Configure Tunnel Content Inspection

Perform this task to configure tunnel content inspection for a tunnel protocol that you allow in a tunnel.
  1. Create a Security policy to allow packets through the tunnel from the source zone to the destination zone that use a specific application, such as the GRE application.
    The firewall can create tunnel inspection logs at the start or end of a session. When you specify Actions for the Security policy rule, select Log at Session Start for long-lived tunnel sessions such as GRE sessions.
  2. Create a Tunnel Inspection policy rule.
    1. Select Policies > Tunnel Inspection and Add a policy rule.
    2. On the General tab, enter a Tunnel Inspection policy rule Name, beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters.
    3. (Optional) Enter a Description.
    4. (Optional) Specify a Tag that identifies the packets that are subject to the Tunnel Inspection policy rule, for reporting and logging purposes.
  3. Specify the criteria that determine the source of packets to which the Tunnel Inspection policy rule applies.
    1. Select the Source tab.
    2. Add a Source Zone from the list of zones. The default is Any zone.
    3. (Optional) Add a Source Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object. The default is Any source address.
    4. (Optional) Select Negate to choose any addresses except the specified ones.
    5. (Optional) Add a Source User. The default is any source user. Known-user is a user who has authenticated; an Unknown user has not authenticated.
  4. Specify the criteria that determine the destination of packets to which the Tunnel Inspection policy rule applies.
    1. Select the Destination tab.
    2. Add a Destination Zone from the list of zones. The default is Any zone.
    3. (Optional) Add a Destination Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object. The default is Any destination address. You can also configure a new Address or Address Group.
    4. (Optional) Select Negate to choose any addresses except the specified ones.
  5. Specify the tunnel protocols the firewall will inspect for this rule.
    1. Select the Inspection tab.
    2. Add one or more tunnel Protocols that you want the firewall to inspect:
      • GRE—Firewall inspects packets that use Generic Routing Encapsulation in the tunnel.
      • GTP-U—Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel.
      • Non-encrypted IPSec—Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
  6. Specify how many levels of encapsulation the firewall inspects and the conditions under which the firewall drops a packet.
    1. Select Inspect Options.
    2. Select the Maximum Tunnel Inspection Levels that the firewall will inspect:
      • One Level—Firewall inspects content that is in the outer tunnel only (default).
      • Two Levels (Tunnel In Tunnel)—Firewall inspects content that is in the outer tunnel and content that is in the inner tunnel.
    3. Select any of the following options to specify the conditions under which the firewall drops a packet:
      1. Drop packet if over maximum tunnel inspection level—Firewall drops a packet that contains more levels of encapsulation than are configured for Maximum Tunnel Inspection Levels.
      2. Drop packet if tunnel protocol fails strict header check—Firewall drops a packet that contains a tunnel protocol that uses a header that is non-compliant with the RFC for the protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
        If your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890, you shouldn’t enable the option to Drop packet if tunnel protocol fails strict header check.
      3. Drop packet if unknown protocol inside tunnel—Firewall drops a packet that contains a protocol inside the tunnel that the firewall can’t identify.
        For example, if this option is selected, the firewall drops encrypted IPSec packets that match the Tunnel Inspection policy rule because the firewall can’t read them. Thus, you can allow IPSec packets, and the firewall will allow only null-encrypted IPSec and AH IPSec packets.
    4. Click OK.
  7. Manage Tunnel Inspection policy rules.
    Use the following to manage Tunnel Inspection policy rules:
    • (Filter field)—Displays only the tunnel policy rules named in the filter field.
    • Delete—Removes selected tunnel policy rules.
    • Clone—An alternative to the Add button; duplicates the selected rule with a new name, which you can then revise.
    • Enable—Enables the selected tunnel policy rules.
    • Disable—Disables the selected tunnel policy rules.
    • Move—Moves the selected tunnel policy rules up or down in the list; packets are evaluated against the rules in order from the top down.
    • Highlight Unused Rules—Highlights tunnel policy rules that no packets have matched since the last time the firewall was restarted.
  8. (Optional) Create a tunnel source zone and tunnel destination zone for tunnel content and configure a Security policy rule for each zone.
    The best practice is to create tunnel zones for your tunnel traffic. Thus, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol).
    Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall to do tunnel inspection in software; tunnel inspection isn’t offloaded to hardware.
    1. If you want tunnel content to be subject to different Security policy rules from the Security policy rules for the zone of the outer tunnel (configured earlier), select Network > Zones and Add a Name for the Tunnel Source Zone.
    2. For Location, select the virtual system.
    3. For Type, select Tunnel.
    4. Click OK.
    5. Repeat these substeps to create the Tunnel Destination Zone.
    6. Configure a Security Policy Rule for the Tunnel Source Zone.
      Because you might not know the originator of the tunnel traffic or the direction of the traffic flow and you don’t want to inadvertently prohibit traffic for an application through the tunnel, specify both tunnel zones as the Source Zone and specify both tunnel zones as the Destination Zone in your Security policy rule, or select Any for both the source and destination zones; then specify the Applications.
