Using tunnel zones to apply access control at the tunnel level

As explained in How the system processes plain-text tunnels, once a plain-text tunneled connection passes through the prefilter policy, the access control policy applies its rules to each connection contained within the tunnel.

However, you might want to apply the same policy to all the connections within a tunnel. For example, you might have a special intrusion policy you want to use for tunneled connections.

To make it possible to apply access control rules to all connections within a tunnel, you must use the prefilter policy to rezone the tunnel. Rezoning applies a tunnel zone tag to the plain-text tunnel. You can then use that tunnel zone instead of a security zone when you define the source interface criterion of an access control rule.

Because a tunnel zone does not contain interfaces, the source interface through which the tunnel enters the device is not relevant. You can apply the same tunnel zone tag to multiple tunnels that enter the device through different interfaces, and access control then treats all of them in the same way.

Note

Connections in rezoned tunnels do not match security zone constraints in an access control rule. After you rezone a tunnel, access control rules can match its encapsulated connections with their newly assigned tunnel zone, but not with any original security zone.
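The matching semantics described above and in the note, as an added illustrative model written for this page (not Cisco code and not the device's actual packet path): a prefilter tunnel rule tags a plain-text tunnel with a tunnel zone, and access control rules then match the encapsulated connections by tunnel zone only, never by the original security zone. Zone names, rule names, the GRE tunnel type and the default action are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Connection:
    ingress_zone: str                  # security zone of the interface the packets arrived on
    tunnel_proto: Optional[str]        # plain-text tunnel type, e.g. "GRE"; None if not tunneled
    tunnel_zone: Optional[str] = None  # tunnel zone tag assigned by prefilter rezoning

@dataclass
class PrefilterRule:
    tunnel_proto: str        # tunnel rule condition: encapsulation protocol
    assign_tunnel_zone: str  # rezone action: tag matching tunnels with this zone

@dataclass
class AccessRule:
    name: str
    action: str
    src_security_zone: Optional[str] = None  # source interface criterion: security zone
    src_tunnel_zone: Optional[str] = None    # source interface criterion: tunnel zone

def prefilter(conn: Connection, rules: list) -> Connection:
    """First matching tunnel rule tags the tunnel with its tunnel zone."""
    for r in rules:
        if conn.tunnel_proto == r.tunnel_proto:
            conn.tunnel_zone = r.assign_tunnel_zone
            break
    return conn

def access_control(conn: Connection, rules: list) -> str:
    """Return 'rulename:action' of the first matching rule, else the (constructed) default action."""
    for r in rules:
        if r.src_tunnel_zone is not None:
            if conn.tunnel_zone != r.src_tunnel_zone:
                continue
        elif r.src_security_zone is not None:
            # A rezoned tunnel's connections never match a security zone constraint, whatever interface it entered on.
            if conn.tunnel_zone is not None or conn.ingress_zone != r.src_security_zone:
                continue
        return f"{r.name}:{r.action}"
    return "default:ALLOW"

def decide(conn: Connection, prefilter_rules: list, ac_rules: list) -> str:
    return access_control(prefilter(conn, prefilter_rules), ac_rules)

# Constructed policies: rezone GRE tunnels, then send them to a rule with a dedicated intrusion policy.
PREFILTER = [PrefilterRule("GRE", "gre-tunnels")]
AC_RULES = [AccessRule("outside-allow", "ALLOW", src_security_zone="outside"),
            AccessRule("tunnel-ips", "ALLOW+tunnel-IPS", src_tunnel_zone="gre-tunnels")]
```

Running `decide` with `AC_RULES[:1]` (the tunnel zone rule removed) shows the implication of rezoning without handling it: the rezoned GRE connections no longer match the outside zone rule and fall through to the default action.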

See How to rezone tunnels for customized inspection for a walkthrough of a tunnel zone implementation, and a discussion of the implications of rezoning without explicitly handling rezoned traffic.