Tunnel Content Inspection
The firewall can inspect the traffic content of cleartext
tunnel protocols without terminating the tunnel.
Tunnel content inspection is for cleartext tunnels, not
for VPN or LSVPN tunnels, which carry encrypted traffic.
You can use tunnel content inspection to enforce Security, DoS
Protection, and QoS policies on traffic in these types of tunnels
and traffic nested within another cleartext tunnel (for example,
a Null Encrypted IPSec tunnel inside a GRE tunnel). You can view
tunnel inspection logs and tunnel activity in the ACC (Application
Command Center) to verify that tunneled traffic complies with your
corporate security and usage policies.
All firewall models support tunnel content inspection for GRE,
non-encrypted IPSec, and VXLAN protocols. Only
firewalls that support GTP security support
GTP-U tunnel content inspection; see PAN-OS Releases by Model
that Support GTP and SCTP Security in the
Compatibility Matrix.
By default, supported firewalls perform tunnel acceleration to
improve performance and throughput for traffic going through GRE
tunnels, VXLAN tunnels, and GTP-U tunnels. Tunnel acceleration provides
hardware offloading to reduce the time it takes to perform flow
lookups and allows the tunnel traffic to be distributed more efficiently
based on the inner traffic. However, you can
Disable Tunnel Acceleration to troubleshoot.
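To make concrete what "inspecting without terminating" and "distributing based on the inner traffic" involve, here is an added Python illustration (not PAN-OS code or configuration) that reads through nested cleartext GRE and VXLAN headers and returns the inner flow that policy or a flow-hash would be applied to, while leaving the outer packet untouched. The packet it parses is a constructed sample (VXLAN inside keyed GRE, rather than the ESP-NULL-in-GRE case, since ESP trailer layout depends on the SA), and the `ipv4`/`sample_nested_packet` helpers are hypothetical builders for that sample.

```python
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, VXLAN_PORT, ETHERTYPE_IPV4 = 6, 17, 47, 4789, 0x0800

def parse_ipv4(buf):
    """Return (proto, src, dst, header_len) from an IPv4 header."""
    ver_ihl, proto, src, dst = struct.unpack_from("!B8xB2x4s4s", buf, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return proto, inet_ntoa(src), inet_ntoa(dst), (ver_ihl & 0xF) * 4

def decapsulate(pkt, max_depth=4):
    """Peel cleartext GRE/VXLAN layers by reading headers only (the tunnel is never terminated); return (layer names, inner (proto, src, dst))."""
    layers = []
    for _ in range(max_depth):
        proto, src, dst, hlen = parse_ipv4(pkt)
        payload = pkt[hlen:]
        if proto == IPPROTO_GRE:                       # RFC 2784/2890 GRE header
            flags, ethertype = struct.unpack_from("!HH", payload, 0)
            off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            if ethertype != ETHERTYPE_IPV4:
                raise ValueError("only IPv4-in-GRE handled here")
            layers.append("GRE")
            pkt = payload[off:]
        elif proto == IPPROTO_UDP and struct.unpack_from("!H", payload, 2)[0] == VXLAN_PORT:
            vni = int.from_bytes(payload[12:15], "big")   # VNI sits in the 8-byte VXLAN header after UDP
            eth = payload[16:]                             # inner Ethernet frame
            if struct.unpack_from("!H", eth, 12)[0] != ETHERTYPE_IPV4:
                raise ValueError("only IPv4 inside VXLAN handled here")
            layers.append(f"VXLAN vni={vni}")
            pkt = eth[14:]
        else:
            return layers, (proto, src, dst)
    raise ValueError("tunnel nesting deeper than max_depth")

def ipv4(proto, src, dst, payload):  # constructed IPv4 header for the sample, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       inet_aton(src), inet_aton(dst)) + payload

def sample_nested_packet():
    """Constructed sample: TCP/443 flow inside VXLAN (VNI 5000) inside keyed GRE."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4(IPPROTO_TCP, "172.16.0.5", "172.16.0.9", tcp)
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4) + inner
    vxlan = struct.pack("!BxxxI", 0x08, 5000 << 8) + eth
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    mid = ipv4(IPPROTO_UDP, "192.168.1.1", "192.168.1.2", udp)
    gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 42) + mid   # key flag set, key 42
    return ipv4(IPPROTO_GRE, "10.0.0.1", "10.0.0.2", gre)
```

Calling `decapsulate(sample_nested_packet())` yields the two tunnel layers plus the inner TCP 5-tuple endpoints, which is the information a Security or QoS rule, or a flow-distribution hash, would key on.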