Configuring Tunnel Inspection Rules

You configure tunnel inspection rules on the security-policy tunnel-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

To create a tunnel inspection rule, use the following command:

Admin@nodename# create security-policy tunnel-inspection <position> upl-rule

Tunnel inspection rule parameters:

OK / PASS
    Tunnel inspection rule action:
      • OK: inspect the tunnel
      • PASS: bypass inspection

enabled
    Enable or disable the rule:
      • enabled(yes) or enabled(true)
      • enabled(no) or enabled(false)

name
    Tunnel inspection rule name.
    Example: name("Tunnel inspection rule example").

desc
    A description of the rule.
    Example: desc("Tunnel inspection rule example configured via CLI").

service
    Tunnel type:
      • service = gre: GRE tunnel inspection.
      • service = gtpu: GTP-U tunnel inspection.
      • service = ipsec_null: non-encrypted IPsec tunnel inspection.

src.zone
    Traffic source zone. To specify a source zone such as Trusted: src.zone = Trusted.
    For more details about how to configure zones using the CLI, see the Zones section.

src.ip
    Source IP address lists or domain lists.
    To specify an IP address list: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see the Configuring IP addresses section.
    To specify a source domain list: src.ip = lib.url(). Provide, in parentheses, the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip
    Source GeoIP. Specify a country code, for example, src.geoip = AE. Country codes follow ISO 3166-1.
    Important! At most 15 GeoIPs can be specified in a rule.

dst.zone
    Traffic destination zone, for example, dst.zone = "Tunnel inspection zone".
    For more details about how to configure zones using the CLI, see the Zones section.

dst.ip
    Destination IP address lists or domain lists.
    To specify an IP address list: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see the Configuring IP addresses section.
    To specify a destination domain list: dst.ip = lib.url(). Provide, in parentheses, the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip
    Destination GeoIP. Specify a country code, for example, dst.geoip = AE. Country codes follow ISO 3166-1.
    Important! At most 15 GeoIPs can be specified in a rule.

To edit a tunnel inspection rule, use the following command:

Admin@nodename# set security-policy tunnel-inspection <position> upl-rule

To view all tunnel inspection rules that were created, use the following command:

Admin@nodename# show security-policy tunnel-inspection
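The following session is an added illustration, not taken from the original page: it combines the parameters listed above into two complete rules (inspect GRE tunnels from the Trusted zone, bypass GTP-U tunnels whose destinations are in a known IP address list) and then lists the result. The zone name Trusted, the zone "Tunnel inspection zone" and the IP address list "Mobile core peers" are placeholders that are assumed to already exist on the node.

```text
# Rule 1: inspect GRE tunnels arriving from the Trusted zone (placeholder names)
Admin@nodename# create security-policy tunnel-inspection 1 upl-rule OK service = gre src.zone = Trusted dst.zone = "Tunnel inspection zone" name("Inspect GRE from Trusted") desc("Tunnel inspection rule configured via CLI") enabled(yes)

# Rule 2: bypass inspection for GTP-U tunnels to the trusted mobile-core address list (placeholder list name)
Admin@nodename# create security-policy tunnel-inspection 2 upl-rule PASS service = gtpu dst.ip = lib.network("Mobile core peers") name("Bypass GTP-U to mobile core") enabled(yes)

# Confirm that both rules exist and that the inspect rule (1) is evaluated before the bypass rule (2)
Admin@nodename# show security-policy tunnel-inspection
```

Rule position matters: the inspecting rule is placed at position 1 so that a broader bypass rule added later cannot silently exempt the GRE traffic from inspection.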