VXLAN Tunnel Content Inspection

Tunnel content inspection (TCI) now supports the VXLAN inspection protocol. Without terminating the VXLAN tunnel, you can natively scan individual flows within the tunnel and control them using Security policy rules. You can create a tunnel inspection rule using the VXLAN protocol and specify the VXLAN IDs for the flows you want to inspect. The Tunnel ID is a VXLAN Network Identifier (VNI) within the VXLAN packet.

VXLAN TCI is supported for physical and virtual firewalls in VXLAN overlay networks, which can include containers and public or private clouds.

VXLAN is widely used to encapsulate Layer 3 traffic both to and from the firewall. For example, you can use VXLAN as a transport overlay to tunnel between geographically dispersed data centers as shown below.

The following procedure highlights VXLAN elements for tunnel content inspection configuration.

Create a Security policy rule to allow VXLAN traffic for a specific application to travel from the source zone to the tunnel destination zone.

Create a tunnel inspection policy rule.

Select
Policies
Tunnel Inspection
General
and
Add
a policy rule. Enter the
Name
of the rule, and then enter the
Source
and
Destination
zones and IP addresses for the rule.
Select
Inspection
Add
and select the VXLAN tunnel protocol and other protocols that apply (GRE, GTP-U, or Non-encrypted IPSec). With the VXLAN protocol, the firewall inspects a VXLAN payload to find the encapsulated content or applications within the tunnel. Inspection only occurs on the outer tunnel.
Select
Inspect Options
:
Set the
Maximum Tunnel Inspection Levels
to
One Level
(default setting, the only valid choice for VXLAN).
Choose the condition under which the firewall drops a packet and, if appropriate, choose to return the packet to the original source.
When traffic is redirected to the firewall, VXLAN encapsulates the packet. Enable
Return scanned VXLAN tunnel to source
to return the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP). This option is supported only on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN.
Specify a
Monitor Tag (number)
to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
The
Monitor Tag
field does not apply to the VXLAN protocol. VXLAN logs automatically use the VNI from the VXLAN header.
(
Optional
) To inspect all VNIs, skip this step. To limit the VNIs you inspect, you can assign VXLAN IDs. Select
Tunnel ID
, and add a name, and assign VXLAN (VNI) values.
Assign a

Name

. The

name

is a convenience, and is not a factor in logging, monitoring, or reporting.

In the

VXLAN ID (VNI)

column, enter a single VNI, a comma-separated list of VNIs, a range of up to 16 million VNIs (using a hyphen as the separator), or a combination of these. For example: 1-54,1024,1677011-1677038,94

The maximum VXLAN IDs per policy is 4,096. To preserve configuration memory, use ranges where possible.


Click
OK
.

Manage tunnel inspection policy rules as described in Configure Tunnel Content Inspection (such as delete, clone, enable, etcetera).

Commit

your changes.

View tunnel inspection logs.

During VXLAN logging, the tunnel ID is the VXLAN ID (VNI) extracted from the VXLAN packet. The tunnel inspection rule match determines whether a Tunnel Inspection log or a Traffic log is produced.

If the VXLAN traffic matches the tunnel inspection rule, the VNI session is logged in the Tunnel Inspection log and the inner sessions are logged in Traffic logs. In the inner session, the Tunnel Inspected flag indicates a VNI session traffic log. The Parent Session is the session that was active when the inner session was created so the ID might not match the current Session ID. If the VXLAN traffic does not match the tunnel inspection rule, VNI sessions are logged in Traffic logs.