC 2890. | |
Drop packet if unknown protocol inside tunnel | (Optional) Drop packets that contain
a protocol inside the tunnel that the firewall cannot identify. | |
| Return Scanned VXLAN Tunnel to Source | (Optional) Enable this option to
return the traffic to the originating VXLAN tunnel endpoint (VTEP).
For example, use this option to return the encapsulated packet to
the source VTEP. Supported only on Layer 3, Layer 3 subinterface,
aggregate-interface Layer 3, and VLAN. | |
Enable Security Options | InspectionSecurity Options | (Optional) Enable Security
Options to assign security zones for separate Security
policy treatment of tunnel content. The inner content source will belong
to the Tunnel Source Zone you specify and the
inner content destination will belong to the Tunnel Destination
Zone you specify. If you do not Enable
Security Options, by default the inner content source
belongs to the same zone as the outer tunnel source, and the inner
content destination belongs to the same zone as the outer tunnel
destination. Therefore, both the inner content source and destination
are subject to the same Security policies that apply to the source
and destination zones of the outer tunnel. |
Tunnel Source Zone | If you Enable Security Options,
select a tunnel zone that you created, and the inner content will
use this source zone for the purpose of policy enforcement. Otherwise,
by default the inner content source belongs to the same zone as
the outer tunnel source, and the policies of the outer tunnel source
zone apply to the inner content source zone also. | |
Tunnel Destination Zone | If you Enable Security Options,
select a tunnel zone that you created, and the inner content will
use this destination zone for the purpose of policy enforcement. Otherwise,
by default the inner content destination belongs to the same zone
as the outer tunnel destination, and the policies of the outer tunnel destination
zone apply to the inner content destination zone also. | |
Monitor Name | InspectionMonitor Options | (Optional) Enter a monitor name
to group similar traffic together for monitoring the traffic in
logs and reports. |
Monitor Tag (number) | (Optional) Enter a monitor tag
number that can group similar traffic together for logging and reporting (range
is 1 to 16,777,215). The tag number is globally defined. This
field does not apply to the VXLAN protocol. VXLAN logs automatically
use the VXLAN Network Identifier (VNI) from the VXLAN header. | |
Log at Session Start | (Optional) Select this option to
generate a log at the start of a cleartext tunnel session that matches
the Tunnel Inspection policy. This setting overrides the Log at
Session Start setting in the Security Policy rule that applies to
the session. Tunnel logs are stored separately from traffic
logs. The information with the outer tunnel session (GRE, non-encrypted
IPSec, or GTP-U) is stored in the Tunnel logs and the inner traffic
flows are stored in the Traffic logs. This separation allows you
to easily report on tunnel activity (as opposed to inner content activity)
with the ACC and reporting features. The
best practice for Tunnel logs is to Log at Session Start and Log
at Session End because, for logging, tunnels can be very long-lived.
For example, GRE tunnels can come up when the router boots and never
terminate until the router is rebooted. If you don’t select Log
at Session Start, you will never see that there is an active GRE
tunnel in the ACC. | |
Log at Session End | (Optional) Select this option to
capture a log at the end of a cleartext tunnel session that matches
the Tunnel Inspection policy. This setting overrides the Log at
Session End setting in the Security Policy rule that applies to
the session. | |
Log Forwarding | (Optional) Select a Log Forwarding
profile from the drop-down to specify where to forward tunnel inspection
logs. (This setting is separate from the Log Forwarding setting
in a Security policy rule, which applies to traffic logs.) | |
| Name | Tunnel ID By
default, if you do not configure a VXLAN ID, all traffic is
inspected. If you configure a VXLAN ID you can use it as a matching
criteria to restrict traffic inspection to specific VNIs. | (Optional) A name beginning with
an alphanumeric character and containing zero or more alphanumeric, underscore,
hyphen, period, and space characters. The Name describes
the VNIs you are grouping. The name is a convenience, and is not
a factor in logging, monitoring, or reporting. |
| VXLAN ID (VNI) | (Optional) Enter a single VNI,
a comma-separated list of VNIs, a range of up to 16 million VNIs
(with a hyphen as the separator), or a combination of these. For
example: 1-54,1024,1677011-1677038,94The
maximum VXLAN IDs per policy is 4,096. To preserve configuration
memory, use ranges where possible. | |
Any (target all devices) Panorama
only | Target | Enable (check) to push the policy rule to
all managed firewalls in the device group. |
Devices Panorama only | Select one or more managed firewalls associated
with the device group to push the policy rule to. | |
Tags Panorama only | Add one or more tags
to push the policy rule to managed firewalls in the device group
with the specified tag. | |
Target to all but these specified devices
and tags Panorama only | Enable (check) to push the policy rule to
all managed firewalls associated with the device group except for the
selected device(s) and tag(s). |