Building Blocks in a Tunnel Inspection Policy

Select Policies > Tunnel Inspection to add a Tunnel Inspection policy rule. You can use the firewall to inspect the content of cleartext tunnel protocols (GRE, non-encrypted IPSec, and GTP-U) and leverage tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels. All firewall models support tunnel content inspection of GRE and non-encrypted IPSec tunnels, but only PA-5200 Series and VM-Series firewalls support tunnel content inspection of GTP-U tunnels. The following table describes the fields you configure for a Tunnel Inspection policy, grouped by the tab (Configured In) where each field appears.
Configured In: General

Name
Enter a name for the Tunnel Inspection policy beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters.

Description
(Optional) Enter a description for the Tunnel Inspection policy.

Tags
(Optional) Enter one or more tags for reporting and logging purposes that identify the packets that are subject to the Tunnel Inspection policy.

Configured In: Source

Source Zone
Add one or more source zones of packets to which the Tunnel Inspection policy applies (default is Any).

Source Address
(Optional) Add source IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Source User
(Optional) Add source users of packets to which the Tunnel Inspection policy applies (default is any).

Negate
(Optional) Select Negate to choose any addresses except those specified.

Configured In: Destination

Destination Zone
Add one or more destination zones of packets to which the Tunnel Inspection policy applies (default is Any).

Destination Address
(Optional) Add destination IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Negate
(Optional) Select Negate to choose any addresses except those specified.

Configured In: Inspection

Tunnel Protocol
Add one or more tunnel Protocols that you want the firewall to inspect:
  • GRE—Firewall inspects packets that use Generic Routing Encapsulation in the tunnel.
  • GTP-U—Firewall inspects packets that use the General Packet Radio Service (GPRS) tunneling protocol for user data (GTP-U) in the tunnel (supported only on PA-5200 Series and VM-Series firewalls).
  • Non-encrypted IPSec—Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
To remove a protocol from your list, select the protocol and Delete it.

Configured In: Inspection > Inspect Options

Maximum Tunnel Inspection Levels
Specify whether the firewall will inspect One Level (default) or Two Levels (Tunnel In Tunnel) of encapsulation.

Drop packet if over maximum tunnel inspection level
(Optional) Drop packets that contain more levels of encapsulation than you specified for Maximum Tunnel Inspection Levels.

Drop packet if tunnel protocol fails strict header check
(Optional) Drop packets that contain a tunnel protocol that uses a header that is non-compliant with the RFC for that protocol. Non-compliant headers indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
Do not enable this option if your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890.

Drop packet if unknown protocol inside tunnel
(Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify.

Configured In: Inspection > Security Options

Enable Security Options
(Optional) Enable Security Options to assign security zones for separate Security policy treatment of tunnel content. The inner content source will belong to the Tunnel Source Zone you specify and the inner content destination will belong to the Tunnel Destination Zone you specify.
If you do not Enable Security Options, by default the inner content source belongs to the same zone as the outer tunnel source, and the inner content destination belongs to the same zone as the outer tunnel destination. Therefore, both the inner content source and destination are subject to the same Security policies that apply to the source and destination zones of the outer tunnel.

Tunnel Source Zone
If you Enable Security Options, select a tunnel zone that you created, and the inner content will use this source zone for the purpose of policy enforcement.
Otherwise, by default the inner content source belongs to the same zone as the outer tunnel source, and the policies of the outer tunnel source zone apply to the inner content source zone also.

Tunnel Destination Zone
If you Enable Security Options, select a tunnel zone that you created, and the inner content will use this destination zone for the purpose of policy enforcement.
Otherwise, by default the inner content destination belongs to the same zone as the outer tunnel destination, and the policies of the outer tunnel destination zone apply to the inner content destination zone also.

Configured In: Inspection > Monitor Options

Monitor Name
(Optional) Enter a monitor name to group similar traffic together for monitoring the traffic in logs and reports.

Monitor Tag (number)
(Optional) Enter a monitor tag number that can group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.

Log at Session Start
(Optional) Select this option to generate a log at the start of a cleartext tunnel session that matches the Tunnel Inspection policy. This setting overrides the Log at Session Start setting in the Security policy rule that applies to the session.
Tunnel logs are stored separately from Traffic logs. The information for the outer tunnel session (GRE, non-encrypted IPSec, or GTP-U) is stored in the Tunnel logs and the inner traffic flows are stored in the Traffic logs. This separation allows you to easily report on tunnel activity (as opposed to inner content activity) with the ACC and reporting features.
The best practice for Tunnel logs is to Log at Session Start and Log at Session End because, for logging purposes, tunnels can be very long-lived. For example, GRE tunnels can come up when the router boots and never terminate until the router is rebooted. If you don't select Log at Session Start, you will never see that there is an active GRE tunnel in the ACC.

Log at Session End
(Optional) Select this option to capture a log at the end of a cleartext tunnel session that matches the Tunnel Inspection policy. This setting overrides the Log at Session End setting in the Security policy rule that applies to the session.

Log Forwarding
(Optional) Select a Log Forwarding profile from the drop-down to specify where to forward tunnel inspection logs. (This setting is separate from the Log Forwarding setting in a Security policy rule, which applies to Traffic logs.)