Configure Tunnel Content Inspection

Perform this task to configure tunnel content inspection for a tunnel protocol that you allow through a tunnel.
  1. Create a Security policy rule to allow packets that use a specific application (such as the GRE application) through the tunnel from the source zone to the destination zone.
    The firewall can create tunnel inspection logs at the start of a session, at the end of a session, or both. When you specify
    Actions
    for the Security policy rule, select
    Log at Session Start
    for long-lived tunnel sessions, such as GRE sessions.
  2. Create a tunnel inspection policy rule.
    1. Select
      Policies
      Tunnel Inspection
      and
      Add
      a policy rule.
    2. On the
      General
      tab, enter a tunnel inspection policy rule
      Name
      , beginning with an alphanumeric character and containing zero or more alphanumeric, underscore, hyphen, period, and space characters.
    3. (
      Optional
      ) Enter a
      Description
      .
    4. (
      Optional
      ) For reporting and logging purposes, specify a
      Tag
      that identifies the packets that are subject to the Tunnel Inspection policy rule.
  3. Specify the criteria that determine the source of packets to which the tunnel inspection policy rule applies.
    1. Select the
      Source
      tab.
    2. Add
      a
      Source Zone
      from the list of zones (default is
      Any
      ).
    3. (
      Optional
      )
      Add
      a
      Source Address
      . You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (
      Any
      ).
    4. (
      Optional
      ) Select
      Negate
      to choose any addresses except those you specify.
    5. (
      Optional
      )
      Add
      a
      Source User
      (default is
      any
      ).
      Known-user
      is a user who has authenticated; an
      Unknown
      user has not authenticated.
  4. Specify the criteria that determine the destination of packets to which the tunnel inspection policy rule applies.
    1. Select the
      Destination
      tab.
    2. Add
      a
      Destination Zone
      from the list of zones (default is
      Any
      ).
    3. (
      Optional
      )
      Add
      a
      Destination Address
      . You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (default is
      Any
      ).
      You can also configure a new address or address group.
    4. (
      Optional
      ) Select
      Negate
      to choose any addresses except those you specify.
  5. Specify the tunnel protocols that the firewall will inspect for this rule.
    1. Select the
      Inspection
      tab.
    2. Add
      one or more tunnel
      Protocols
      that you want the firewall to inspect:
      • GRE
        —Firewall inspects packets that use Generic Route Encapsulation (GRE) in the tunnel.
      • GTP-U
        —Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel.
      • Non-encrypted IPSec
        —Firewall inspects packets that use non-encrypted IPSec (Null EncryVpted IPSec or transport mode AH IPSec) in the tunnel.
      • VXLAN
        —Firewall inspects packets that use the Virtual Extensible Local Area Network (VXLAN) tunneling protocol in the tunnel.
  6. Specify how many levels of encapsulation the firewall inspects and the conditions under which the firewall drops a packet.
    1. Select
      Inspect Options
      .
    2. Select the
      Maximum Tunnel Inspection Levels
      that the firewall will inspect:
      • One Level
        (default)—Firewall inspects content that is in the outer tunnel only.
        For VXLAN, the firewall inspects a VXLAN payload to find the encapsulated content or applications within the tunnel. You must select
        One Level
        because VXLAN inspection only occurs on the outer tunnel.
      • Two Levels (Tunnel In Tunnel)
        —Firewall inspects content that is in the outer tunnel and content that is in the inner tunnel.
    3. Select any, all, or none of the following to specify whether the firewall drops a packet under each condition:
      • Drop packet if over maximum tunnel inspection level
        —Firewall drops a packet that contains more levels of encapsulation than are configured for
        Maximum Tunnel Inspection Levels
        .
      • Drop packet if tunnel protocol fails strict header check
        —Firewall drops a packet that contains a tunnel protocol that uses a header that is non-compliant with the RFC for the protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
        If your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890, you should not enable the option to
        Drop packet if tunnel protocol fails strict header check
        .
      • Drop packet if unknown protocol inside tunnel
        —Firewall drops a packet that contains a protocol inside the tunnel that the firewall can’t identify.
        For example, if this option is selected, the firewall drops encrypted IPSec packets that match the tunnel inspection policy rule because the firewall can’t read them. Thus, you can allow IPSec packets and the firewall will allow only null-encrypted IPSec and AH IPSec packets.
      • Return scanned VXLAN tunnel to source
        —When traffic is redirected (steered) to the firewall, VXLAN encapsulates the packet. Traffic steering is most common in public cloud environments. Enable
        Return scanned VXLAN tunnel to source
        to return the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP). This option is only supported on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN.
    4. Click
      OK
      .
  7. Manage tunnel inspection policy rules.
    Use the following to manage tunnel inspection policy rules:
    • (Filter field)—Displays only the tunnel policy rules named in the filter field.
