Rematching tunneled packets in Access rules

You can rematch encapsulated traffic against the Access rules.

If an engine inspects traffic that is tunneled using IP-in-IP tunneling or Generic Routing Encapsulation (GRE), the traffic can be checked against IPv4 or IPv6 Access rules several times. The number of checks depends on the number and type of layers in the tunnel.

For example, when an IPv4 datagram contains an IPv6 datagram, the IPv4 datagram is first matched against the IPv4 Access rules. If the tunneling Service in the matching Access rule specifies that the encapsulated IPv6 datagram should be matched again, the contents are then matched against the IPv6 Access rules.

To limit the number of encapsulating layers, the engine properties define the maximum rematch count. By default, the maximum rematch count is 1. If this count is exceeded, the packet is allowed or discarded according to the setting specified in the engine properties and a log or an alert is generated.
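To make the matching sequence concrete, here is an added simulation of the rematch logic (example code, not code from the product or its documentation): each tunnel layer is matched against the rule set for its IP version, a tunneling Service whose action is "rematch" descends one layer and increments the rematch count, and exceeding the maximum applies the engine's configured allow-or-discard fallback and records a log line. The Datagram and Rule classes, the implicit discard when no rule matches, and the sample datagrams are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Datagram:
    version: int                        # IP version of this layer: 4 or 6
    protocol: str                       # "tcp", "udp", "ipip", "gre", ...
    inner: Optional["Datagram"] = None  # encapsulated datagram, if any

@dataclass
class Rule:
    version: int      # 4 = IPv4 Access rules, 6 = IPv6 Access rules
    protocol: str
    action: str       # "allow", "discard", or "rematch" (tunneling Service)

def first_match(dg: Datagram, rules: List[Rule]) -> Optional[Rule]:
    """Top-down scan: first rule whose IP version and protocol match wins."""
    return next((r for r in rules if r.version == dg.version
                 and r.protocol == dg.protocol), None)

def inspect(dg: Datagram, rules: List[Rule], max_rematch: int = 1,
            on_exceed: str = "discard") -> Tuple[str, int, List[str]]:
    """Walk the tunnel layers; return (final action, rematches done, log lines)."""
    log: List[str] = []
    rematches = 0
    current = dg
    while True:
        layer = f"ipv{current.version}/{current.protocol}"
        rule = first_match(current, rules)
        if rule is None:                      # assumption: no match means discard
            log.append(f"{layer}: no rule, implicit discard")
            return "discard", rematches, log
        if rule.action != "rematch" or current.inner is None:
            # Terminal rule, or a rematch rule on a layer with nothing inside:
            # assumption: the latter is treated as a plain allow.
            action = rule.action if rule.action != "rematch" else "allow"
            log.append(f"{layer}: {action}")
            return action, rematches, log
        rematches += 1
        if rematches > max_rematch:           # engine-level maximum rematch count
            log.append(f"{layer}: rematch count {rematches} exceeds "
                       f"maximum {max_rematch}, fallback {on_exceed}")
            return on_exceed, rematches, log
        log.append(f"{layer}: rematch inner ipv{current.inner.version}")
        current = current.inner

RULES = [Rule(4, "ipip", "rematch"), Rule(6, "gre", "rematch"),
         Rule(6, "tcp", "allow"), Rule(6, "udp", "discard")]
# Constructed sample datagrams: one tunnel layer, and two nested layers.
ONE_LAYER = Datagram(4, "ipip", Datagram(6, "tcp"))
TWO_LAYERS = Datagram(4, "ipip", Datagram(6, "gre", Datagram(6, "udp")))
```

With the default maximum of 1, ONE_LAYER reaches the IPv6 TCP rule and is allowed, while TWO_LAYERS is cut off at the second rematch and falls back to the configured on_exceed action; raising the maximum to 2 lets it reach the IPv6 UDP rule instead.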