Policies > Tunnel Inspection
You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on PA-5200 Series and VM-Series firewalls.
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy to specify, for each incoming packet that matches the policy, which tunnel protocols in the packet the firewall inspects and the conditions under which the firewall drops the packet or continues to process it. You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.
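To make the nesting case above concrete (Null Encrypted IPSec inside a GRE tunnel), the following added example, which is not Palo Alto Networks code and does not reflect the firewall's implementation, walks an IPv4 packet and lists its cleartext tunnel layers from the outside in. The helper names and the sample packet are constructed for illustration; GTP-U extension-header chains are not walked.

```python
import struct

GRE, ESP, AH, UDP, GTPU_PORT = 47, 50, 51, 17, 2152  # IP protocol numbers, GTP-U UDP port

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (documentation addresses, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def tunnel_layers(pkt: bytes) -> list:
    """Return the encapsulation stack of an IPv4 packet, outermost first."""
    layers, off = [], 0
    try:
        while True:
            if pkt[off] >> 4 != 4:
                return layers + ["non-IPv4"]
            layers.append("IPv4")
            proto = pkt[off + 9]
            off += (pkt[off] & 0x0F) * 4          # IHL counts 32-bit words
            if proto == AH:                       # transport-mode AH precedes the payload
                layers.append("AH")
                proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
            if proto == GRE:
                flags, ptype = struct.unpack_from("!HH", pkt, off)
                layers.append("GRE")
                # Optional checksum (C), key (K) and sequence (S) fields: 4 bytes each
                off += 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
                if ptype != 0x0800:               # inner payload is not IPv4
                    return layers
            elif proto == UDP and struct.unpack_from("!H", pkt, off + 2)[0] == GTPU_PORT:
                gtp = off + 8                     # skip the 8-byte UDP header
                layers.append("GTP-U")
                if pkt[gtp + 1] != 0xFF:          # only G-PDU (type 255) carries user IP
                    return layers
                off = gtp + (12 if pkt[gtp] & 0x07 else 8)
            elif proto == ESP:
                # The ESP header holds only SPI and sequence number, so NULL
                # encryption cannot be confirmed from the header; stop here.
                return layers + ["ESP"]
            else:
                return layers + [f"proto {proto}"]
    except (IndexError, struct.error):
        return layers + ["truncated"]

# Constructed sample: ESP carried in an inner IPv4 packet inside a GRE tunnel
SAMPLE = ipv4(GRE, struct.pack("!HH", 0, 0x0800)
              + ipv4(ESP, struct.pack("!II", 0x1000, 1) + b"cleartext"))
print(tunnel_layers(SAMPLE))
```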
What do you want to know?
What are the fields available to create a Tunnel Inspection policy?
How can I view tunnel inspection logs?