General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U)
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel. You can view inspected tunnel information to verify that tunneled traffic complies with your corporate security and usage policies.
In enterprise environments, you can inspect traffic tunneled using GRE or non-encrypted IPSec. For security, QoS, and reporting reasons, you want to inspect the traffic inside the tunnel.
In Service Provider environments, you can use GTP-U to tunnel data traffic from mobile devices. You want to inspect the inner content without terminating the tunnel protocol, and you want to record the user data carried for those users.
All firewall models support tunnel content inspection of GRE and non-encrypted IPSec. Only PA-5200 Series and VM-Series firewalls support tunnel content inspection of GTP-U.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. Tunnel content inspection is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual
Create a Security policy that allows packets through the tunnel that use a specific application, such as GRE.
Create a Tunnel Inspection policy that specifies the match criteria for packets, the tunnel protocols to inspect, the maximum level of encapsulation to inspect, and, if you choose, separate Security policies for the tunnel zones.
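The following is an added illustration, not PAN-OS code or its configuration syntax, of what "maximum level of encapsulation to inspect" means for the cleartext tunnel protocols named above: it walks a constructed packet in which a GTP-U G-PDU carries a GRE tunnel that in turn carries user TCP, recording one entry per IP layer and descending no deeper than the configured level. The sample packet, addresses, TEID and GRE key are constructed for the example.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
GTPU_PORT, GTPU_GPDU = 2152, 0xFF  # GTP-U rides UDP/2152; 0xFF is the G-PDU (user data) message type

def inspect(pkt, max_levels):
    """Walk GRE and GTP-U headers outer to inner; one record per IP layer, at most max_levels descents."""
    layers, level = [], 0
    while True:
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        layers.append({"level": level, "proto": proto, "src": ".".join(map(str, pkt[12:16])),
                       "dst": ".".join(map(str, pkt[16:20]))})
        payload = pkt[ihl:]
        if level >= max_levels:  # the configured maximum encapsulation level: stop descending here
            break
        if proto == IPPROTO_GRE and struct.unpack("!H", payload[2:4])[0] == 0x0800:  # IPv4 inner only
            flags = struct.unpack("!H", payload[:2])[0]
            # optional 4-byte fields: checksum/offset (C or R set), key (K), sequence number (S)
            off = 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            pkt = payload[off:]
        elif proto == IPPROTO_UDP and struct.unpack("!H", payload[2:4])[0] == GTPU_PORT:
            gtp = payload[8:]
            if (gtp[0] >> 5) != 1 or gtp[1] != GTPU_GPDU:  # only version 1 G-PDUs carry user data
                break
            off = 8 + (4 if gtp[0] & 0x07 else 0)  # E, S or PN set: seq, N-PDU number, next ext type
            nxt = gtp[off - 1] if gtp[0] & 0x04 else 0
            while nxt:  # extension header: length/4, content, next type; type 0 ends the chain
                ext_len = gtp[off] * 4
                nxt, off = gtp[off + ext_len - 1], off + ext_len
            pkt = gtp[off:]
        else:
            break
        level += 1
    return layers

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) for the constructed sample packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst)) + payload

def sample_gtpu_over_gre():
    """Constructed sample: GTP-U G-PDU carrying a GRE tunnel (key present) that carries user TCP."""
    tcp = ipv4(IPPROTO_TCP, (10, 1, 1, 5), (198, 51, 100, 20),
               struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 0xFFFF, 0, 0))
    gre = ipv4(IPPROTO_GRE, (10, 0, 0, 1), (10, 0, 0, 2), struct.pack("!HHI", 0x2000, 0x0800, 0xCAFE) + tcp)
    # flags 0x34: version 1, PT=1, E=1; optional seq/N-PDU/next-type, then one 4-byte ext header
    gtpu = struct.pack("!BBHI", 0x34, GTPU_GPDU, 8 + len(gre), 0x1234) + bytes([0, 0, 0, 0x85, 1, 0, 0, 0]) + gre
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtpu), 0) + gtpu
    return ipv4(IPPROTO_UDP, (172, 16, 0, 2), (172, 16, 0, 1), udp)
```

With a maximum level of 2 the walk reaches the user TCP flow inside both tunnels; with a level of 1 it stops at the GRE layer, so the inner flow is never seen by policy.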