This section allows the administrator to configure the inspection of data transmitted using the following tunneling protocols:
- GRE (Generic Routing Encapsulation): a network packet tunneling protocol developed by Cisco Systems. Its main purpose is encapsulating network-layer packets inside IP packets.
- GTP-U (General Packet Radio Service (GPRS) Tunneling Protocol for User Data): a protocol used to transfer user data in the GPRS core network and between the radio access network and the core network.
- Non-encrypted IPsec (IPsec Null Encryption): a tunneling protocol for transmitting unencrypted data over an IPsec tunnel.
UserGate supports tunnel inspection. When this setting is enabled, all tunnels matching the inspection rules are decapsulated, and the traffic inside them is processed by firewall, IDPS, and L7 rules. After filtering, the traffic is encapsulated into a tunnel again and sent to the original destination address.
By default, UserGate has a special zone for tunnel inspection, the Tunnel inspection zone. All source and destination addresses of packets encapsulated into a tunnel will belong to this zone.
Note
All source and destination addresses of packets encapsulated into a tunnel can belong to one zone only.
You can enable inspection and assign another zone for the inspected tunnels in the UserGate --> General settings section, Tunnel inspection zone module.
Note
The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.
To create a tunnel inspection rule, in the Security policies --> Tunnel inspection section, click Add, and provide the desired settings. All tunnels that match the conditions will be inspected.
| Name | Description |
|---|---|
| Enabled | Enable or disable the tunnel inspection rule. |
| Name | The name of the inspection rule. |
| Description | A description of the inspection rule. |
| Action | The rule's action: |
| Tunnel Inspection | Select the tunnel type to inspect: |
| Place to | The place in the rule list where this rule will be inserted: at the top, at the bottom, or above the selected existing rule. |
| Source | The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source. The URL list must contain only domain names. Every 5 minutes UserGate resolves the domain names into IP addresses and stores the result in its internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically refreshes the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing is performed with the following statements: |
| Destination | The zone, IP address lists, GeoIP address lists, or URL lists of the traffic destination. The URL list must contain only domain names. Every 5 minutes UserGate resolves the domain names into IP addresses and stores the result in its internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically refreshes the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing is performed with the following statements: |
Note
The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).
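The following is an added example, not UserGate code, that models how the rule list above is evaluated: top-to-bottom first match, disabled rules skipped, the Negate checkbox as Boolean NOT on a Source/Destination condition, and the 15-entry GeoIP limit enforced at rule creation. It assumes that an empty condition means "any", and all class, rule and zone names are hypothetical; the sample rules at the end are constructed to show why a specific rule must sit above a general one.

```python
# Added example, not UserGate code: a first-match evaluator for tunnel
# inspection rules as described above (top-to-bottom order, Enabled,
# Negate, the 15-entry GeoIP limit). All names here are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

MAX_GEOIP = 15  # limit on GeoIP entries per Source/Destination (from the page)
ALL_TUNNELS = {"GRE", "GTP-U", "IPsec-null"}

@dataclass
class Condition:
    """Source or Destination condition; empty sets mean 'any' (assumption)."""
    zones: set = field(default_factory=set)
    geoip: set = field(default_factory=set)  # country codes, e.g. {"DE"}
    negate: bool = False                      # Negate checkbox: Boolean NOT

    def __post_init__(self):
        if len(self.geoip) > MAX_GEOIP:
            raise ValueError(f"{len(self.geoip)} GeoIP entries, limit {MAX_GEOIP}")

    def matches(self, zone: str, country: str) -> bool:
        unrestricted = not self.zones and not self.geoip
        hit = unrestricted or zone in self.zones or country in self.geoip
        return (not hit) if self.negate else hit

@dataclass
class Rule:
    name: str
    tunnels: set            # subset of ALL_TUNNELS
    source: Condition
    destination: Condition
    enabled: bool = True

def first_match(rules: list, kind: str, src: tuple, dst: tuple) -> Optional[Rule]:
    """First enabled rule, top to bottom, whose conditions all hold; src/dst are (zone, country)."""
    for r in rules:
        if not r.enabled or kind not in r.tunnels:
            continue
        if r.source.matches(*src) and r.destination.matches(*dst):
            return r
    return None

def matched_name(rules: list, kind: str, src: tuple, dst: tuple) -> Optional[str]:
    r = first_match(rules, kind, src, dst)
    return r.name if r else None

# Constructed sample rules: a specific rule, a catch-all, and a negated GeoIP rule.
SPECIFIC = Rule("GRE-from-Trusted", {"GRE"}, Condition(zones={"Trusted"}), Condition())
CATCH_ALL = Rule("All-tunnels", ALL_TUNNELS, Condition(), Condition())
NOT_RU = Rule("Not-from-RU", ALL_TUNNELS, Condition(geoip={"RU"}, negate=True), Condition())
```

With `[SPECIFIC, CATCH_ALL]` a GRE tunnel from the Trusted zone hits the specific rule; with the order reversed the catch-all wins and the specific rule is never reached.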