Tunnel Content Inspection

The firewall can inspect the traffic content of cleartext tunnel protocols:
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, a Null Encrypted IPSec tunnel inside a GRE tunnel). You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
All firewall models support tunnel content inspection of GRE and non-encrypted IPSec. Tunnel content inspection of GTP-U is supported only on the PA-5200 Series and VM-Series firewalls. The firewalls don’t terminate GRE, non-encrypted IPSec, or GTP-U tunnels.
Tunnel content inspection is for cleartext tunnels, not for VPN or LSVPN tunnels, which carry encrypted traffic.

Related Documentation