8.3. Tunnel Inspection

This section allows the administrator to configure the inspection of data transmitted using the following tunneling protocols:

  • GRE (Generic Routing Encapsulation): a network packet tunneling protocol developed by Cisco Systems. Its main purpose is encapsulating network-layer packets inside IP packets.

  • GTP-U (General Packet Radio Service (GPRS) Tunneling Protocol for User Data): a protocol used to transfer user data in the GPRS core network and between the radio access network and core network.

  • Non-encrypted IPSec (IPsec Null Encryption): a tunneling protocol for transmitting unencrypted data over an IPsec tunnel.

UserGate allows tunnel inspection. When this setting is enabled, every tunnel matching an inspection rule is decapsulated, and the traffic inside it is processed by the firewall, IDPS, and L7 rules. After filtering, the traffic is encapsulated into the tunnel again and sent to the original destination address.
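To make the decapsulation step concrete, the following added example (not UserGate code) parses an outer IPv4 packet, strips a GRE (RFC 2784/2890) or GTP-U (3GPP TS 29.281) header, and returns the inner IPv4 packet whose source and destination addresses would then be evaluated by the firewall rules. The packets, addresses, key and TEID are constructed for the example; IPsec null encryption is not covered here.

```python
"""Decapsulate GRE and GTP-U tunnels to expose the inner IPv4 packet.

Constructed example, not UserGate's implementation: the outer packet is
parsed, the tunnel header is stripped, and the inner packet is returned so
its addresses can be matched against firewall rules.
"""
import ipaddress
import struct

GRE_PROTO = 47          # IANA protocol number for GRE
UDP_PROTO = 17
GTPU_PORT = 2152        # GTP-U UDP port (3GPP TS 29.281)
ETHERTYPE_IPV4 = 0x0800
GTPU_GPDU = 0xFF        # G-PDU message type: carries a user (T-PDU) packet


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left zero for the example."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet, honouring IHL."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total_len])


def build_udp(sport, dport, payload):
    """UDP header with zero checksum (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def gre_encap(inner, key=None):
    """GRE header (RFC 2784, key extension RFC 2890) in front of an IPv4 packet."""
    flags = 0x2000 if key is not None else 0          # K bit
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def gre_decap(gre):
    """Strip a GRE header; returns (protocol_type, payload)."""
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("GRE version != 0 (e.g. PPTP) is not plain GRE")
    off = 4
    off += 4 if flags & 0x8000 else 0   # C: checksum + reserved1
    off += 4 if flags & 0x2000 else 0   # K: key
    off += 4 if flags & 0x1000 else 0   # S: sequence number
    return proto_type, gre[off:]


def gtpu_encap(inner, teid, seq=None):
    """GTPv1-U G-PDU header carrying an IPv4 T-PDU."""
    flags, opt = 0x30, b""               # version 1, PT=1
    if seq is not None:
        flags |= 0x02                    # S flag: seq, N-PDU number, next-ext-type
        opt = struct.pack("!HBB", seq, 0, 0)
    body = opt + inner
    return struct.pack("!BBHI", flags, GTPU_GPDU, len(body), teid) + body


def gtpu_decap(gtp):
    """Strip a GTP-U header; returns (teid, payload), payload b"" for signalling."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", gtp[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if msg_type != GTPU_GPDU:
        return teid, b""
    end, off = 8 + length, 8             # length counts bytes after the 8-byte header
    if flags & 0x07:                     # any of E, S, PN: optional 4 bytes present
        off += 4
        next_ext = gtp[off - 1]
        while next_ext != 0:             # walk extension headers (length in 4-byte units)
            ext_len = gtp[off] * 4
            next_ext = gtp[off + ext_len - 1]
            off += ext_len
    return teid, gtp[off:end]


def decapsulate(outer):
    """Inner IPv4 packet carried by a GRE or GTP-U outer packet, else None."""
    _, _, proto, payload = parse_ipv4(outer)
    if proto == GRE_PROTO:
        ptype, inner = gre_decap(payload)
        return inner if ptype == ETHERTYPE_IPV4 else None
    if proto == UDP_PROTO:
        _, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        if dport == GTPU_PORT:
            _, inner = gtpu_decap(payload[8:ulen])
            return inner or None
    return None


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.1", "10.2.2.2", 6, b"tcp-segment")      # constructed
    gre_pkt = build_ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO,
                         gre_encap(inner, key=0x1234))
    gtp_pkt = build_ipv4("192.0.2.1", "198.51.100.1", UDP_PROTO,
                         build_udp(GTPU_PORT, GTPU_PORT, gtpu_encap(inner, 0xABCD, seq=7)))
    for p in (gre_pkt, gtp_pkt):
        src, dst, proto, _ = parse_ipv4(decapsulate(p))
        print(f"inner {src} -> {dst} proto {proto}")
```

The inner addresses (10.1.1.1 and 10.2.2.2 in the constructed input) are the ones that land in the Tunnel inspection zone; the outer addresses belong to whatever zone the tunnel endpoints sit in.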

By default, UserGate has a special zone for tunnel inspection, the Tunnel inspection zone. All source and destination addresses of packets encapsulated into a tunnel will belong to this zone.

Note

All source and destination addresses of packets encapsulated into a tunnel can belong to one zone only.

You can enable inspection and assign another zone for the inspected tunnels in the UserGate --> General settings section, Tunnel inspection zone module.

Note

The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

To create a tunnel inspection rule, in the Security policies --> Tunnel inspection section, click Add, and provide the desired settings. All tunnels that match the conditions will be inspected.

The rule settings are described below (each setting name is followed by its description).

Enabled

Enable or disable the tunnel inspection rule.

Name

The name of the inspection rule.

Description

A description of the inspection rule.

Action

The rule's action:

  • Inspect.

  • Bypass.

Tunnel Inspection

Select the tunnel type to inspect:

  • GRE.

  • GTP-U.

  • Non-encrypted IPSec.

Place to

The place in the rule list where this rule will be inserted: at the top, at the bottom, or above the selected existing rule.

Source

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! Traffic is processed according to the following logic:

  • logical OR is applied when several IP lists and/or domain lists are specified (a match on any one list is sufficient);

  • logical AND is applied when GeoIP lists are specified together with IP and/or domain lists (the address must match both the GeoIP condition and the address lists).

Destination

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! Traffic is processed according to the following logic:

  • logical OR is applied when several IP lists and/or domain lists are specified (a match on any one list is sufficient);

  • logical AND is applied when GeoIP lists are specified together with IP and/or domain lists (the address must match both the GeoIP condition and the address lists).

Note

The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).
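The following added example (not UserGate code) models the rule semantics described in this section: top-to-bottom first-match evaluation, the OR/AND combination of IP, domain and GeoIP lists in the Source and Destination fields, the 15-entry GeoIP cap, and the Negate checkbox as a Boolean NOT. The rule set, addresses and country codes are constructed; domain lists are assumed to have already been resolved to networks, as the firewall does periodically.

```python
"""First-match evaluation of tunnel inspection rules.

Constructed example, not UserGate's implementation. Models the documented
semantics: OR across IP/domain lists, AND between GeoIP and address lists,
Negate as NOT, and the first matching rule (top to bottom) winning.
"""
import ipaddress
from dataclasses import dataclass, field

GEOIP_LIMIT = 15   # per-field cap stated in the documentation


@dataclass
class Endpoint:
    """Source or Destination conditions. Domain lists are assumed to be
    resolved to networks already (the firewall re-resolves them periodically)."""
    networks: list = field(default_factory=list)   # IP lists and resolved domain lists
    geoip: frozenset = frozenset()                 # country codes
    negate: bool = False

    def __post_init__(self):
        if len(self.geoip) > GEOIP_LIMIT:
            raise ValueError(f"at most {GEOIP_LIMIT} GeoIP entries allowed")
        self.networks = [ipaddress.ip_network(n) for n in self.networks]

    def matches(self, addr, country):
        addr = ipaddress.ip_address(addr)
        conds = []
        if self.networks:                      # OR across IP/domain lists
            conds.append(any(addr in n for n in self.networks))
        if self.geoip:                         # AND between GeoIP and address lists
            conds.append(country in self.geoip)
        hit = all(conds)                       # no conditions at all: matches anything
        return not hit if self.negate else hit


@dataclass
class Rule:
    name: str
    action: str                                # "Inspect" or "Bypass"
    tunnels: frozenset                         # subset of {"GRE", "GTP-U", "IPsec-null"}
    source: Endpoint = field(default_factory=Endpoint)
    destination: Endpoint = field(default_factory=Endpoint)
    enabled: bool = True


@dataclass
class Tunnel:
    kind: str
    src: str
    dst: str
    src_country: str = "??"
    dst_country: str = "??"


def evaluate(rules, t):
    """Top to bottom; the first rule whose conditions all match wins.
    Returns (rule name, action), or None when no rule matches (not inspected)."""
    for r in rules:
        if not r.enabled or t.kind not in r.tunnels:
            continue
        if r.source.matches(t.src, t.src_country) and \
                r.destination.matches(t.dst, t.dst_country):
            return r.name, r.action
    return None


# Constructed rule set: the specific Bypass sits above the general Inspect.
RULES = [
    Rule("bypass-monitoring-gre", "Bypass", frozenset({"GRE"}),
         source=Endpoint(networks=["192.0.2.10/32"])),
    Rule("inspect-gre-from-partners", "Inspect", frozenset({"GRE", "IPsec-null"}),
         source=Endpoint(networks=["192.0.2.0/24", "203.0.113.0/24"],
                         geoip=frozenset({"DE", "FR"})),
         destination=Endpoint(networks=["10.0.0.0/8"], negate=True)),
    Rule("inspect-all-gtpu", "Inspect", frozenset({"GTP-U"})),
]

if __name__ == "__main__":
    for t in (Tunnel("GRE", "192.0.2.10", "198.51.100.1", "DE"),
              Tunnel("GRE", "192.0.2.20", "198.51.100.1", "DE"),
              Tunnel("GRE", "192.0.2.20", "198.51.100.1", "US"),
              Tunnel("GRE", "192.0.2.20", "10.5.5.5", "DE"),
              Tunnel("GTP-U", "203.0.113.7", "198.51.100.9")):
        print(t.kind, t.src, "->", t.dst, evaluate(RULES, t))
    # Reversing the list shows why the specific rule must stay on top.
    print("reversed:", evaluate(RULES[::-1], Tunnel("GRE", "192.0.2.10", "198.51.100.1", "DE")))
```

With the list reversed, the monitoring host's GRE tunnel falls through to the general partner rule and is inspected instead of bypassed, which is exactly the ordering mistake the note above warns about.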