Tunnel Inspection Logs
Focus
Focus

Tunnel Inspection Logs

Table of Contents

Tunnel Inspection Logs

Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries of non-encrypted tunnel sessions. To prevent double counting, the firewall saves only the inner flows in traffic logs, and sends tunnel sessions to the tunnel inspection logs. The tunnel inspection log entries include Receive Time (date and time the log was received), the tunnel ID, monitor tag, session ID, the Security rule applied to the tunnel session, number of bytes in the session, parent session ID (session ID for the tunnel session), source address, source user and source zone, destination address, destination user, and destination zone.
When the Decryption logs introduced in PAN-OS 10.1 are enabled, the firewall sends HTTP/2 logs as Tunnel Inspection logs (when Decryption logs are disabled, HTTP/2 logs are sent as Traffic logs), so you need to check the Tunnel Inspection logs instead of the Traffic logs for HTTP/2 events. In this case, you must also enable Tunnel Content Inspection to obtain the App-ID for HTTP/2 traffic.
Click the Detailed Log view to see details for an entry, such as the tunnel protocol used, and the flag indicating whether the tunnel content was inspected or not. Only a session that has a parent session will have the Tunnel Inspected flag set, which means the session is in a tunnel-in-tunnel (two levels of encapsulation). The first outer header of a tunnel will not have the Tunnel Inspected flag set.