Tunnel Content Inspection Logging
For tunnel content inspection, override log settings for Security policy rules to log cleartext tunnel sessions at session start, session end, or both.
To easily view tunnel inspection logs for cleartext tunnels and to separate tunnel inspection logs from traffic logs, you can now configure tunnel content inspection logging and log forwarding. You can configure tunnel content inspection to log tunnel sessions at the start of a session, the end of a session, or both. These log settings override the Security policy rule settings that would otherwise control the tunnel inspection logs. You can also override log forwarding settings in Security policy rules that control traffic logs by configuring tunnel inspection log settings to store tunnel logs separately from traffic logs. The tunnel inspection logs store the outer tunnel (GRE, non-encrypted IPSec, or GTP-U) sessions and the traffic logs store the inner traffic flows. This allows you to easily report on tunnel activity (as opposed to inner content activity) using the ACC and reporting features.
You can create a Log Forwarding profile to specify where to send tunnel inspection logs. A Log Forwarding profile for tunnel inspection is separate from a Log Forwarding profile specified in a Security policy rule, which applies to traffic logs.
When you view a detailed tunnel inspection log, the log now includes the name of the Tunnel Inspection policy rule that applied to the session captured in the log, which makes it easier to track information about non-encrypted tunnel traffic.
- Specify logging of sessions that match a tunnel inspection policy rule and configure log forwarding.
  - Select Policies > Tunnel Inspection and select a Tunnel Inspection policy rule.
  - Select Inspection > Monitor Options.
  - Select Override Security Rule Log Setting.
  - Select Log at Session Start and Log at Session End.
  - Select a Log Forwarding profile to determine where the firewall forwards tunnel logs for sessions that match the Tunnel Inspection policy rule.
- View tunnel inspection logs.
  - Select Monitor > Logs > Tunnel Inspection.
  - Click Detailed Log View to see details about a tunnel inspection log.