Configure inspection of tunneled traffic

You can define in the Advanced Settings how the IPS engine or Layer 2 Firewall inspects tunneled traffic.

If traffic is tunneled using IP-in-IP or Generic Routing Encapsulation (GRE), the payload of the tunneling packet can be checked against the Access rules several times.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an IPS or Layer 2 Firewall element, then select Edit <element type>.
  2. In the navigation pane on the left, browse to Advanced Settings > Tunneling.
  3. Define the settings.
  4. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Tunneling

Use this branch to change the packet tunneling settings for the engine.

Option Definition
Limit for Rematching Tunneled Traffic Specifies how many times the contents of tunneled packets can be rematched against the IPv6 Access rules or IPv4 Access rules when several layers of tunneling are encountered. The default is 1. When the limit is reached, the action defined in the Action if Limit is Exceeded setting is taken.
Action if Limit is Exceeded Specifies whether remaining encapsulated packets inside the tunneling packet are allowed without further inspection or discarded. The default is to discard the remaining packets. When this action is triggered, you are notified according to the Log Level setting.
Log Level Specifies whether you are notified through a normal (stored) log entry or an Alert when the limit for rematching tunneled traffic is reached.
Alert If you selected Alert as the Log Level, select the Alert element that is used when an event triggers an alert. The Alert elements can be used for matching in Alert Policies. Click Select to select an element.
Set to Default Returns Tunneling changes to the default settings.