VXLAN Tunnel Content Inspection
Configure tunnel content inspection to scan traffic within a VXLAN tunnel.
Tunnel content inspection (TCI) supports VXLAN as an inspection protocol. Without terminating the VXLAN tunnel, the firewall can natively scan the individual flows carried inside it and control them with Security policy rules. You create a tunnel inspection rule that uses the VXLAN protocol and, optionally, specify the VXLAN IDs of the flows you want to inspect. In that rule, the Tunnel ID is the VXLAN Network Identifier (VNI) carried in the VXLAN header.
VXLAN TCI is supported for physical and virtual firewalls in VXLAN overlay networks, which can include containers and public or private clouds.
VXLAN is widely used to carry Layer 2 frames across a Layer 3 underlay, including traffic to and from the firewall. For example, you can use VXLAN as a transport overlay to tunnel between geographically dispersed data centers.
The following procedure highlights VXLAN elements for tunnel content inspection configuration.
- Create a Security policy rule to allow VXLAN traffic for a specific application to travel from the source zone to the tunnel destination zone.
- Create a tunnel inspection policy rule.
- Select Policies > Tunnel Inspection and Add a policy rule. On the General tab, enter the Name of the rule, and then enter the Source and Destination zones and IP addresses for the rule.
- Select Inspection and Add the VXLAN tunnel protocol, plus any other protocols that apply (GRE, GTP-U, or Non-encrypted IPSec). With the VXLAN protocol, the firewall inspects the VXLAN payload to find the encapsulated content or applications within the tunnel. Inspection occurs only on the outer tunnel (a single level of encapsulation); the firewall does not follow a second tunnel nested inside the VXLAN payload.
- Select Inspect Options:
- Set the Maximum Tunnel Inspection Levels to One Level (the default, and the only valid choice for VXLAN).
- Choose the conditions under which the firewall drops a packet and, if appropriate, choose to return the packet to the original source. When traffic is redirected to the firewall, it arrives VXLAN-encapsulated. Enable Return scanned VXLAN tunnel to source to send the scanned, still-encapsulated packet back to the originating VXLAN tunnel endpoint (VTEP). This option is supported only on Layer 3 interfaces, Layer 3 subinterfaces, aggregate interfaces (Layer 3), and VLAN interfaces.
- Specify a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined. The Monitor Tag field does not apply to the VXLAN protocol; VXLAN logs automatically use the VNI from the VXLAN header as the tunnel ID.
- (Optional) To inspect all VNIs, skip this step. To limit inspection to specific VNIs, select Tunnel ID, Add an entry, and assign VXLAN (VNI) values:
- Assign a Name. The name is a convenience and is not a factor in logging, monitoring, or reporting.
- In the VXLAN ID (VNI) column, enter a single VNI, a comma-separated list of VNIs, a range (using a hyphen as the separator; the VNI is a 24-bit field, so a range can span up to roughly 16 million values), or a combination of these. For example: 1-54,1024,1677011-1677038,94. The maximum number of VXLAN IDs per policy is 4,096. To preserve configuration memory, use ranges where possible.
- Manage tunnel inspection policy rules as described in Configure Tunnel Content Inspection (such as delete, clone, enable, etcetera).
- Commit your changes.
- View tunnel inspection logs. During VXLAN logging, the tunnel ID is the VXLAN ID (VNI) extracted from the VXLAN packet. Whether the traffic matches a tunnel inspection rule determines whether a Tunnel Inspection log or a Traffic log is produced. If the VXLAN traffic matches the tunnel inspection rule, the VNI session is logged in the Tunnel Inspection log and the inner sessions are logged in Traffic logs. In an inner session's Traffic log, the Tunnel Inspected flag indicates that the session was carried inside a VNI session, and the Parent Session is the session that was active when the inner session was created, so that ID might not match the current Session ID of the VNI session. If the VXLAN traffic does not match the tunnel inspection rule, the VNI sessions are logged only in Traffic logs.
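The VNI handling in the procedure above, as an added example that is not Palo Alto Networks code and not part of the original page: it parses a Tunnel ID specification written in the page's syntax (single VNI, comma-separated list, hyphen ranges, or a mix), decodes a single level of VXLAN encapsulation to extract the VNI and the inner flow, and reports which log the page says each session would land in. The frame is constructed inline (no capture), the IPv4 checksum is left at zero because nothing here validates it, and the 4,096-entry limit and Security policy matching are not modelled; function and field names are this example's own, not PAN-OS identifiers.

```python
"""Added example (not Palo Alto Networks code): decode a VXLAN frame, pull out the VNI that
the page uses as the Tunnel ID, and match it against a VXLAN ID (VNI) specification written
in the page's syntax (single VNI, comma-separated list, hyphen ranges, or a mix)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

VXLAN_FLAG_I = 0x08              # "I" flag in the VXLAN header: the VNI field is valid (RFC 7348)
VNI_MIN, VNI_MAX = 1, 0xFFFFFF   # 24-bit VNI space


def parse_vni_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn '1-54,1024,1677011-1677038,94' into inclusive (lo, hi) ranges."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not (VNI_MIN <= lo <= hi <= VNI_MAX):
            raise ValueError(f"invalid VNI entry: {item!r}")
        ranges.append((lo, hi))
    return ranges


def vni_matches(vni: int, ranges: List[Tuple[int, int]]) -> bool:
    """An empty list means the Tunnel ID step was skipped, i.e. inspect all VNIs."""
    return not ranges or any(lo <= vni <= hi for lo, hi in ranges)


@dataclass
class InnerFlow:
    vni: int
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def parse_vxlan_payload(udp_payload: bytes) -> InnerFlow:
    """Decode one level only: VXLAN header, inner Ethernet, inner IPv4, inner TCP/UDP ports.
    Anything deeper (a tunnel inside the tunnel) is deliberately not followed."""
    if len(udp_payload) < 8:
        raise ValueError("short VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = vni_field >> 8                      # upper 24 bits; the low byte is reserved
    eth = udp_payload[8:22]
    if len(eth) < 14 or struct.unpack("!H", eth[12:14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    ip = udp_payload[22:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("short or malformed inner IPv4 header")
    proto = ip[9]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return InnerFlow(vni, src_ip, dst_ip, proto, sport, dport)


def build_vxlan_payload(vni: int, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed sample input (not a capture): VXLAN header + inner Ethernet/IPv4/TCP,
    with the IPv4 checksum left at zero because nothing here validates it."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    eth = bytes.fromhex("020000000001" "020000000002" "0800")   # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HH", sport, dport) + bytes(16)            # 20-byte TCP header, ports only
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return vxlan + eth + ipv4 + tcp


def classify(udp_payload: bytes, vni_spec: str) -> dict:
    """Mirror the logging behaviour the page describes: on a rule match the VNI session is
    logged as Tunnel Inspection and the inner session as Traffic (Tunnel Inspected flag set);
    with no match only the VNI session appears, as a Traffic log."""
    flow = parse_vxlan_payload(udp_payload)
    matched = vni_matches(flow.vni, parse_vni_spec(vni_spec))
    return {
        "tunnel_id": flow.vni,                 # always the VNI; Monitor Tag is not used for VXLAN
        "vni_session_log": "Tunnel Inspection" if matched else "Traffic",
        "inner_session": flow if matched else None,
        "tunnel_inspected_flag": matched,
    }


if __name__ == "__main__":
    spec = "1-54,1024,1677011-1677038,94"   # the example specification from the page
    for vni in (1024, 95):
        print(classify(build_vxlan_payload(vni, "10.1.1.10", "10.2.2.20", 40000, 443), spec))
```

Running the block classifies VNI 1024 as a rule match (Tunnel Inspection log for the VNI session, Traffic log for the inner 10.1.1.10:40000 to 10.2.2.20:443 flow) and VNI 95 as a miss (VNI session in the Traffic log only). The parser stops after one level of encapsulation on purpose, which is the same constraint One Level imposes on the firewall.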