General Packet Radio Service (GPRS) Tunneling Protocol for
User Data (GTP-U)
You can use tunnel content inspection to enforce Security, DoS
Protection, and QoS policies on traffic in these types of tunnels
and traffic nested within another cleartext tunnel (for example,
a Null Encrypted IPSec tunnel inside a GRE tunnel). You can view
tunnel inspection logs and tunnel activity in the ACC to verify
that tunneled traffic complies with your corporate security and
All firewall models support tunnel content inspection of GRE
and non-encrypted IPSec. Tunnel content inspection of GTP-U is supported
only on the PA-5200 Series and VM-Series firewalls. The firewalls
don’t terminate GRE, non-encrypted IPSec, or GTP-U tunnels.
Tunnel content inspection is for cleartext tunnels, not for VPN
or LSVPN tunnels, which carry encrypted traffic.