    • Delete
      —Removes selected tunnel policy rules.
    • Clone
      —An alternative to the
      Add
      button; duplicates the selected rule with a new name, which you can then revise.
    • Enable
      —Enables the selected tunnel policy rules.
    • Disable
      —Disables the selected tunnel policy rules.
    • Move
      —Moves the selected tunnel policy rules up or down in the list; packets are evaluated against the rules in order from the top down.
    • Highlight Unused Rules
      —Highlights tunnel policy rules that no packets have matched since the last time the firewall was restarted.
  8. (
    Optional
    ) Create a tunnel source zone and tunnel destination zone for tunnel content and configure a Security policy rule for each zone.
    The best practice is to create tunnel zones for your tunnel traffic. Thus, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol).
    Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall to do tunnel inspection in software; tunnel inspection is not offloaded to hardware.
    1. If you want tunnel content to be subject to Security policy rules that are different from the Security policy rules for the zone of the outer tunnel (configured earlier), select
      Network
      Zones
      and
      Add
      a
      Name
      for the Tunnel Source Zone.
    2. For
      Location
      , select the virtual system.
    3. For
      Type
      , select
      Tunnel
      .
    4. Click
      OK
      .
    5. Repeat these substeps to create the Tunnel Destination Zone.
    6. Configure a Security policy rule for the Tunnel Source Zone.
      Because you might not know the originator of the tunnel traffic or the direction of the traffic flow and you don’t want to inadvertently prohibit traffic for an application through the tunnel, specify both tunnel zones as the
      Source Zone
      and both tunnel zones as the
      Destination Zone
      in your Security policy rule, or select
      Any
      for both the source and destination zones; then specify the
      Applications
      .
    7. Configure a Security policy rule for the Tunnel Destination Zone. The tip in the previous step for configuring a Security policy rule for the Tunnel Source Zone applies to the Tunnel Destination Zone, as well.
  9. (
    Optional
    ) Specify the Tunnel Source Zone and Tunnel Destination Zone for the inner content.
    1. Specify the Tunnel Source Zone and Tunnel Destination Zone (that you just added) for the inner content. Select
      Policies
      Tunnel Inspection
      and on the
      General
      tab, select the
      Name
      of the tunnel inspection policy rule you created.
    2. Select
      Inspection
      .
    3. Select
      Security Options
      .
    4. Enable Security Options
      (disabled by default) to cause the inner content source to belong to the
      Tunnel Source Zone
      you specify and to cause the inner content destination to belong to the
      Tunnel Destination Zone
      you specify.
      If you don’t
      Enable Security Options
      , the inner content source belongs to the same source zone as the outer tunnel source and the inner content destination belongs to the same destination zone as the outer tunnel destination, which means they are subject to the same Security policy rules that apply to those outer zones.
    5. For
      Tunnel Source Zone
      , select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel source zone. Otherwise, by default, the inner content will use the same source zone that is used in the outer tunnel and the policies of the outer tunnel source zone apply to the inner content source zone, as well.
    6. For
      Tunnel Destination Zone
      , select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel destination zone. Otherwise, by default, the inner content will use the same destination zone that is used in the outer tunnel and the policies of the outer tunnel destination zone apply to the inner content destination zone, as well.
      If you configure a
      Tunnel Source Zone
      and
      Tunnel Destination Zone
      for the tunnel inspection policy rule, you should configure a specific
      Source Zone
      (in Step 3) and a specific
      Destination Zone
      (in Step 4) in the match criteria of the tunnel inspection policy rule, instead of specifying a
      Source Zone
      of
      Any
      and a
      Destination Zone
      of
      Any
      . This tip ensures the direction of zone reassignment corresponds appropriately to the parent zones.
      On a PA-5200 Series or PA-7080 firewall, if you use multicast underlay while inspecting VXLAN, the inner session would be duplicated on multiple dataplanes and a race condition could happen. To avoid the drop of some packets, the following requirements apply:
      • You must configure a separate tunnel content inspection rule to match outer VXLAN packets going to each VXLAN tunnel endpoint (VTEP).
      • In the separate rule, you assign a tunnel zone. Using a different tunnel zone would make the inner session different for each endpoint. The race condition would not happen, and no packet drop would be seen.
    7. Click
      OK
      .
  10. Set monitoring options for traffic that matches a tunnel inspection policy rule.
    1. Select
      Policies
      Tunnel Inspection
      and select the tunnel inspection policy rule you created.
    2. Select
      Inspection
      Monitor Options
      .
    3. Enter a
      Monitor Name
      to group similar traffic together for purposes of logging and reporting.
    4. Enter a
      Monitor Tag (number)
      to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
      This field does not apply to the VXLAN protocol. VXLAN logs automatically use the VNI ID from the VXLAN header.
