VXLAN Tunnel Content Inspection

Configure tunnel content inspection to scan traffic within a VXLAN tunnel.
Tunnel Content Inspection (TCI) now supports the VXLAN inspection protocol. Without terminating the VXLAN tunnel, you can natively scan individual flows within the tunnel, and control them using security policy rules. You can create a tunnel inspection rule using the VXLAN protocol and specify the VXLAN IDs for the flow(s) you want to inspect. The Tunnel ID is a VXLAN Network Identifier (VNI) within the VXLAN packet.
VXLAN TCI is supported for physical and virtual firewalls in VXLAN overlay networks, which can include public or private clouds, and containers.
VXLAN is widely used to encapsulate traffic going over Layer 3 to and from the firewall. For example, you can use VXLAN as a transport overlay to tunnel between geographically dispersed data centers, as shown below.
The following procedure highlights VXLAN elements for tunnel content inspection configuration.
  1. Create a Security policy rule to allow VXLAN traffic for a specific application to travel from the source zone to the tunnel destination zone.
  2. Create a tunnel inspection policy rule.
    1. Select General and Add a policy rule, entering the Name, and the Source and Destination zones and IP addresses.
    2. Select Inspection and Add, then select the VXLAN tunnel protocol and any other protocols that apply (GRE, GTP-U, or Non-encrypted IPSec). With the VXLAN protocol, the firewall inspects a VXLAN payload to find the encapsulated content or applications within the tunnel. Inspection only occurs on the outer tunnel.
      • Select Inspect Options.
        • Set the Maximum Tunnel Inspection Levels value to One Level (the default, and the only valid choice for VXLAN).
        • Choose the condition under which the firewall drops a packet, and if appropriate, choose to return it to the original source.
          Optional—When traffic is redirected to the firewall, VXLAN encapsulates the packet. Enable Return scanned VXLAN tunnel to source to return the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP). This option is only supported on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN.
      • Enter a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
        The Monitor Tag field does not apply to the VXLAN protocol. VXLAN logs automatically use the VNI from the VXLAN header.
    3. (Optional) To inspect all VNIs, skip this step. To limit the VNIs you inspect, you can assign VXLAN IDs. Select Tunnel ID and add a name and assign VXLAN (VNI) value(s).
      1. Assign a Name. The name is a convenience, and is not a factor in logging, monitoring, or reporting.
      2. In the VXLAN ID (VNI) column, enter a single VNI, a comma-separated list of VNIs, a range of up to 16 million VNIs (with a hyphen as the separator), or a combination of these. For example: 1-54,1024,1677011-1677038,94
        The maximum VXLAN IDs per policy is 4,096. To preserve configuration memory, use ranges where possible.
    4. Click OK.
  3. Manage tunnel inspection policy rules as described in Configure Tunnel Content Inspection (delete, clone, enable, etcetera).
  4. Commit your changes.
  5. View tunnel inspection logs. During VXLAN logging, the tunnel ID is the VXLAN ID (VNI) extracted from the VXLAN packet. The tunnel inspection rule match determines whether a Tunnel Inspection log or a Traffic log is produced.
    If the VXLAN traffic matches the tunnel inspection rule, the VNI session is logged in the Tunnel Inspection log, and inner sessions are logged in Traffic logs. In the inner session, the Tunnel Inspected flag indicates a VNI session traffic log. The Parent Session is the session that was active when the inner session was created, so the ID might not match the current Session ID. If the VXLAN traffic does not match the tunnel inspection rule, VNI sessions are logged in Traffic logs.
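The following Python is an added example, not code from the product or this guide: it validates the VXLAN ID (VNI) field syntax from step 2.3, reads the VNI from an RFC 7348 VXLAN header the way the log in step 5 describes, and reports which log the VNI session would land in. It assumes the 4,096 per-policy limit counts entries (which is why ranges save memory); the sample packet bytes are constructed.

```python
# Added example (not Palo Alto Networks code): validate the VXLAN ID (VNI)
# field syntax from step 2.3 and reproduce the VNI match from step 5.
VNI_MAX = 0xFFFFFF             # 24-bit VNI: 1 to 16,777,215
MAX_ENTRIES_PER_POLICY = 4096  # assumption: the 4,096 limit counts entries,
                               # which is why the guide recommends ranges

def parse_vni_spec(spec):
    """Parse "1-54,1024,1677011-1677038,94" style input into (low, high)
    tuples; single VNIs become (v, v). Raises ValueError on bad input."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        lo_s, _, hi_s = item.partition("-")
        if not lo_s.isdigit() or ("-" in item and not hi_s.isdigit()):
            raise ValueError(f"malformed VNI entry: {item!r}")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 1 <= lo <= hi <= VNI_MAX:
            raise ValueError(f"VNI entry out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    if len(ranges) > MAX_ENTRIES_PER_POLICY:
        raise ValueError(f"{len(ranges)} entries exceeds {MAX_ENTRIES_PER_POLICY}")
    return ranges

def vxlan_vni(payload):
    """Read the VNI from the 8-byte VXLAN header (RFC 7348):
    flags(1) reserved(3) VNI(3) reserved(1). The I flag (0x08) must be set."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & 0x08:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    return int.from_bytes(payload[4:7], "big")

def log_destination(payload, spec):
    """Step 5 logic: a VNI matching the rule's Tunnel ID list is logged in the
    Tunnel Inspection log; a non-matching VNI session goes to the Traffic log."""
    vni = vxlan_vni(payload)
    matched = any(lo <= vni <= hi for lo, hi in parse_vni_spec(spec))
    return vni, ("tunnel-inspection" if matched else "traffic")

# Constructed sample: VXLAN header with I flag set and VNI 1024, followed by
# 14 placeholder bytes standing in for the inner Ethernet frame.
SAMPLE_VNI_1024 = b"\x08\x00\x00\x00" + (1024).to_bytes(3, "big") + b"\x00" + b"\xaa" * 14

if __name__ == "__main__":
    print(log_destination(SAMPLE_VNI_1024, "1-54,1024,1677011-1677038,94"))
```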
