Building Blocks in a Tunnel Inspection Policy

The following table describes the fields you configure for a Tunnel Inspection policy.
| Building Blocks in a Tunnel Inspection Policy | Configured In | Description |
|---|---|---|
| Name | General | Enter a name for the Tunnel Inspection policy beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters. |
| Description | General | (Optional) Enter a description for the Tunnel Inspection policy. |
| Tags | General | (Optional) Enter one or more tags for reporting and logging purposes that identify the packets that are subject to the Tunnel Inspection policy. |
| Source Zone | Source | Add one or more source zones of packets to which the Tunnel Inspection policy applies (default is Any). |
| Source Address | Source | (Optional) Add source IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any). |
| Source User | Source | (Optional) Add source users of packets to which the Tunnel Inspection policy applies (default is any). |
| Negate | Source | (Optional) Select Negate to choose any addresses except the specified ones. |
| Destination Zone | Destination | Add one or more destination zones of packets to which the Tunnel Inspection policy applies (default is Any). |
| Destination Address | Destination | (Optional) Add destination IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any). |
| Negate | Destination | (Optional) Select Negate to choose any addresses except the specified ones. |
| Tunnel Protocol | Inspection | Add one or more tunnel protocols that you want the firewall to inspect: GRE (the firewall inspects packets that use Generic Routing Encapsulation in the tunnel); GTP-U (the firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel; supported only on PA-5200 Series and VM-Series firewalls); Non-encrypted IPSec (the firewall inspects packets that use non-encrypted IPSec, that is, Null Encrypted IPSec or transport mode AH IPSec, in the tunnel). To remove a protocol from your list, select the protocol and Delete it. |
| Maximum Tunnel Inspection Levels | Inspection > Inspect Options | Select the maximum level of tunnels the firewall will inspect: One Level (default) or Two Levels (Tunnel In Tunnel). |
| Drop packet if over maximum tunnel inspection level | Inspection > Inspect Options | (Optional) Drop packets that contain more levels of encapsulation than configured for Maximum Tunnel Inspection Levels. |
| Drop packet if tunnel protocol fails strict header check | Inspection > Inspect Options | (Optional) Drop packets that contain a tunnel protocol that uses a header that is non-compliant with the RFC for that protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890. Don't enable this option if your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890. |
| Drop packet if unknown protocol inside tunnel | Inspection > Inspect Options | (Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify. |
| Enable Security Options | Inspection > Security Options | (Optional) Enable Security Options to assign security zones for separate Security policy treatment of tunnel content. The inner content source will belong to the Tunnel Source Zone you specify and the inner content destination will belong to the Tunnel Destination Zone you specify. If you do not Enable Security Options, by default the inner content source belongs to the same zone as the outer tunnel source, and the inner content destination belongs to the same zone as the outer tunnel destination. Therefore, both the inner content source and destination are subject to the same Security policies that apply to the source and destination zones of the outer tunnel. |
| Tunnel Source Zone | Inspection > Security Options | If you Enable Security Options, select a tunnel zone that you created, and the inner content will use this source zone for the purpose of policy enforcement. Otherwise, by default the inner content source belongs to the same source zone as the outer tunnel source, and the policies of the outer tunnel source zone apply to the inner content source zone also. |
| Tunnel Destination Zone | Inspection > Security Options | If you Enable Security Options, select a tunnel zone that you created, and the inner content will use this destination zone for the purpose of policy enforcement. Otherwise, by default the inner content destination belongs to the same zone as the outer tunnel destination, and the policies of the outer tunnel destination zone apply to the inner content destination zone also. |
| Monitor Name | Inspection > Monitor Options | (Optional) Enter a monitor name to group similar traffic together for monitoring the traffic in logs and reports. |
| Monitor Tag (number) | Inspection > Monitor Options | (Optional) Enter a monitor tag number that can group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined. |
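The Inspect Options rows describe three drop conditions (strict header check, maximum tunnel levels, unknown inner protocol) without showing what a strict GRE check or a level count involves. The following added example is not Palo Alto Networks code and does not reproduce the firewall's implementation; it is one reading of RFC 2890 applied to GRE-in-IPv4: reserved bits and version must be zero, the optional Checksum field must verify, and each GRE layer whose payload is IPv4 is walked to count encapsulation levels. Protocol numbers come from the RFCs; the sample packets, addresses and payloads are constructed.

```python
"""Added example: RFC 2890 strict GRE header check and tunnel-level count (not PAN-OS code)."""
import struct

# Standard protocol numbers (from the RFCs, not from the page)
IPPROTO_GRE = 47          # IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE Protocol Type carried when the payload is IPv4

# GRE flag word layout per RFC 2890 (bit 0 is 0x8000)
GRE_FLAG_C = 0x8000       # Checksum Present
GRE_FLAG_K = 0x2000       # Key Present
GRE_FLAG_S = 0x1000       # Sequence Number Present
GRE_RESERVED0 = 0x4FF8    # bit 1 (the old RFC 1701 'R' bit) and bits 4-12: must be zero
GRE_VERSION = 0x0007      # bits 13-15: version, must be zero


class GreHeaderError(ValueError):
    """The GRE header is truncated or fails the strict RFC 2890 check."""


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum as used by the GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_gre(gre: bytes, strict: bool = True):
    """Return (protocol_type, payload); with strict=True reject what RFC 2890 forbids.
    Non-strict mode only skips the RFC 2890 optional fields and ignores reserved bits."""
    if len(gre) < 4:
        raise GreHeaderError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if strict and flags & GRE_RESERVED0:
        raise GreHeaderError("reserved bits set (RFC 1701-style header)")
    if strict and flags & GRE_VERSION:
        raise GreHeaderError("GRE version is not 0")
    offset = 4
    if flags & GRE_FLAG_C:
        if len(gre) < offset + 4:
            raise GreHeaderError("truncated Checksum field")
        _checksum, reserved1 = struct.unpack("!HH", gre[offset:offset + 4])
        # The checksum covers the whole GRE header and payload, so re-summing
        # everything with the stored checksum in place must give zero.
        if strict and (reserved1 or ones_complement_checksum(gre) != 0):
            raise GreHeaderError("bad checksum or non-zero Reserved1")
        offset += 4
    for flag in (GRE_FLAG_K, GRE_FLAG_S):
        if flags & flag:
            offset += 4
    if len(gre) < offset:
        raise GreHeaderError("truncated Key/Sequence Number fields")
    return proto, gre[offset:]


def count_gre_levels(ip_packet: bytes, strict: bool = True) -> int:
    """Walk IPv4 -> GRE -> IPv4 -> GRE ... and count GRE levels (GRE-in-GRE is 2)."""
    levels = 0
    pkt = ip_packet
    while True:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise GreHeaderError("payload is not a complete IPv4 header")
        if pkt[9] != IPPROTO_GRE:
            return levels
        ihl = (pkt[0] & 0x0F) * 4
        proto, payload = parse_gre(pkt[ihl:], strict)
        levels += 1
        if proto != GRE_PROTO_IPV4:
            return levels   # non-IPv4 payload: nothing further to walk here
        pkt = payload


def tunnel_inspect_decision(ip_packet: bytes, max_levels: int = 1,
                            drop_over_max: bool = True, drop_strict_fail: bool = True) -> str:
    """Model the 'Drop packet if ...' options from the Inspect Options rows."""
    try:
        levels = count_gre_levels(ip_packet, strict=drop_strict_fail)
    except GreHeaderError as exc:
        return "drop: %s" % exc
    if drop_over_max and levels > max_levels:
        return "drop: %d levels exceed maximum of %d" % (levels, max_levels)
    return "inspect: %d level(s)" % levels


# --- constructed sample packets: addresses, IP checksum and payload are placeholders ---
def build_ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def build_gre(proto: int, payload: bytes, checksum: bool = False, extra_flags: int = 0) -> bytes:
    """extra_flags is only used here to set reserved bits for a legacy-style header."""
    flags = (GRE_FLAG_C if checksum else 0) | extra_flags
    header = struct.pack("!HH", flags, proto)
    if not checksum:
        return header + payload
    csum = ones_complement_checksum(header + struct.pack("!HH", 0, 0) + payload)
    return header + struct.pack("!HH", csum, 0) + payload


if __name__ == "__main__":
    inner = build_ipv4(17, b"constructed udp payload")
    one = build_ipv4(IPPROTO_GRE, build_gre(GRE_PROTO_IPV4, inner, checksum=True))
    two = build_ipv4(IPPROTO_GRE, build_gre(GRE_PROTO_IPV4, one))
    print(tunnel_inspect_decision(one))                 # inspect: 1 level(s)
    print(tunnel_inspect_decision(two, max_levels=1))   # drop: 2 levels exceed maximum of 1
```

The legacy caveat in the table corresponds to the GRE_RESERVED0 test: an RFC 1701 peer may set bit 1 or the routing-related bits, which the strict check rejects, so a device speaking pre-RFC 2890 GRE would be dropped rather than inspected.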
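The Security Options rows make a point that is easy to miss: unless Security Options are enabled, inner content inherits the outer tunnel's zones and is therefore evaluated against the same Security policy as the tunnel itself. The following added example models that zone assignment together with the match criteria and field constraints from the table (name format, protocol set, one or two levels, monitor tag range, Negate on source addresses). It is not Palo Alto Networks code; the rule and packet classes, field names and sample zones, addresses and rule names are constructed for illustration.

```python
"""Added example: which zones inner tunnel content is evaluated in (not PAN-OS code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ANY = "any"
# Name rule from the table: alphanumeric first, then alphanumeric, _, -, . or space
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\- ]*$")
TUNNEL_PROTOCOLS = {"GRE", "GTP-U", "Non-encrypted IPSec"}
MONITOR_TAG_MAX = 16_777_215


@dataclass
class TunnelInspectionRule:
    """Constructed model of a Tunnel Inspection policy rule (field names are assumptions)."""
    name: str
    protocols: Set[str]
    source_zones: Set[str] = field(default_factory=lambda: {ANY})
    dest_zones: Set[str] = field(default_factory=lambda: {ANY})
    source_addresses: Set[str] = field(default_factory=set)   # CIDRs; empty means Any
    negate_source: bool = False
    max_levels: int = 1                                        # 1, or 2 for Tunnel In Tunnel
    security_options: bool = False
    tunnel_source_zone: Optional[str] = None
    tunnel_dest_zone: Optional[str] = None
    monitor_tag: Optional[int] = None

    def __post_init__(self):
        if not NAME_RE.match(self.name):
            raise ValueError("invalid rule name: %r" % self.name)
        if not self.protocols or not self.protocols <= TUNNEL_PROTOCOLS:
            raise ValueError("unsupported tunnel protocol in %r" % self.protocols)
        if self.max_levels not in (1, 2):
            raise ValueError("max_levels must be 1 (One Level) or 2 (Two Levels)")
        if self.monitor_tag is not None and not 1 <= self.monitor_tag <= MONITOR_TAG_MAX:
            raise ValueError("monitor tag out of range 1..16,777,215")
        if self.security_options and not (self.tunnel_source_zone and self.tunnel_dest_zone):
            raise ValueError("Security Options require a tunnel source and destination zone")


@dataclass
class TunnelPacket:
    """The outer tunnel packet as the firewall classifies it (constructed for the example)."""
    outer_src_zone: str
    outer_dst_zone: str
    outer_src_ip: str
    protocol: str


def is_valid_rule(**kwargs) -> bool:
    """True if the constraints in the table accept this rule definition."""
    try:
        TunnelInspectionRule(**kwargs)
        return True
    except ValueError:
        return False


def _zone_match(zones: Set[str], zone: str) -> bool:
    return ANY in zones or zone in zones


def _address_match(cidrs: Set[str], negate: bool, ip: str) -> bool:
    if not cidrs:
        return True   # nothing configured: Any
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
    return not hit if negate else hit   # Negate: any address except the specified ones


def rule_matches(rule: TunnelInspectionRule, pkt: TunnelPacket) -> bool:
    """Does the outer tunnel packet match the rule's zones, source addresses and protocol?"""
    return (_zone_match(rule.source_zones, pkt.outer_src_zone)
            and _zone_match(rule.dest_zones, pkt.outer_dst_zone)
            and _address_match(rule.source_addresses, rule.negate_source, pkt.outer_src_ip)
            and pkt.protocol in rule.protocols)


def inner_content_zones(rule: TunnelInspectionRule, pkt: TunnelPacket) -> Tuple[str, str]:
    """Zones in which the inner content is evaluated against Security policy."""
    if rule.security_options:
        return rule.tunnel_source_zone, rule.tunnel_dest_zone
    # Default: inner content inherits the outer tunnel's zones, so the Security
    # policies written for the tunnel endpoints also govern the inner flows.
    return pkt.outer_src_zone, pkt.outer_dst_zone


if __name__ == "__main__":
    pkt = TunnelPacket("untrust", "trust", "203.0.113.5", "GRE")
    plain = TunnelInspectionRule("gre-inspect", protocols={"GRE"})
    zoned = TunnelInspectionRule("gre-zoned", protocols={"GRE"}, security_options=True,
                                 tunnel_source_zone="tunnel-src", tunnel_dest_zone="tunnel-dst")
    print(inner_content_zones(plain, pkt))   # ('untrust', 'trust')
    print(inner_content_zones(zoned, pkt))   # ('tunnel-src', 'tunnel-dst')
```

Separate tunnel zones are what let you write a tighter Security policy for what rides inside the tunnel than for the tunnel endpoints themselves; with the default, a permissive untrust-to-trust rule for the GRE endpoints is also the rule the inner flows are checked against.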
