VXLAN Tunnel Content Inspection

Configure tunnel content inspection to scan traffic within a VXLAN tunnel.
Tunnel content inspection (TCI) supports the VXLAN inspection protocol. Without terminating the VXLAN tunnel, the firewall natively scans the individual flows inside the tunnel and controls them with Security policy rules. You create a tunnel inspection rule that uses the VXLAN protocol and, optionally, lists the VXLAN IDs of the flows you want to inspect. The Tunnel ID is the VXLAN Network Identifier (VNI), the 24-bit field in the VXLAN header that identifies the overlay segment a frame belongs to.
VXLAN TCI is supported on physical and virtual firewalls in VXLAN overlay networks, which can include containers and public or private clouds.
VXLAN is widely used to carry Layer 2 frames across a Layer 3 underlay, including traffic to and from the firewall. For example, you can use VXLAN as a transport overlay to tunnel between geographically dispersed data centers, as shown below.
[Figure tci_vxlan.png: VXLAN transport overlay tunneling between geographically dispersed data centers]
The following procedure highlights VXLAN elements for tunnel content inspection configuration.
  1. Create a Security policy rule to allow VXLAN traffic for the relevant application to travel from the source zone to the tunnel destination zone. Then create the tunnel inspection policy rule:
    1. Select Policies > Tunnel Inspection > General and Add a policy rule. Enter the Name of the rule, and then enter the Source and Destination zones and IP addresses for the rule.
    2. Select Inspection, click Add, and select the VXLAN tunnel protocol and any other protocols that apply (GRE, GTP-U, or Non-encrypted IPSec). With the VXLAN protocol, the firewall inspects the VXLAN payload to find the encapsulated content or applications within the tunnel. Inspection occurs only on the outer tunnel: the firewall unwraps a single level of VXLAN encapsulation and does not inspect any tunnel nested inside it.
      • Select Inspect Options:
        • Set the Maximum Tunnel Inspection Levels to One Level (the default setting, and the only valid choice for VXLAN).
        • Choose the condition under which the firewall drops a packet and, if appropriate, choose to return the packet to its original source. When a VTEP redirects traffic to the firewall, the packet arrives VXLAN-encapsulated; enable Return scanned VXLAN tunnel to source to send the scanned packet, still encapsulated, back to the originating VXLAN tunnel endpoint (VTEP). This option is supported only on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN interfaces.
      • For the other tunnel protocols, specify a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined. The Monitor Tag field does not apply to the VXLAN protocol; VXLAN logs automatically use the VNI from the VXLAN header instead.
    3. (Optional) To inspect all VNIs, skip this step. To limit inspection to specific VNIs, select Tunnel ID, Add an entry, assign it a name, and assign the VXLAN ID (VNI) values.
      1. Assign a Name. The name is a convenience only; it is not a factor in logging, monitoring, or reporting.
      2. In the VXLAN ID (VNI) column, enter a single VNI, a comma-separated list of VNIs, a range of VNIs (using a hyphen as the separator; a single range can span the whole 24-bit VNI space of roughly 16 million values), or a combination of these. For example: 1-54,1024,1677011-1677038,94
        The maximum number of VXLAN IDs per policy rule is 4,096. To conserve configuration memory, use ranges where possible.
        [Figure tci_vni.png: VXLAN ID (VNI) entries on the Tunnel ID tab of a tunnel inspection rule]
    4. Click OK.
  2. Manage tunnel inspection policy rules as described in Configure Tunnel Content Inspection (for example, delete, clone, or enable a rule).
  3. Commit your changes.
  4. View tunnel inspection logs.
    During VXLAN logging, the tunnel ID is the VXLAN ID (VNI) extracted from the VXLAN header. Whether the VXLAN traffic matches a tunnel inspection rule determines whether a Tunnel Inspection log or a Traffic log is produced.
    If the VXLAN traffic matches the tunnel inspection rule, the VNI session is logged in the Tunnel Inspection log and the inner sessions are logged in Traffic logs. In an inner session's Traffic log, the Tunnel Inspected flag indicates that the session was carried inside a VNI session, and the Parent Session ID identifies the VNI session that was active when the inner session was created (so it might not match the current Session ID of the tunnel). If the VXLAN traffic does not match the tunnel inspection rule, the VNI session is logged in Traffic logs only.
    [Figure tci_vxlan_logs_combined.png: Tunnel Inspection log and Traffic log entries for a VXLAN VNI session and its inner session]
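The VNI matching and logging behavior described in this procedure, as an added Python example (not code from the PAN-OS documentation or from Palo Alto Networks): it parses a rule's VXLAN ID (VNI) specification such as 1-54,1024,1677011-1677038,94, extracts the VNI from the 8-byte VXLAN header (RFC 7348) of a constructed VXLAN-encapsulated frame, and reports whether the VNI session would be tunnel-inspected and which logs would result. The VTEP and workload addresses, the frame builders, and the reading of the 4,096 limit as a count of comma-separated entries are assumptions made for the example.

```python
# Added example, not code from the PAN-OS documentation or from Palo Alto Networks.
import socket
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_I_FLAG = 0x08          # VXLAN header flag meaning "the VNI field is valid"
VNI_MAX = (1 << 24) - 1      # the VNI is a 24-bit field: 1..16,777,215
MAX_VNI_IDS_PER_RULE = 4096  # per-rule limit stated in the documentation

def parse_vni_spec(spec):
    """Parse a rule's VNI spec, e.g. '1-54,1024,1677011-1677038,94', into sorted, merged
    (lo, hi) ranges. Assumption: each comma-separated value or range is one of the 4,096 IDs."""
    entries = [tok.strip() for tok in spec.split(",") if tok.strip()]
    if len(entries) > MAX_VNI_IDS_PER_RULE:
        raise ValueError(f"{len(entries)} VNI entries exceed the limit of {MAX_VNI_IDS_PER_RULE}")
    ranges = []
    for tok in entries:
        lo, hi = (int(p) for p in tok.split("-", 1)) if "-" in tok else (int(tok), int(tok))
        if lo > hi or lo < 1 or hi > VNI_MAX:           # reject reversed or out-of-range VNIs
            raise ValueError(f"invalid VNI entry {tok!r}")
        ranges.append((lo, hi))
    ranges.sort()
    merged = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:          # overlapping or adjacent: merge
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def vni_matches(vni, ranges):
    return any(lo <= vni <= hi for lo, hi in ranges)

def ipv4_checksum(hdr):
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(proto, payload_len, src, dst):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                                proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def build_inner_frame(src_ip, dst_ip, sport, dport):
    """Constructed inner Ethernet/IPv4/TCP SYN standing in for a workload's flow."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    eth = bytes.fromhex("0a0000000002" "0a0000000001") + struct.pack("!H", 0x0800)
    return eth + ipv4_header(6, len(tcp), src_ip, dst_ip) + tcp

def build_vxlan_frame(vni, inner, vtep_src, vtep_dst):
    """Constructed outer frame: encapsulate `inner` the way a VTEP would (RFC 7348 header)."""
    vxlan = struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8)   # flags, 3 reserved, VNI (24) + reserved (8)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    ip = ipv4_header(17, len(udp) + len(vxlan) + len(inner), vtep_src, vtep_dst)
    return eth + ip + udp + vxlan + inner

def parse_vxlan_frame(frame):
    """Walk outer Ethernet/IPv4/UDP to the VXLAN header; return VTEPs, VNI and the inner frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 17:
        raise ValueError("this example handles an IPv4/UDP outer header only")
    udp_off = 14 + (frame[14] & 0x0F) * 4
    if struct.unpack_from("!H", frame, udp_off + 2)[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    flags, vni_rsvd = struct.unpack_from("!B3xI", frame, vx_off)
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag clear: the VNI field is not valid")
    return {"vtep_src": socket.inet_ntoa(frame[26:30]), "vtep_dst": socket.inet_ntoa(frame[30:34]),
            "vni": vni_rsvd >> 8, "inner": frame[vx_off + 8:]}

def inner_session(inner):
    """The inner IPv4 flow (src, dst, proto, sport, dport) the firewall logs as the inner session."""
    l4_off = 14 + (inner[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", inner, l4_off)
    return (socket.inet_ntoa(inner[26:30]), socket.inet_ntoa(inner[30:34]), inner[23], sport, dport)

def classify(frame, rule_ranges):
    """Apply the logging behavior from the procedure: a matched VNI session goes to the Tunnel
    Inspection log with its inner session in the Traffic log; an unmatched one to the Traffic log only."""
    outer = parse_vxlan_frame(frame)
    matched = vni_matches(outer["vni"], rule_ranges)
    result = {"tunnel_id": outer["vni"], "vtep": (outer["vtep_src"], outer["vtep_dst"]),
              "tunnel_inspected": matched,
              "logs": ["Tunnel Inspection", "Traffic"] if matched else ["Traffic"]}
    if matched:
        result["inner_session"] = inner_session(outer["inner"])
    return result

if __name__ == "__main__":
    rule = parse_vni_spec("1-54,1024,1677011-1677038,94")   # the VNI spec shown in the procedure
    inner = build_inner_frame("192.0.2.10", "198.51.100.20", 40000, 443)
    for vni in (1024, 5000):                                  # 1024 is in the rule, 5000 is not
        print(classify(build_vxlan_frame(vni, inner, "10.1.1.1", "10.2.2.2"), rule))
```

Running it prints one classification per VNI: 1024 is in the rule and yields a Tunnel Inspection log plus a Traffic log for the inner 192.0.2.10 to 198.51.100.20:443 session; 5000 is not and yields a Traffic log for the VNI session only. The I-flag check is the caveat worth keeping in mind: per RFC 7348 the VNI field is valid only when that flag is set, so a VXLAN header with the flag clear carries no VNI for a Tunnel ID entry to match.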
