Tunnel Inspection

This section allows the administrator to configure the inspection of data transmitted using the following tunneling protocols:

  • GRE (Generic Routing Encapsulation): a network packet tunneling protocol developed by Cisco Systems. Its main purpose is encapsulating network-layer packets inside IP packets.

  • GTP-U (General Packet Radio Service (GPRS) Tunneling Protocol for User Data): a protocol used to transfer user data in the GPRS core network and between the radio access network and core network.

  • Non-encrypted IPSec (IPsec Null Encryption): a tunneling protocol for transmitting unencrypted data over an IPsec tunnel.

After enabling this feature, all tunnels that match the inspection rules will be decapsulated. Traffic passing inside these tunnels will be processed using firewall rules and security policies. After filtering, the traffic will be encapsulated back into the tunnel and forwarded to the original destination address.

By default, NGFW has a special zone for tunnel inspection, the Tunnel inspection zone. All source and destination addresses of packets encapsulated into a tunnel will belong to this zone.

Note All source and destination addresses of packets encapsulated into a tunnel can belong to one zone only.

You can enable inspection and assign another zone for the inspected tunnels in the UserGate ➜ General settings section, Tunnel inspection zone module.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

To create a tunnel inspection rule, in the Security policies ➜ Tunnel inspection section, click Add, and provide the desired settings. All tunnels that match the conditions will be inspected.

Enabled

Enable or disable the tunnel inspection rule.

Name

The name of the inspection rule.

Description

A description of the inspection rule.

Action

The rule's action:

  • Inspect: decapsulate the tunnel and process the inner traffic with firewall rules and security policies.

  • Bypass: forward the tunnel unchanged, without inspecting its contents.

Tunnel Inspection

Select the tunnel type to inspect:

  • GRE.

  • GTP-U.

  • Non-encrypted IPSec.

Place to

The place in the rule list where this rule will be inserted: at the top, at the bottom, or above the selected existing rule.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Destination

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Note The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).
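The following Python script is an added worked example, not UserGate's own code, that illustrates what this section describes: it decapsulates GRE, GTP-U and NULL-encryption ESP packets to expose the inner IP packet that the firewall rules and security policies then see, and it applies a tunnel inspection rule list top to bottom with first match wins, including a negated Source condition. Every packet, address, rule name and the `negate_src`/`negate_dst` keys are constructed for the demonstration and do not correspond to any NGFW API.

```python
"""Added example, not UserGate's code: decapsulate GRE, GTP-U and NULL-encryption
ESP tunnels, then apply a first-match tunnel inspection rule list.
All packets, addresses and rules below are constructed for the demonstration."""
import ipaddress
import struct

GRE_PROTO, ESP_PROTO, UDP_PROTO, GTPU_PORT = 47, 50, 17, 2152


def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header, no options, checksum left zero (constructed sample data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(data):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": data[ihl:total_len]}


def gre_encap(outer_src, outer_dst, inner, key=None):
    flags = 0x2000 if key is not None else 0           # K bit: a 4-byte key field follows the header
    gre = struct.pack("!HH", flags, 0x0800)            # GRE version 0, protocol type IPv4
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gtpu_encap(outer_src, outer_dst, teid, inner):
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid)   # GTPv1, PT=1, G-PDU, no optional fields
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp) + len(inner), 0)
    payload = udp + gtp + inner
    return ipv4_header(outer_src, outer_dst, UDP_PROTO, len(payload)) + payload


def esp_null_encap(outer_src, outer_dst, spi, inner):
    # ESP with NULL encryption and no ICV: SPI, sequence, payload, padding, pad length, next header.
    pad_len = (4 - (len(inner) + 2) % 4) % 4
    body = struct.pack("!II", spi, 1) + inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(body)) + body


def decapsulate(packet):
    """Return (tunnel_type, outer, inner) or None if the packet is not a supported tunnel."""
    outer = parse_ipv4(packet)
    p = outer["payload"]
    if outer["proto"] == GRE_PROTO and len(p) >= 4:
        flags, proto_type = struct.unpack("!HH", p[:4])
        if flags & 0x0007 or proto_type != 0x0800:      # only GRE version 0 carrying IPv4
            return None
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        return "GRE", outer, parse_ipv4(p[off:])
    if outer["proto"] == ESP_PROTO and len(p) >= 10:
        pad_len, next_hdr = p[-2], p[-1]                 # readable only because encryption is NULL
        if next_hdr != 4:
            return None
        return "IPsec-NULL", outer, parse_ipv4(p[8:len(p) - 2 - pad_len])
    if outer["proto"] == UDP_PROTO and len(p) >= 16:
        _, dport, _, _ = struct.unpack("!HHHH", p[:8])
        flags, msg_type, length, _teid = struct.unpack("!BBHI", p[8:16])
        if dport != GTPU_PORT or flags >> 5 != 1 or msg_type != 0xFF:   # GTPv1 G-PDU only
            return None
        hdr = 16 + (4 if flags & 0x07 else 0)           # E/S/PN bits add one 4-byte optional block
        return "GTP-U", outer, parse_ipv4(p[hdr:16 + length])
    return None


def _matches(addr, nets, negate):
    # Empty list means "any"; Negate turns the condition into its Boolean NOT.
    return True if not nets else (any(ipaddress.ip_address(addr) in n for n in nets) != negate)


def match_tunnel_rule(rules, tunnel_type, outer):
    """First match wins, top to bottom, so specific rules must sit above general ones."""
    for rule in rules:
        if not rule["enabled"] or (rule["tunnels"] and tunnel_type not in rule["tunnels"]):
            continue
        if _matches(outer["src"], rule["src"], rule.get("negate_src", False)) and \
           _matches(outer["dst"], rule["dst"], rule.get("negate_dst", False)):
            return rule
    return None


def process(packet, rules=None):
    """(rule name, action, inner src, inner dst) for a tunnelled packet; None if not a tunnel."""
    hit = decapsulate(packet)
    if hit is None:
        return None
    tunnel_type, outer, inner = hit
    rule = match_tunnel_rule(RULES if rules is None else rules, tunnel_type, outer)
    if rule is None or rule["action"] != "Inspect":
        return (rule["name"] if rule else None, "Bypass", None, None)
    return (rule["name"], "Inspect", inner["src"], inner["dst"])   # inner packet goes to firewall rules


NET = ipaddress.ip_network
RULES = [   # constructed rule list: the specific Bypass rule sits above the general Inspect rule
    {"name": "Bypass-Monitoring-GRE", "enabled": True, "action": "Bypass", "tunnels": {"GRE"},
     "src": [NET("198.51.100.10/32")], "dst": []},
    {"name": "Inspect-Except-Lab", "enabled": True, "action": "Inspect", "tunnels": set(),
     "src": [NET("192.0.2.0/24")], "negate_src": True, "dst": []},
]
INNER = ipv4_header("10.0.0.5", "10.0.1.7", 6, 0)   # constructed inner IPv4 header (TCP, no payload)
SAMPLES = {
    "gre_monitor": gre_encap("198.51.100.10", "203.0.113.1", INNER, key=42),
    "gre_other": gre_encap("198.51.100.20", "203.0.113.1", INNER),
    "gtpu_lab": gtpu_encap("192.0.2.1", "192.0.2.2", 0x1234, INNER),
    "esp_null": esp_null_encap("198.51.100.30", "203.0.113.2", 0x100, INNER),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, process(pkt))
```

Running the script shows the GRE tunnel from 198.51.100.10 hitting the Bypass rule placed first, the other GRE and ESP-NULL tunnels being inspected with their inner 10.0.0.5 to 10.0.1.7 addresses exposed, and the GTP-U tunnel from the negated 192.0.2.0/24 source matching no rule. Reversing the list (`process(pkt, RULES[::-1])`) makes the general Inspect rule catch the monitoring tunnel first, which is the ordering problem the note above warns about.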