    7. Configure a Security Policy Rule for the Tunnel Destination Zone. The tip for configuring a Security policy rule for the Tunnel Source Zone applies to the Tunnel Destination Zone also.
  9. (Optional) Specify the Tunnel Source Zone and Tunnel Destination Zone for the inner content.
    1. Specify the Tunnel Source Zone and Tunnel Destination Zone you just added as the zones for the inner content. Select Policies > Tunnel Inspection and, on the General tab, select the Name of the Tunnel Inspection policy rule you created.
    2. Select Inspection.
    3. Select Security Options.
    4. Select Enable Security Options to cause the inner content source to belong to the Tunnel Source Zone you specify, and to cause the inner content destination to belong to the Tunnel Destination Zone you specify. (Default is disabled.)
      If you don’t Enable Security Options, the inner content source belongs to the same source zone as the outer tunnel source, and the inner content destination belongs to the same destination zone as the outer tunnel destination, and they are therefore subject to the same Security policy rules that apply to those outer zones.
    5. For Tunnel Source Zone, select the appropriate tunnel zone you created in the prior step so that the policies associated with that zone apply to the tunnel source zone. Otherwise, by default the inner content will use the same source zone that is used in the outer tunnel, and the policies of the outer tunnel source zone apply to the inner content source zone also.
    6. For Tunnel Destination Zone, select the appropriate tunnel zone you created in the prior step so that the policies associated with that zone apply to the tunnel destination zone. Otherwise, by default the inner content will use the same destination zone that is used in the outer tunnel, and the policies of the outer tunnel destination zone apply to the inner content destination zone also.
      If you configure a Tunnel Source Zone and Tunnel Destination Zone for the tunnel inspection policy rule, you should configure a specific Source Zone (in Step 3) and a specific Destination Zone (in Step 4) in the match criteria of the tunnel inspection policy rule, instead of specifying a Source Zone of Any and a Destination Zone of Any. This tip ensures the direction of zone reassignment corresponds to the parent zones.
    7. Click OK.
  10. (Optional) If you enabled Rematch Sessions (Device > Setup > Session), ensure the firewall doesn’t drop existing sessions when you create or revise a Tunnel Inspection policy, by disabling Reject Non-SYN TCP for the zones that control your tunnel’s Security policies.
    The firewall displays the following warning when you:
    • Create a Tunnel Inspection policy rule.
    • Edit a Tunnel Inspection policy rule by adding a Protocol or by increasing the Maximum Tunnel Inspection Levels from One Level to Two Levels.
    • Enable Security Options in the Security Options tab by either adding new zones or changing one zone to another zone.
    Warning: Enabling tunnel inspection policies on existing tunnel sessions will cause existing TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure existing sessions are not dropped when the tunnel inspection policy is enabled, set the Reject Non-SYN TCP setting for the zone(s) to no using a Zone Protection profile and apply it to the zones that control the tunnel’s security policies. Once the existing sessions have been recognized by the firewall, you can re-enable the Reject Non-SYN TCP setting by setting it to yes or global.
    1. Select Network > Network Profiles > Zone Protection and Add a profile.
    2. Enter a Name for the profile.
    3. Select Packet Based Attack Protection > TCP Drop.
    4. For Reject Non-SYN TCP, select no.
    5. Click OK.
    6. Select Network > Zones and select the zone that controls your tunnel’s security policies.
    7. For Zone Protection Profile, select the Zone Protection profile you just created.
    8. Click OK.
    9. Repeat the prior three steps in this section to apply the Zone Protection profile to additional zones that control your tunnel’s Security policies.
    10. After the firewall has recognized the existing sessions, you can re-enable Reject Non-SYN TCP by setting it to yes or global.
  11. Tag tunnel traffic for aggregated logging and reporting across firewalls or outside the firewall.
    If you tag tunnel traffic, you can later filter on the Monitor Tag in the Tunnel Inspection log and use the ACC to view tunnel activity based on Monitor Tag.
    1. Select Policies > Tunnel Inspection and select the Tunnel Inspection policy rule you created.
    2. Select Inspection > Monitor Options.
    3. Enter a Monitor Name to group similar traffic together for purposes of logging and reporting.
    4. Enter a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1-16,777,215). The tag number is globally defined.
    5. Click OK.
  12. (Optional) Limit fragmentation of traffic in a tunnel.
    1. Select Network > Network Profiles > Zone Protection and Add a profile by Name.
    2. Enter a Description.
    3. Select Packet Based Attack Protection > IP Drop > Fragmented traffic.
    4. Click OK.
    5. Select Network > Zones and select the tunnel zone where you want to limit fragmentation.
    6. For Zone Protection Profile, select the profile you just created to apply the Zone Protection profile to the tunnel zone.
    7. Click OK.
  13. Commit your changes.
    Click Commit.
