Configure Tunnel Content Inspection

1. Create a Security policy rule to allow packets that use a specific application (such as the GRE application) through the tunnel from the source zone to the destination zone.
   Create a Security policy rule

   The firewall can create tunnel inspection logs at the start of a session, at the end of a session, or both. When you specify Actions for the Security policy rule, select Log at Session Start for long-lived tunnel sessions, such as GRE sessions.
2. Create a tunnel inspection policy rule.
   1. Select PoliciesTunnel Inspection and Add a policy rule.
   2. On the General tab, enter a tunnel inspection policy rule Name, beginning with an alphanumeric character and containing zero or more alphanumeric, underscore, hyphen, period, and space characters.
   3. (Optional) Enter a Description.
   4. (Optional) For reporting and logging purposes, specify a Tag that identifies the packets that are subject to the Tunnel Inspection policy rule.
3. Specify the criteria that determine the source of packets to which the tunnel inspection policy rule applies.
   1. Select the Source tab.
   2. Add a Source Zone from the list of zones (default is Any).
   3. (Optional) Add a Source Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (Any).
   4. (Optional) Select Negate to choose any addresses except those you specify.
   5. (Optional) Add a Source User (default is any). Known-user is a user who has authenticated; an Unknown user has not authenticated.
4. Specify the criteria that determine the destination of packets to which the tunnel inspection policy rule applies.
   1. Select the Destination tab.
   2. Add a Destination Zone from the list of zones (default is Any).
   3. (Optional) Add a Destination Address. You can enter an IPv4 or IPv6 address, an address group, or a Geo Region address object (default is Any).
      You can also configure a new address or address group.
   4. (Optional) Select Negate to choose any addresses except those you specify.
5. Specify the tunnel protocols that the firewall will inspect for this rule.
   1. Select the Inspection tab.
   2. Add one or more tunnel Protocols that you want the firewall to inspect:
      • GRE—Firewall inspects packets that use Generic Route Encapsulation (GRE) in the tunnel.
      • GTP-U—Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel.
      • Non-encrypted IPSec—Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
      • VXLAN—Firewall inspects packets that use the Virtual Extensible Local Area Network (VXLAN) tunneling protocol in the tunnel.
6. Specify how many levels of encapsulation the firewall inspects and the conditions under which the firewall drops a packet.
   1. Select Inspect Options.
   2. Select the Maximum Tunnel Inspection Levels that the firewall will inspect:
      • One Level (default)—Firewall inspects content that is in the outer tunnel only.
        For VXLAN, the firewall inspects a VXLAN payload to find the encapsulated content or applications within the tunnel. You must select One Level because VXLAN inspection only occurs on the outer tunnel.
      • Two Levels (Tunnel In Tunnel)—Firewall inspects content that is in the outer tunnel and content that is in the inner tunnel.
   3. Select any, all, or none of the following to specify whether the firewall drops a packet under each condition:
      • Drop packet if over maximum tunnel inspection level—Firewall drops a packet that contains more levels of encapsulation than are configured for Maximum Tunnel Inspection Levels.
      • Drop packet if tunnel protocol fails strict header check—Firewall drops a packet that contains a tunnel protocol that uses a header that is non-compliant with the RFC for the protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
        If your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890, you should not enable the option to Drop packet if tunnel protocol fails strict header check.
      • Drop packet if unknown protocol inside tunnel—Firewall drops a packet that contains a protocol inside the tunnel that the firewall can’t identify.
        For example, if this option is selected, the firewall drops encrypted IPSec packets that match the tunnel inspection policy rule because the firewall can’t read them. Thus, you can allow IPSec packets and the firewall will allow only null-encrypted IPSec and AH IPSec packets.
      • Return scanned VXLAN tunnel to source—When traffic is redirected (steered) to the firewall, VXLAN encapsulates the packet. Traffic steering is most common in public cloud environments. Enable Return scanned VXLAN tunnel to source to return the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP). This option is only supported on Layer 3, Layer 3 subinterface, aggregate interface Layer 3, and VLAN.
   4. Click OK.
7. Manage tunnel inspection policy rules.
   Use the following to manage tunnel inspection policy rules:

   • (Filter field)—Displays only the tunnel policy rules named in the filter field.
   • Delete—Removes selected tunnel policy rules.
   • Clone—An alternative to the Add button; duplicates the selected rule with a new name, which you can then revise.
   • Enable—Enables the selected tunnel policy rules.
   • Disable—Disables the selected tunnel policy rules.
   • Move—Moves the selected tunnel policy rules up or down in the list; packets are evaluated against the rules in order from the top down.
   • Highlight Unused Rules—Highlights tunnel policy rules that no packets have matched since the last time the firewall was restarted.
8. (Optional) Create a tunnel source zone and tunnel destination zone for tunnel content and configure a Security policy rule for each zone.
   The best practice is to create tunnel zones for your tunnel traffic. Thus, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol).

   Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall to do tunnel inspection in software; tunnel inspection is not offloaded to hardware.
   1. If you want tunnel content to be subject to Security policy rules that are different from the Security policy rules for the zone of the outer tunnel (configured earlier), select NetworkZones and Add a Name for the Tunnel Source Zone.
   2. For Location, select the virtual system.
   3. For Type, select Tunnel.
   4. Click OK.
   5. Repeat these substeps to create the Tunnel Destination Zone.
   6. Configure a Security policy rule for the Tunnel Source Zone.
      Because you might not know the originator of the tunnel traffic or the direction of the traffic flow and you don’t want to inadvertently prohibit traffic for an application through the tunnel, specify both tunnel zones as the Source Zone and both tunnel zones as the Destination Zone in your Security policy rule, or select Any for both the source and destination zones; then specify the Applications.
   7. Configure a Security policy rule for the Tunnel Destination Zone. The tip in the previous step for configuring a Security policy rule for the Tunnel Source Zone applies to the Tunnel Destination Zone, as well.
9. (Optional) Specify the Tunnel Source Zone and Tunnel Destination Zone for the inner content.
   1. Specify the Tunnel Source Zone and Tunnel Destination Zone (that you just added) for the inner content. Select PoliciesTunnel Inspection and on the General tab, select the Name of the tunnel inspection policy rule you created.
   2. Select Inspection.
   3. Select Security Options.
   4. Enable Security Options (disabled by default) to cause the inner content source to belong to the Tunnel Source Zone you specify and to cause the inner content destination to belong to the Tunnel Destination Zone you specify.
      If you don’t Enable Security Options, the inner content source belongs to the same source zone as the outer tunnel source and the inner content destination belongs to the same destination zone as the outer tunnel destination, which means they are subject to the same Security policy rules that apply to those outer zones.
   5. For Tunnel Source Zone, select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel source zone. Otherwise, by default, the inner content will use the same source zone that is used in the outer tunnel and the policies of the outer tunnel source zone apply to the inner content source zone, as well.
   6. For Tunnel Destination Zone, select the appropriate tunnel zone you created in the previous step so that the policies associated with that zone apply to the tunnel destination zone. Otherwise, by default, the inner content will use the same destination zone that is used in the outer tunnel and the policies of the outer tunnel destination zone apply to the inner content destination zone, as well.
      If you configure a Tunnel Source Zone and Tunnel Destination Zone for the tunnel inspection policy rule, you should configure a specific Source Zone (in Step 3) and a specific Destination Zone (in Step 4) in the match criteria of the tunnel inspection policy rule, instead of specifying a Source Zone of Any and a Destination Zone of Any. This tip ensures the direction of zone reassignment corresponds appropriately to the parent zones.
      On a PA-5200 Series or PA-7080 firewall, if you use multicast underlay while inspecting VXLAN, the inner session would be duplicated on multiple dataplanes and a race condition could happen. To avoid the drop of some packets, the following requirements apply:

      • You must configure a separate tunnel content inspection rule to match outer VXLAN packets going to each VXLAN tunnel endpoint (VTEP).
      • In the separate rule, you assign a tunnel zone. Using a different tunnel zone would make the inner session different for each endpoint. The race condition would not happen, and no packet drop would be seen.
   7. Click OK.
10. Set monitoring options for traffic that matches a tunnel inspection policy rule.
    1. Select PoliciesTunnel Inspection and select the tunnel inspection policy rule you created.
    2. Select InspectionMonitor Options.
    3. Enter a Monitor Name to group similar traffic together for purposes of logging and reporting.
    4. Enter a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
       This field does not apply to the VXLAN protocol. VXLAN logs automatically use the VNI ID from the VXLAN header.

