View Tunnel Information in Logs
You can view Tunnel Inspection logs themselves or view tunnel inspection information in other types of logs.
GRE, Non-Encrypted IPSec, and GTP-U Protocols
- When there is a TCI traffic rule match, GRE, IPSec, and GTP-U protocols are logged in the Tunnel Inspection log with the Tunnel log type, the matched protocol, and the configured Monitor name and Monitor tag (number).
- When there is no TCI rule match, all protocols are logged under Traffic logs.
- When there is a TCI traffic rule match, VXLAN protocol is logged in the Tunnel Inspection log with the Tunnel (VXLAN) log type, the configured Monitor name, and the Tunnel ID (VNI).In the Traffic log for the inner session, the Tunnel Inspected flag indicates a VNI session. The Parent Session is the session that was active when the inner session was created so the ID might not match the current Session ID.
- When there is no TCI rule match, VNI sessions are logged in Traffic logs with the UDP protocol, source port 0, and destination port 4789 (the default).
- View Tunnel inspection logs.
- Select MonitorLogsTunnel Inspection and view the log data to identify the tunnel Applications used in your traffic and any concerns, such as high counts for packets failing Strict Checking of headers.
- Click the Detailed Log View ( ) to see details about a log.
- View other logs for tunnel inspection information.
- Select MonitorLogs.
- Select Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.
- For a log entry, click the Detailed Log View ( ).
- In the Flags window, see if the Tunnel
Inspected flag is checked. A Tunnel Inspected flag indicates
the firewall used a Tunnel Inspection policy rule to inspect the
inside content or inner tunnel. Parent Session information refers
to an outer tunnel (relative to an inner tunnel) or an inner tunnel
(relative to inside content).On the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering logs, only direct parent information appears in the Detailed Log View of the inner session log, no tunnel log information. If you configured two levels of tunnel inspection, you can select the parent session of this direct parent to view the second parent log. (You must monitor the Tunnel Inspection log as shown in the prior step to view tunnel log information.)
- If you are viewing the log for an inside session that is Tunnel Inspected, click the View Parent Session link in the General section to see the outside session information.
VXLAN Tunnel Content Inspection
Configure tunnel content inspection to scan traffic within a VXLAN tunnel. ...
Tunnel Content Inspection Overview
Tunnel Content Inspection Overview Your firewall can inspect tunnel content anywhere on the network where you do not have the opportunity to terminate the tunnel ...
Building Blocks in a Tunnel Inspection Policy
Building Blocks in a Tunnel Inspection Policy Select Policies Tunnel Inspection to add a Tunnel Inspection policy rule. You can use the firewall to inspect ...
Configure Tunnel Content Inspection
Configure Tunnel Content Inspection Perform this task to configure tunnel content inspection for a tunnel protocol that you allow through a tunnel. Create a Security ...
Tunnel Inspection Logs
Tunnel Inspection Logs Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries of non-encrypted tunnel sessions. To prevent double counting, the ...
Tunnel Content Inspection
Tunnel Content Inspection The firewall can inspect the traffic content of cleartext tunnel protocols without terminating the tunnel: Generic Routing Encapsulation (GRE) ( RFC 2784 ...
Tunnel Inspection Log Fields
Tunnel Inspection Log Fields Format : FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination ...
Policies > Tunnel Inspection
Policies > Tunnel Inspection You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols: Generic Routing Encapsulation (GRE) General ...