Configure Tunnel Content Inspection
Perform this task to configure tunnel content inspection for a tunnel protocol that you allow through a tunnel.
- Create a Security policy rule to allow packets that use a specific application (such as the GRE application) through the tunnel from the source zone to the destination zone.The firewall can create tunnel inspection logs at the start of a session, at the end of a session, or both. When you specifyActionsfor the Security policy rule, selectLog at Session Startfor long-lived tunnel sessions, such as GRE sessions.
- Create a tunnel inspection policy rule.
- SelectandPoliciesTunnel InspectionAdda policy rule.
- On theGeneraltab, enter a tunnel inspection policy ruleName, beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters.
- (Optional) Enter aDescription.
- (Optional) For reporting and logging purposes, specify aTagthat identifies the packets that are subject to the Tunnel Inspection policy rule.
- Specify the criteria that determine the source of packets to which the tunnel inspection policy rule applies.
- Select theSourcetab.
- AddaSource Zonefrom the list of zones (default isAny).
- (Optional)AddaSource Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (Any).
- (Optional) SelectNegateto choose any addresses except those you specify.
- (Optional)AddaSource User(default isany).Known-useris a user who has authenticated; anUnknownuser has not authenticated.
- Specify the criteria that determine the destination of packets to which the tunnel inspection policy rule applies.
- Select theDestinationtab.
- AddaDestination Zonefrom the list of zones (default isAny).
- (Optional)AddaDestination Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (default isAny).You can also configure a new address or address group.
- (Optional) SelectNegateto choose any addresses except those you specify.
- Specify the tunnel protocols that the firewall will inspect for this rule.
- Select theInspectiontab.
- Addone or more tunnelProtocolsthat you want the firewall to inspect:
- GRE—Firewall inspects packets that use Generic Route Encapsulation (GRE) in the tunnel.
- GTP-U—Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel.
- Non-encrypted IPSec—Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
- Specify how many levels of encapsulation the firewall inspects and the conditions under which the firewall drops a packet.
- SelectInspect Options.
- Select theMaximum Tunnel Inspection Levelsthat the firewall will inspect:
- One Level(default)—Firewall inspects content that is in the outer tunnel only.
- Two Levels (Tunnel In Tunnel)—Firewall inspects content that is in the outer tunnel and content that is in the inner tunnel.
- Select the following to specify whether the firewall drops a packet under each condition:
- Drop packet if over maximum tunnel inspection level—Firewall drops a packet that contains more levels of encapsulation than are configured forMaximum Tunnel Inspection Levels.
- Drop packet if tunnel protocol fails strict header check—Firewall drops a packet that contains a tunnel protocol that uses a header that is non-compliant with the RFC for the protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
- Drop packet if unknown protocol inside tunnel—Firewall drops a packet that contains a protocol inside the tunnel that the firewall can’t identify.For example, if this option is selected, the firewall drops encrypted IPSec packets that match the tunnel inspection policy rule because the firewall can’t read them. Thus, you can allow IPSec packets and the firewall will allow only null-encrypted IPSec and AH IPSec packets.
- Manage tunnel inspection policy rules.Use the following to manage tunnel inspection policy rules:
- (Filter field)—Displays only the tunnel policy rules named in the filter field.
- Delete—Removes selected tunnel policy rules.
- Clone—An alternative to theAddbutton; duplicates the selected rule with a new name, which you can then revise.
- Enable—Enables the selected tunnel policy rules.
- Disable—Disables the selected tunnel policy rules.
- Move—Moves the selected tunnel policy rules up or down in the list; packets are evaluated against the rules in order from the top down.
- Highlight Unused Rules—Highlights tunnel policy rules that no packets have matched since the last time the firewall was restarted.
- (Optional) Create a tunnel source zone and tunnel destination zone for tunnel content and configure a Security policy rule for each zone.The best practice is to create tunnel zones for your tunnel traffic. Thus, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol).Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall to do tunnel inspection in software; tunnel inspection is not offloaded to hardware.
- If you want tunnel content to be subject to Security policy rules that are different from the Security policy rules for the zone of the outer tunnel (configured earlier), selectandNetworkZonesAddaNamefor the Tunnel Source Zone.
- ForLocation, select the virtual system.
- ForType, selectTunnel.
- Repeat these substeps to create the Tunnel Destination Zone.
- Configure a Security policy rule for the Tunnel Source Zone.Because you might not know the originator of the tunnel traffic or the direction of the traffic flow and you don’t want to inadvertently prohibit traffic for an application through the tunnel, specify both tunnel zones as theSource Zoneand both tunnel zones as theDestination Zonein your Security policy rule, or selectAnyfor both the source and destination zones; then specify theApplications.
- Configure a Security policy rule for the Tunnel Destination Zone. The tip in the previous step for configuring a Security policy rule for the Tunnel Source Zone applies to the Tunnel Destination Zone, as well.
- (Optional) Specify the Tunnel Source Zone and Tunnel Destination Zone for the inner content.
- Specify the Tunnel Source Zone and Tunnel Destination Zone (that you just added) for the inner content. Selectand on thePoliciesTunnel InspectionGeneraltab, select theNameof the tunnel inspection policy rule you created.
- SelectSecurity Options.
- Enable Security Options(disabled by default) to cause the inner content source to belong to theTunnel Source Zoneyou specify and to cause the inner content destination to belong to theTunnel Destination Zoneyou specify.If you don’tEnable Security Options, the inner content source belongs to the same source zone as the outer tunnel source and the inner content destination belongs to the same destination zone as the outer tunnel destination, which means they are subject to the same Security policy rules that apply to those outer zones.
- ForTunnel Source Zone, select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel source zone. Otherwise, by default, the inner content will use the same source zone that is used in the outer tunnel and the policies of the outer tunnel source zone apply to the inner content source zone, as well.