       If you tag tunnel traffic, you can later filter on the Monitor Tag in the tunnel inspection log and use the ACC to view tunnel activity based on Monitor Tag.
    5. Override Security Rule Log Setting to enable logging and log forwarding options for sessions that meet the selected tunnel inspection policy rule. If you don’t select this setting, tunnel log generation and log forwarding are determined by the log settings for the Security policy rule that applies to the tunnel traffic. You can override log forwarding settings in Security policy rules that control traffic logs by configuring tunnel inspection log settings to store tunnel logs separately from traffic logs. The tunnel inspection logs store the outer tunnel (GRE, non-encrypted IPSec, VXLAN, or GTP-U) sessions and the traffic logs store the inner traffic flows.
    6. Select Log at Session Start to log traffic at the start of a session.
       The best practice for Tunnel logs is to log both at session start and session end because tunnels can stay up for long periods of time. For example, GRE tunnels can come up when the router boots and never terminate until the router is rebooted. If you don’t log at session start, you will never see in the ACC that there is an active GRE tunnel.
    7. Select Log at Session End to log traffic at the end of a session.
    8. Select a Log Forwarding profile that determines where the firewall forwards tunnel logs for sessions that meet the tunnel inspection rule. Alternatively, you can create a new Log Forwarding profile if you Configure Log Forwarding.
    9. Click OK.
11. (Optional, VXLAN Only) Configure a VXLAN ID (VNI). By default, all VXLAN network interfaces (VNIs) are inspected. If you configure one or more VXLAN IDs, the policy inspects only those VNIs.
    Only the VXLAN protocol uses the Tunnel ID tab to specify the VNI.
    1. Select the Tunnel ID tab and click Add.
    2. Assign a Name. The name is a convenience, and is not a factor in logging, monitoring, or reporting.
    3. In the VXLAN ID (VNI) field, enter a single VNI, a comma-separated list of VNIs, a range of VNIs (with a hyphen as the separator), or a combination of these. For example, you can specify:
       1677002,1677003,1677011-1677038,1024
12. (Optional) If you enabled Rematch Sessions (DeviceSetupSession), ensure the firewall doesn’t drop existing sessions when you create or revise a tunnel inspection policy by disabling Reject Non-SYN TCP for the zones that control your tunnel Security policy rules.
    The firewall displays the following warning when you:

    • Create a tunnel inspection policy rule.
    • Edit a tunnel inspection policy rule by adding a Protocol or by increasing the Maximum Tunnel Inspection Levels from One Level to Two Levels.
    • Enable Security Options in the Security Options tab by either adding new zones or changing one zone to another zone.

    Warning: Enabling tunnel inspection policies on existing tunnel sessions will cause existing TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure existing sessions are not dropped when the tunnel inspection policy is enabled, set the Reject Non-SYN TCP setting for the zone(s) to no using a Zone Protection profile and apply it to the zones that control the tunnel’s security policies. Once the existing sessions have been recognized by the firewall, you can re-enable the Reject Non-SYN TCP setting by setting it to yes or global.
    1. Select NetworkNetwork ProfilesZone Protection and Add a profile.
    2. Enter a Name for the profile.
    3. Select Packet Based Attack ProtectionTCP Drop.
    4. For Reject Non-SYN TCP, select no.
    5. Click OK.
    6. Select NetworkZones and select the zone that controls your tunnel Security policy rules.
    7. For Zone Protection Profile, select the Zone Protection profile you just created.
    8. Click OK.
    9. Repeat the previous three substeps (12.f, 12.g, and 12.h) to apply the Zone Protection profile to additional zones that control your tunnel Security policy rules.
    10. After the firewall has recognized the existing sessions, you can re-enable Reject Non-SYN TCP by setting it to yes or global.
13. (Optional) Limit fragmentation of traffic in a tunnel.
    1. Select NetworkNetwork ProfilesZone Protection and Add a profile by Name.
    2. Enter a Description.
    3. Select Packet Based Attack ProtectionIP DropFragmented traffic.
    4. Click OK.
    5. Select NetworkZones and select the tunnel zone where you want to limit fragmentation.
    6. For Zone Protection Profile, select the profile you just created to apply the Zone Protection profile to the tunnel zone.
    7. Click OK.
14. Commit your changes.