Policies > Tunnel Inspection

You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
  • Generic Routing Encapsulation (GRE)
  • Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
  • General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on PA-5200 Series and VM-Series firewalls.
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy that, when matching an incoming packet, determines which tunnel protocols in the packet the firewall will inspect and that specifies the conditions under which the firewall drops or continues to process the packet. You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.
What do you want to know?
See:
What are the fields available to create a Tunnel Inspection policy?
How can I view tunnel inspection logs?
Looking for more?

Related Documentation