GRE Tunnel Overview

A GRE tunnel connects two endpoints in a point-to-point, logical link.
A GRE tunnel connects two endpoints (a firewall and another device) in a point-to-point, logical link. The firewall can terminate GRE tunnels; you can route or forward packets to a GRE tunnel. GRE tunnels are simple to use and often the tunneling protocol of choice for point-to-point connectivity, especially to services in the cloud or to partner networks.
Create a GRE tunnel when you want to direct packets that are destined for an IP address to take a certain point-to-point path, for example to a cloud-based proxy or to a partner network. The packets travel in the GRE tunnel (over a transit network such as the internet) to the cloud service while on their way to the destination address. Thus the cloud service can enforce its services or policies on the packets.
The following figure is an example of a GRE tunnel connecting the firewall across the internet to a cloud service.
For better performance and to avoid single points of failure, split multiple connections to the firewall among multiple GRE tunnels rather than use a single tunnel. Each GRE tunnel needs a tunnel interface.
When the firewall allows a packet (based on a policy match) and the packet egresses to a GRE tunnel interface, the firewall adds GRE encapsulation; it doesn’t generate a session. The firewall does no Security policy rule lookup for the GRE-encapsulated traffic; therefore, you don’t need a Security policy rule for the GRE traffic the firewall encapsulates. However, when the firewall receives GRE traffic, it generates a session and applies all policies to the GRE IP header in addition to the encapsulated traffic. The firewall treats the received GRE packet like any other packet. Therefore:
  • If the firewall receives the GRE packet on an interface that has the same zone as the tunnel interface associated with the GRE tunnel (for example, tunnel.1), the source zone is the same as the destination zone. By default, traffic is allowed within a zone (intra-zone traffic), so the ingress GRE traffic is allowed by default.
  • However, if you configured your own intra-zone Security policy rule to deny such traffic, you must explicitly allow GRE traffic.
  • Likewise, if the zone of the tunnel interface associated with the GRE tunnel (for example, tunnel.1) is a different zone from that of the ingress interface, you must configure a Security policy rule to allow the GRE traffic.
Because the firewall encapsulates the tunneled packet in a GRE packet, the additional 24 bytes of GRE header automatically result in a smaller Maximum Segment Size (MSS) in the maximum transmisson unit (MTU). If you don’t change the IPv4 MSS Adjustment Size for the interface, by default the firewall reduces the MTU by 64 bytes (40 bytes of IP header + 24 bytes of GRE header). This means if the default MTU is 1500 bytes, the MSS will be 1436 bytes (1500 - 40 - 24 = 1436). If you configure an MSS Adjustment Size of 300 bytes, for example, the MSS will only be 1176 bytes (1500 - 300 - 24 = 1176).
Routing a GRE or IPSec tunnel to a GRE tunnel is not supported. However, you can route a GRE tunnel to an IPSec tunnel. A GRE tunnel does not support QoS. The firewall does not support a single interface acting as both a GRE tunnel endpoint and a decryption broker. GRE tunneling does not support NAT between GRE tunnel endpoints.
If you need to connect to another vendor’s network, we recommend you Set Up an IPSec Tunnel, not a GRE tunnel. You should use a GRE tunnel if that is the only point-to-point tunnel mechanism that the vendor supports. You can also enable GRE over IPSec if the remote endpoint requires that by clicking Add GRE Encapsulation. You would add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic. For example, some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, select Add GRE Encapsulation when you set up the IPSec tunnel.
If you aren’t planning to terminate a GRE tunnel on the firewall, but you want the ability to inspect and control traffic passing through the firewall inside a GRE tunnel, don’t create a GRE tunnel. Instead, perform Tunnel Content Inspection of GRE traffic. With tunnel content inspection, you are inspecting and enforcing policy on GRE traffic passing through the firewall, not creating a point-to-point, logical link to direct traffic.

Related Documentation