VXLAN Tunnel Content Inspection
Configure tunnel content inspection to scan traffic within a VXLAN tunnel.
Tunnel Content Inspection (TCI) now supports the VXLAN inspection protocol. Without terminating the VXLAN tunnel, you can natively scan individual flows within the tunnel, and control them using security policy rules. You can create a tunnel inspection rule using the VXLAN protocol and specify the VXLAN IDs for the flow(s) you want to inspect. The Tunnel ID is a VXLAN Network Identifier (VNI) within the VXLAN packet.
VXLAN TCI is supported for physical and virtual firewalls in VXLAN overlay networks, which can include public or private clouds, and containers.
VXLAN is widely used to encapsulate traffic going over Layer 3 to and from the firewall. For example, you can use VXLAN as a transport overlay to tunnel between geographically dispersed data centers, as shown below.
The following procedure highlights VXLAN elements for tunnel content inspection configuration.
- Create a Security policy rule to allow VXLAN traffic for a specific application to travel from the source zone to the tunnel destination zone.
- Create a tunnel inspection policy rule.
- Select General and Add a policy rule, entering the Name, and the Source and Destination zones and IP addresses.
- Select Inspection and Add, then select the VXLAN tunnel protocol and any other protocols that apply (GRE, GTP-U, or Non-encrypted IPSec). With the VXLAN protocol, the firewall inspects a VXLAN payload to find the encapsulated content or applications within the tunnel. Inspection occurs only on the outer tunnel.
- Select Inspect Options.
- Set the Maximum Tunnel Inspection Levels value to One Level (the default, and the only valid choice for VXLAN).
- Choose the condition under which the firewall drops a packet and, if appropriate, choose to return it to the original source. (Optional) When traffic is redirected to the firewall, VXLAN encapsulates the packet. Enable Return scanned VXLAN tunnel to source to return the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP). This option is supported only on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN interfaces.
- Enter a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined. The Monitor Tag field does not apply to the VXLAN protocol; VXLAN logs automatically use the VNI from the VXLAN header.
- (Optional) To inspect all VNIs, skip this step. To limit the VNIs you inspect, assign VXLAN IDs: select Tunnel ID, add a name, and assign VXLAN (VNI) value(s).
- Assign a Name. The name is a convenience, and is not a factor in logging, monitoring, or reporting.
- In the VXLAN ID (VNI) column, enter a single VNI, a comma-separated list of VNIs, a range of up to 16 million VNIs (with a hyphen as the separator), or a combination of these. For example: 1-54,1024,1677011-1677038,94. The maximum number of VXLAN IDs per policy is 4,096. To preserve configuration memory, use ranges where possible.
- Click OK.
- Manage tunnel inspection policy rules as described in Configure Tunnel Content Inspection (delete, clone, enable, and so on).
- Commit your changes.
- View tunnel inspection logs. During VXLAN logging, the tunnel ID is the VXLAN ID (VNI) extracted from the VXLAN packet. The tunnel inspection rule match determines whether a Tunnel Inspection log or a Traffic log is produced. If the VXLAN traffic matches the tunnel inspection rule, the VNI session is logged in the Tunnel Inspection log, and inner sessions are logged in Traffic logs. In the inner session, the Tunnel Inspected flag indicates a VNI session traffic log. The Parent Session is the session that was active when the inner session was created, so its ID might not match the current Session ID. If the VXLAN traffic does not match the tunnel inspection rule, VNI sessions are logged in Traffic logs.
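The two pieces of the procedure that are easiest to get wrong are the VXLAN ID (VNI) entry syntax and the logging outcome of a rule match. The following Python example is added here for illustration and is not PAN-OS code or the vendor's implementation: it parses a Tunnel ID entry in the documented format (single VNIs, comma-separated lists, hyphenated ranges, or a mix), extracts the 24-bit VNI from a VXLAN header as defined in RFC 7348, and models where the page says the VNI session and inner sessions are logged. The sample headers are constructed inline; the function names, the `log_outcome` dictionary keys, and the assumption that a rule with no Tunnel ID inspects every VNI (as the "skip this step" note implies) are the example's own.

```python
"""Added example (not PAN-OS code): VNI entry parsing, VNI extraction from a
VXLAN header, and a model of the tunnel inspection logging outcome."""

VXLAN_UDP_PORT = 4789             # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_HEADER_LEN = 8              # 8-byte VXLAN header precedes the inner frame
VNI_FLAG = 0x08                   # "I" bit in the flags byte: VNI field is valid
VNI_MIN, VNI_MAX = 1, 16_777_215  # documented Tunnel ID range (24-bit VNI)


def parse_vni_spec(spec: str) -> list:
    """Turn a Tunnel ID entry such as '1-54,1024,1677011-1677038,94' into a list
    of (low, high) intervals. A single VNI becomes (n, n); a range uses a hyphen."""
    intervals = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty VNI entry in %r" % spec)
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(item)
        if not (VNI_MIN <= low <= high <= VNI_MAX):
            raise ValueError("VNI entry out of range: %r" % item)
        intervals.append((low, high))
    return intervals


def vni_matches(vni: int, intervals) -> bool:
    """Assumption: a rule with no Tunnel ID inspects every VNI; otherwise the
    VNI must fall inside one of the configured intervals."""
    if not intervals:
        return True
    return any(low <= vni <= high for low, high in intervals)


def build_vxlan_header(vni: int) -> bytes:
    """Construct a sample 8-byte VXLAN header carrying the given VNI."""
    if not (VNI_MIN <= vni <= VNI_MAX):
        raise ValueError("VNI out of range")
    # flags (I bit set), 3 reserved bytes, 3-byte VNI, 1 reserved byte
    return bytes([VNI_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def extract_vni(vxlan_payload: bytes) -> int:
    """Read the 24-bit VNI from bytes 4..6 of the VXLAN header; this is the
    value the page says the firewall uses as the Tunnel ID in VXLAN logs."""
    if len(vxlan_payload) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    if not vxlan_payload[0] & VNI_FLAG:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    return int.from_bytes(vxlan_payload[4:7], "big")


def log_outcome(vxlan_payload: bytes, intervals) -> dict:
    """Model the page's logging rule: on a rule match the VNI session goes to
    the Tunnel Inspection log and inner sessions to Traffic logs (flagged
    Tunnel Inspected); with no match the VNI session goes to Traffic logs."""
    vni = extract_vni(vxlan_payload)
    matched = vni_matches(vni, intervals)
    return {
        "tunnel_id": vni,
        "rule_matched": matched,
        "vni_session_log": "Tunnel Inspection" if matched else "Traffic",
        "inner_sessions_logged": matched,  # inner flows are only seen when inspected
    }


if __name__ == "__main__":
    rule = parse_vni_spec("1-54,1024,1677011-1677038,94")
    for sample_vni in (94, 1024, 55):
        print(sample_vni, log_outcome(build_vxlan_header(sample_vni), rule))
```

Running the block shows VNIs 94 and 1024 matching the rule and landing in the Tunnel Inspection log, while VNI 55 (outside every entry) is logged as an ordinary Traffic session. Entries outside 1 to 16,777,215 and headers without the I flag are rejected rather than silently treated as VNI 0.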