- ForTunnel Destination Zone, select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel destination zone. Otherwise, by default, the inner content will use the same destination zone that is used in the outer tunnel and the policies of the outer tunnel destination zone apply to the inner content destination zone, as well.If you configure aTunnel Source ZoneandTunnel Destination Zonefor the tunnel inspection policy rule, you should configure a specificSource Zone(in Step 3) and a specificDestination Zone(in Step 4) in the match criteria of the tunnel inspection policy rule, instead of specifying aSource ZoneofAnyand aDestination ZoneofAny. This tip ensures the direction of zone reassignment corresponds appropriately towith the parent zones.
- (Optional) If you enabledRematch Sessions(), ensure the firewall doesn’t drop existing sessions when you create or revise a tunnel inspection policy by disablingDeviceSetupSessionReject Non-SYN TCPfor the zones that control your tunnel Security policy rules.The firewall displays the following warning when you:
Warning: Enabling tunnel inspection policies on existing tunnel sessions will cause existing TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure existing sessions are not dropped when the tunnel inspection policy is enabled, set theReject Non-SYN TCPsetting for the zone(s) tonousing a Zone Protection profile and apply it to the zones that control the tunnel’s security policies. Once the existing sessions have been recognized by the firewall, you can re-enable theReject Non-SYN TCPsetting by setting it toyesorglobal.
- Create a tunnel inspection policy rule.
- Edit a tunnel inspection policy rule by adding aProtocolor by increasing theMaximum Tunnel Inspection LevelsfromOne LeveltoTwo Levels.
- Enable Security Optionsin theSecurity Optionstab by either adding new zones or changing one zone to another zone.
- SelectandNetworkNetwork ProfilesZone ProtectionAdda profile.
- Enter aNamefor the profile.
- Select.Packet Based Attack ProtectionTCP Drop
- ForReject Non-SYN TCP, selectno.
- Selectand select the zone that controls your tunnel Security policy rules.NetworkZones
- ForZone Protection Profile, select the Zone Protection profile you just created.
- After the firewall has recognized the existing sessions, you can re-enableReject Non-SYN TCPby setting it toyesorglobal.
- Set monitoring options for traffic that matches a tunnel inspection policy rule.
- Selectand select the tunnel inspection policy rule you created.PoliciesTunnel Inspection
- Select.InspectionMonitor Options
- Enter aMonitor Nameto group similar traffic together for purposes of logging and reporting.
- Enter aMonitor Tag (number)to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.If you tag tunnel traffic, you can later filter on the Monitor Tag in the tunnel inspection log and use the ACC to view tunnel activity based on Monitor Tag.
- Override Security Rule Log Settingto enable logging and log forwarding options for sessions that meet the selected tunnel inspection policy rule. If you don’t select this setting, tunnel log generation and log forwarding are determined by the log settings for the Security policy rule that applies to the tunnel traffic. You can override log forwarding settings in Security policy rules that control traffic logs by configuring tunnel inspection log settings to store tunnel logs separately from traffic logs. The tunnel inspection logs store the outer tunnel (GRE, non-encrypted IPSec, or GTP-U) sessions and the traffic logs store the inner traffic flows.
- SelectLog at Session Startto log traffic at the start of a session.The best practice for Tunnel logs is to log both at session start and session end because tunnels can stay up for long periods of time. For example, GRE tunnels can come up when the router boots and never terminate until the router is rebooted. If you don’t log at session start, you will never see in the ACC that there is an active GRE tunnel.
- SelectLog at Session Endto log traffic at the end of a session.
- Select aLog Forwardingprofile that determines where the firewall forwards tunnel logs for sessions that meet the tunnel inspection rule. Alternatively, you can create a new Log Forwarding profile if you Configure Log Forwarding.
- (Optional) Limit fragmentation of traffic in a tunnel.
- SelectandNetworkNetwork ProfilesZone ProtectionAdda profile byName.
- Enter aDescription.
- Select.Packet Based Attack ProtectionIP DropFragmented traffic
- Selectand select the tunnel zone where you want to limit fragmentation.NetworkZones
- ForZone Protection Profile, select the profile you just created to apply the Zone Protection profile to the tunnel zone.
- Commityour changes.
Building Blocks in a Tunnel Inspection Policy
Building Blocks in a Tunnel Inspection Policy Select Policies Tunnel Inspection to add a Tunnel Inspection policy rule. You can use the firewall to inspect ...
Tunnel Content Inspection Overview
Tunnel Content Inspection Overview Your firewall can inspect tunnel content anywhere on the network where you do not have the opportunity to terminate the tunnel ...
Tunnel Content Inspection Logging
For tunnel content inspection, override log settings for Security policy rules to log cleartext tunnel sessions at session start, session end, or both. ...
Tunnel Inspection Logs
Tunnel Inspection Logs Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries of non-encrypted tunnel sessions. To prevent double counting, the ...
Tunnel Inspection Log Fields
Tunnel Inspection Log Fields Format : FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination ...
View Tunnel Information in Logs
View Tunnel Information in Logs You can view Tunnel Inspection logs themselves or view tunnel inspection information in other types of logs. View Tunnel inspection ...
Packet-Based Attack Protection
Protect your network against bad IP, TCP, ICMP, IPv6, and ICMPv6 packets. ...
PAN-OS® 8.1 includes Tunnel Content Inspection Logging, Dynamic IP Address Support for Destination NAT, FQDN Support for IKE Gateway Peer IP Address, Configuration Capacity Improvements, ...
Policies > Tunnel Inspection
Policies > Tunnel Inspection You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols: Generic Routing Encapsulation (GRE) Non-encrypted ...