Tunnel Inspection Logs
Tunnel inspection logs are like traffic logs for tunnel
sessions; they display entries of non-encrypted tunnel sessions.
To prevent double counting, the firewall saves only the inner flows
in traffic logs, and sends tunnel sessions to the tunnel inspection
logs. The tunnel inspection log entries include Receive Time (date
and time the log was received), the tunnel ID, monitor tag, session
ID, the Security rule applied to the tunnel session, number of bytes in
the session, parent session ID (session ID for the tunnel session),
source address, source user and source zone, destination address,
destination user, and destination zone.
When the Decryption logs introduced in PAN-OS 11.1 are
enabled, the firewall sends HTTP/2 logs as Tunnel Inspection logs;
when Decryption logs are disabled, HTTP/2 logs are sent as Traffic
logs. With Decryption logs enabled, check the Tunnel Inspection logs
instead of the Traffic logs for HTTP/2 events. In this case, you must
also enable Tunnel Content Inspection to obtain the App-ID for
HTTP/2 traffic.
Click the Detailed Log view to see details for an entry, such
as the tunnel protocol used, and the flag indicating whether the
tunnel content was inspected or not. Only a session that has a parent
session will have the Tunnel Inspected flag set, which means the
session is in a tunnel-in-tunnel (two levels of encapsulation).
The first outer header of a tunnel will not have the Tunnel Inspected
flag set.
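
The following added example (not Palo Alto Networks code) applies the parent session and Tunnel Inspected rules above to tunnel inspection log entries, grouping nested sessions under their outer tunnel and reporting entries that break the rule. The entries are constructed, the key names are hypothetical rather than PAN-OS export column names, and a parent session ID of 0 is assumed to mean "no parent session".

```python
# Constructed sample entries. Key names are hypothetical, not PAN-OS column names.
# Assumption: parent_session_id == 0 means the session has no parent session.
SAMPLE_ENTRIES = [
    {"session_id": 1001, "parent_session_id": 0,    "tunnel_protocol": "GRE",   "tunnel_inspected": False},
    {"session_id": 1002, "parent_session_id": 1001, "tunnel_protocol": "VXLAN", "tunnel_inspected": True},
    # Flag set without a parent session: contradicts the rule described above.
    {"session_id": 2001, "parent_session_id": 0,    "tunnel_protocol": "GTP-U", "tunnel_inspected": True},
    # Parent session 3001 is not part of this export.
    {"session_id": 3002, "parent_session_id": 3001, "tunnel_protocol": "GRE",   "tunnel_inspected": True},
]


def classify(entry):
    """Return 'outer', 'nested' or 'inconsistent' for one log entry."""
    has_parent = bool(entry["parent_session_id"])
    if entry["tunnel_inspected"] and not has_parent:
        # Only a session with a parent session may carry the flag.
        return "inconsistent"
    return "nested" if has_parent else "outer"


def review(entries):
    """Map each session ID to its status, its nested children and parent visibility."""
    known = {e["session_id"] for e in entries}
    report = {
        e["session_id"]: {
            "status": classify(e),
            "children": [],
            # True when the entry names a parent that the export does not contain.
            "parent_missing": bool(e["parent_session_id"])
            and e["parent_session_id"] not in known,
        }
        for e in entries
    }
    # Attach every nested session to the tunnel session that carries it.
    for e in entries:
        parent = e["parent_session_id"]
        if parent in report:
            report[parent]["children"].append(e["session_id"])
    return report


if __name__ == "__main__":
    for session_id, result in review(SAMPLE_ENTRIES).items():
        print(session_id, result)
```

An entry reported with a missing parent usually means the export's time range or filter cut off the outer tunnel session, so widen the query before treating it as an anomaly.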