Tunnel inspection logs are like traffic logs for tunnel
sessions; they display entries of non-encrypted tunnel sessions.
To prevent double counting, the firewall saves only the inner flows
in traffic logs, and sends tunnel sessions to the tunnel inspection logs.
The tunnel inspection log entries include Receive Time (date and
time the log was received), the tunnel ID, monitor tag, session
ID, the Security rule applied to the tunnel session, number of bytes
in the session, parent session ID (session ID for the tunnel session),
source address, source user and source zone, destination address,
destination user, and destination zone.
Click the Detailed Log view to see details for an entry, such
as the tunnel protocol used, and the flag indicating whether the
tunnel content was inspected or not. Only a session that has a parent
session will have the Tunnel Inspected flag set, which means the
session is in a tunnel-in-tunnel (two levels of encapsulation).
The first outer header of a tunnel will not have the Tunnel Inspected