Policies > Tunnel Inspection
You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on firewalls that support GTP.
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- Virtual Extensible LAN (VXLAN)
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy that, when matching an incoming packet, determines which tunnel protocols in the packet the firewall will inspect and that specifies the conditions under which the firewall drops or continues to process the packet. You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.
What do you want to know?
What are the fields available to create a Tunnel Inspection policy?
How can I view tunnel inspection logs?
Looking for more?
Tunnel Content Inspection
Tunnel Content Inspection The firewall can inspect the traffic content of cleartext tunnel protocols without terminating the tunnel: Generic Routing Encapsulation (GRE) ( RFC 2784 ...
Tunnel Content Inspection Overview
Tunnel Content Inspection Overview Your firewall can inspect tunnel content anywhere on the network where you do not have the opportunity to terminate the tunnel ...
Building Blocks in a Tunnel Inspection Policy
Building Blocks in a Tunnel Inspection Policy Select Policies Tunnel Inspection to add a Tunnel Inspection policy rule. You can use the firewall to inspect ...
Configure Tunnel Content Inspection
Configure Tunnel Content Inspection Perform this task to configure tunnel content inspection for a tunnel protocol that you allow through a tunnel. Create a Security ...
VXLAN Tunnel Content Inspection
Configure tunnel content inspection to scan traffic within a VXLAN tunnel. ...
View Tunnel Information in Logs
View Tunnel Information in Logs You can view Tunnel Inspection logs themselves or view tunnel inspection information in other types of logs. GRE, Non-Encrypted IPSec, ...
Tunnel Inspection Log Fields
Tunnel Inspection Log Fields Format : FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination ...
Objects > Security Profiles > GTP Protection
Objects > Security Profiles > GTP Protection The GTP Protection profile enables the firewall to inspect GTP traffic. To view this profile, you must enable ...