      If you tag tunnel traffic, you can later filter on the Monitor Tag in the tunnel inspection log and use the ACC to view tunnel activity based on Monitor Tag.
    5. Override Security Rule Log Setting
      to enable logging and log forwarding options for sessions that meet the selected tunnel inspection policy rule. If you don’t select this setting, tunnel log generation and log forwarding are determined by the log settings for the Security policy rule that applies to the tunnel traffic. You can override log forwarding settings in Security policy rules that control traffic logs by configuring tunnel inspection log settings to store tunnel logs separately from traffic logs. The tunnel inspection logs store the outer tunnel (GRE, non-encrypted IPSec, VXLAN, or GTP-U) sessions and the traffic logs store the inner traffic flows.
    6. Select
      Log at Session Start
      to log traffic at the start of a session.
      The best practice for Tunnel logs is to log both at session start and session end because tunnels can stay up for long periods of time. For example, GRE tunnels can come up when the router boots and never terminate until the router is rebooted. If you don’t log at session start, you will never see in the ACC that there is an active GRE tunnel.
    7. Select
      Log at Session End
      to log traffic at the end of a session.
    8. Select a
      Log Forwarding
      profile that determines where the firewall forwards tunnel logs for sessions that meet the tunnel inspection rule. Alternatively, you can create a new Log Forwarding profile if you Configure Log Forwarding.
    9. Click
      OK
      .
  11. (
    Optional, VXLAN Only
    )
    Configure a VXLAN ID (VNI)
    . By default, all VXLAN network interfaces (VNIs) are inspected. If you configure one or more VXLAN IDs, the policy inspects only those VNIs.
    Only the VXLAN protocol uses the Tunnel ID tab to specify the VNI.
    1. Select the
      Tunnel ID
      tab and click
      Add
      .
    2. Assign a
      Name
      . The name is a convenience, and is not a factor in logging, monitoring, or reporting.
    3. In the
      VXLAN ID (VNI)
      field, enter a single VNI, a comma-separated list of VNIs, a range of VNIs (with a hyphen as the separator), or a combination of these. For example, you can specify:
      1677002,1677003,1677011-1677038,1024
  12. (
    Optional
    ) If you enabled
    Rematch Sessions
    (
    Device
    Setup
    Session
    ), ensure the firewall doesn’t drop existing sessions when you create or revise a tunnel inspection policy by disabling
    Reject Non-SYN TCP
    for the zones that control your tunnel Security policy rules.
    The firewall displays the following warning when you:
    • Create a tunnel inspection policy rule.
    • Edit a tunnel inspection policy rule by adding a
      Protocol
      or by increasing the
      Maximum Tunnel Inspection Levels
      from
      One Level
      to
      Two Levels
      .
    • Enable Security Options
      in the
      Security Options
      tab by either adding new zones or changing one zone to another zone.
    Warning: Enabling tunnel inspection policies on existing tunnel sessions will cause existing TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure existing sessions are not dropped when the tunnel inspection policy is enabled, set the
    Reject Non-SYN TCP
    setting for the zone(s) to
    no
    using a Zone Protection profile and apply it to the zones that control the tunnel’s security policies. Once the existing sessions have been recognized by the firewall, you can re-enable the
    Reject Non-SYN TCP
    setting by setting it to
    yes
    or
    global
    .
    1. Select
      Network
      Network Profiles
      Zone Protection
      and
      Add
      a profile.
    2. Enter a
      Name
      for the profile.
    3. Select
      Packet Based Attack Protection
      TCP Drop
      .
    4. For
      Reject Non-SYN TCP
      , select
      no
      .
    5. Click
      OK
      .
    6. Select
      Network
      Zones
      and select the zone that controls your tunnel Security policy rules.
    7. For
      Zone Protection Profile
      , select the Zone Protection profile you just created.
    8. Click
      OK
      .
    9. Repeat the previous three substeps (12.f, 12.g, and 12.h) to apply the Zone Protection profile to additional zones that control your tunnel Security policy rules.
    10. After the firewall has recognized the existing sessions, you can re-enable
      Reject Non-SYN TCP
      by setting it to
      yes
      or
      global
      .
  13. (
    Optional
    ) Limit fragmentation of traffic in a tunnel.
    1. Select
      Network
      Network Profiles
      Zone Protection
      and
      Add
      a profile by
      Name
      .
    2. Enter a
      Description
      .
    3. Select
      Packet Based Attack Protection
      IP Drop
      Fragmented traffic
      .
    4. Click
      OK
      .
    5. Select
      Network
      Zones
      and select the tunnel zone where you want to limit fragmentation.
    6. For
      Zone Protection Profile
      , select the profile you just created to apply the Zone Protection profile to the tunnel zone.
    7. Click
      OK
      .
  14. Commit
    your changes.

Related Documentation