Tunnel Content Inspection Logging

For tunnel content inspection, override log settings for Security policy rules to log cleartext tunnel sessions at session start, session end, or both.
To easily view tunnel inspection logs for cleartext tunnels and to separate tunnel inspection logs from traffic logs, you can now configure tunnel content inspection logging and log forwarding. You can configure tunnel content inspection to log tunnel sessions at the start of a session, the end of a session, or both. These log settings override the Security policy rule settings that would otherwise control the tunnel inspection logs. You can also override log forwarding settings in Security policy rules that control traffic logs by configuring tunnel inspection log settings to store tunnel logs separately from traffic logs. The tunnel inspection logs store the outer tunnel (GRE, non-encrypted IPSec, or GTP-U) sessions and the traffic logs store the inner traffic flows. This allows you to easily report on tunnel activity (as opposed to inner content activity) using the ACC and reporting features.
You can create a Log Forwarding profile to specify where to send tunnel inspection logs. A Log Forwarding profile for tunnel inspection is separate from a Log Forwarding profile specified in a Security policy rule, which applies to traffic logs.
When you view a detailed tunnel inspection log, the log now includes the name of the Tunnel Inspection policy rule that applied to the session captured in the log, which makes it easier to track information about non-encrypted tunnel traffic.
  1. Specify logging of sessions that match a tunnel inspection policy rule and configure log forwarding.
    1. Select Policies > Tunnel Inspection and select a Tunnel Inspection policy rule.
    2. Select Inspection > Monitor Options.
    3. Select Override Security Rule Log Setting.
    4. Select Log at Session Start and Log at Session End.
    5. Select a Log Forwarding profile to determine where the firewall forwards tunnel logs for sessions that match the Tunnel Inspection policy rule.
  2. View tunnel inspection logs.
    1. Select Monitor > Logs > Tunnel Inspection.
    2. Click Detailed Log View to see details about a tunnel inspection log.
