A Generic Routing Encapsulation (GRE) tunnel
connects two endpoints (a firewall and another appliance) in a point-to-point,
logical link. The firewall can terminate GRE tunnels; you can route
or forward packets to a GRE tunnel. GRE tunnels are simple to use
and often the tunneling protocol of choice for point-to-point connectivity, especially
to services in the cloud or to partner networks.
Create a GRE tunnel when
you want to direct packets that are destined for an IP address to
take a certain point-to-point path, for example to a cloud-based
proxy or to a partner network. The packets travel through the GRE
tunnel (over a transit network such as the internet) to the cloud
service while on their way to the destination address. This enables
the cloud service to enforce its services or policies on the packets.
The following figure is an example of a GRE tunnel connecting
the firewall across the internet to a cloud service.
For better performance and to avoid a single point of failure,
split multiple connections to the firewall among multiple GRE tunnels
rather than using a single tunnel. Each GRE tunnel needs its own tunnel
interface.
When the firewall allows a packet to pass (based on a policy
match) and the packet egresses to a GRE tunnel interface, the firewall
adds GRE encapsulation; it doesn’t generate a session. The firewall
does not perform a Security policy rule lookup for the GRE-encapsulated
traffic, so you don’t need a Security policy rule for the GRE traffic that the firewall
encapsulates. However, when the firewall receives GRE traffic, it
generates a session and applies all policies to the GRE IP header
in addition to the encapsulated traffic. The firewall treats the
received GRE packet like any other packet. Therefore:
If the firewall receives the GRE packet on an interface
that has the same zone as the tunnel interface associated with the
GRE tunnel (for example, tunnel.1), the source zone is the same
as the destination zone. By default, traffic is allowed within a
zone (intrazone traffic), so the ingress GRE traffic is allowed
by default.
However, if you configured your own intrazone Security policy
rule to deny such traffic, you must explicitly allow GRE traffic.
Likewise, if the zone of the tunnel interface associated with
the GRE tunnel (for example, tunnel.1) is a different zone from
that of the ingress interface, you must configure a Security policy
rule to allow the GRE traffic.
Because the firewall encapsulates the tunneled packet in a GRE
packet, the 24 bytes of GRE encapsulation (a 20-byte outer IPv4
header plus the 4-byte GRE header) leave less room for TCP payload
within the maximum transmission unit (MTU), so the firewall advertises
a smaller Maximum Segment Size (MSS). If you don't change the IPv4 MSS
Adjustment Size for the interface, the firewall derives the MSS by
subtracting 64 bytes from the MTU by default (the default 40-byte
adjustment that accounts for the inner IP and TCP headers + 24 bytes
of GRE encapsulation). This means if the default MTU is 1,500 bytes,
the MSS will be 1,436 bytes (1,500 - 40 - 24 = 1,436). If you configure
an MSS Adjustment Size of 300 bytes, for example, the MSS will be only
1,176 bytes (1,500 - 300 - 24 = 1,176).
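The encapsulation described above, the outer header that policy is applied to when the firewall receives GRE traffic, and the MSS arithmetic, as an added example (this is not PAN-OS code and not from this page): a minimal GRE over IPv4 encoder and decoder in Python. It builds the 20-byte outer IPv4 header plus the 4-byte GRE base header (the 24 bytes of overhead the text quotes), parses a received GRE packet back into the outer header fields a Security policy lookup sees (IP protocol 47, outer source and destination) and the intact inner packet, handles the optional key and sequence fields of RFC 2890 so the inner offset stays correct, and computes the MSS for a given MTU and MSS Adjustment Size. The endpoint addresses, the sample TCP SYN and all function names are constructed for the illustration.

```python
"""GRE (RFC 2784) over IPv4: encapsulate, decapsulate with header checks,
and the MSS arithmetic. Added example, not PAN-OS code; addresses and the
sample packet are constructed for illustration."""
import socket
import struct

IPPROTO_GRE = 47
IPPROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800
IPV4_HEADER_LEN = 20                  # outer IPv4 header, no options
GRE_BASE_HEADER_LEN = 4               # flags/version + protocol type
GRE_OVERHEAD = IPV4_HEADER_LEN + GRE_BASE_HEADER_LEN   # 24 bytes per tunneled packet
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header as 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with DF set and a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Validate an IPv4 header and return the fields a policy lookup matches on."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HEADER_LEN or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "header_len": ihl, "total_len": total_len}


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str, key=None, seq=None) -> bytes:
    """Wrap an IPv4 packet: outer IPv4 (protocol 47) + GRE header (+ optional key/sequence)."""
    flags = (GRE_FLAG_K if key is not None else 0) | (GRE_FLAG_S if seq is not None else 0)
    gre_hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)           # version 0
    if key is not None:
        gre_hdr += struct.pack("!I", key)
    if seq is not None:
        gre_hdr += struct.pack("!I", seq)
    payload = gre_hdr + inner
    return build_ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(pkt: bytes) -> tuple:
    """Return (outer header fields, inner packet). Skips the optional
    checksum/key/sequence fields so the inner packet offset is right."""
    outer = parse_ipv4_header(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet (IP protocol %d)" % outer["proto"])
    off = outer["header_len"]
    if len(pkt) < off + GRE_BASE_HEADER_LEN:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", pkt[off:off + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    off += GRE_BASE_HEADER_LEN
    for flag in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S):             # each adds a 4-byte field
        if flags & flag:
            off += 4
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto_type)
    inner = pkt[off:outer["total_len"]]
    parse_ipv4_header(inner)          # the encapsulated packet must itself be valid IPv4
    return outer, inner


def gre_mss(mtu: int = 1500, mss_adjust: int = 40, overhead: int = GRE_OVERHEAD) -> int:
    """TCP MSS on the tunnel: MTU minus the IP/TCP adjustment minus the GRE overhead."""
    return mtu - mss_adjust - overhead


# Constructed sample: a 40-byte TCP SYN from 10.1.1.10 to 10.2.2.20, tunneled between
# hypothetical endpoints 203.0.113.1 (firewall) and 198.51.100.1 (cloud service).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0)
INNER_PACKET = build_ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, len(TCP_SYN)) + TCP_SYN
TUNNELED = gre_encapsulate(INNER_PACKET, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    outer, inner = gre_decapsulate(TUNNELED)
    print("overhead added:", len(TUNNELED) - len(INNER_PACKET), "bytes")
    print("outer header a policy lookup sees:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner packet restored intact:", inner == INNER_PACKET)
    print("MSS at MTU 1500:", gre_mss(), "| with a 300-byte adjustment:", gre_mss(mss_adjust=300))
```

The decoder deliberately validates the outer checksum, the GRE version and the protocol type before touching the inner packet; a tunnel endpoint that skips those checks will happily hand malformed or mis-addressed payloads to its forwarding path.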
The firewall does not support routing a GRE or IPSec tunnel to
a GRE tunnel, but you can route a GRE tunnel to an IPSec tunnel.
Additionally:
A GRE tunnel does not support QoS.
The firewall does not support a single interface acting as
both a GRE tunnel endpoint and a decryption broker.
GRE tunneling does not support NAT between GRE tunnel endpoints.
If you need to connect to another vendor's network, we
recommend you Set Up an IPSec Tunnel rather than a GRE tunnel.
GRE only encapsulates: it does not encrypt or authenticate the
tunneled traffic, so anything that crosses a transit network such as
the internet inside a plain GRE tunnel is exposed to eavesdropping
and spoofing. Use a GRE tunnel only if that is the only point-to-point
tunnel mechanism that the vendor supports. If the remote endpoint
requires traffic to be encapsulated within a GRE tunnel before IPSec
encrypts it (for example, some implementations require multicast
traffic to be GRE-encapsulated before IPSec encrypts it), you can
enable GRE over IPSec instead. If this is a requirement for your
environment and the GRE tunnel and IPSec tunnel share the same IP
address, Add GRE Encapsulation when you set up the IPSec tunnel.
If you aren’t planning to terminate a GRE
tunnel on the firewall, but you want the ability to inspect and
control traffic passing through the firewall inside a GRE tunnel,
don’t create a GRE tunnel. Instead, perform Tunnel Content Inspection of GRE
traffic. With tunnel content inspection, you are inspecting and enforcing
policy on GRE traffic passing through the firewall, not creating
a point-to-point, logical link for the purpose of directing traffic.