12.10.3. Configuring tunnel inspection rules

You configure tunnel inspection rules on the security-policy tunnel-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

Specify the following parameters:

Parameter	Description
OK PASS	Tunnel inspection rule action: OK: inspect. PASS: bypass.
enabled	Enable/disable a rule: enabled(yes) or enabled(true). enabled(no) or enabled(false).
name	Tunnel inspection rule name. Example: name("Tunnel inspection rule example").
desc	A description of the rule. Example: desc("Tunnel inspection rule example configured via CLI").
service	Tunnel type: service = gre: GRE tunnel inspection. service = gtpu: GTP-U tunnel inspection. service = ipsec_null: non-encrypted IPsec tunnel inspection
src.zone	Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about configuring zones using the CLI, see Zones.
src.ip	Add source IP address or domain lists. Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see Configuring IP addresses. Example for domains: src.ip = lib.url(). Specify the URL to which necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.
src.geoip	Source GeoIP. Specify a country code (for example, src.geoip = AE). Click here for the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.
dst.zone	Traffic destination zone, e.g. dst.zone = "Tunnel inspection zone". For more details about configuring zones using the CLI, see Zones.
dst.ip	Add lists of destination IP addresses or domains. To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see Configuring IP addresses. To specify a domain list: dst.ip = lib.url(). Specify the URL to which the necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.
dst.geoip	Destination GeoIP. Specify a country code (for example, dst.geoip = AE). Click here for the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.