Tunnel vs prefilter rules
Whether you configure a tunnel or prefilter rule depends on the specific type of traffic you want to match and the actions or further analysis you want to perform.
|
Characteristic |
Tunnel Rules |
Prefilter Rules |
|---|---|---|
|
Primary function |
Quickly fastpath, block, or rezone plaintext, passthrough tunnels. |
Quickly fastpath or block any other connection that benefits from early handling. |
|
Encapsulation and port/protocol criteria |
Encapsulation conditions match only plaintext tunnels over selected protocols: GRE, IP-in-IP, IPv6-in-IP, Toredo. |
Port conditions can use a wider range of port and protocol constraints than tunnel rules; see Port, protocol, and ICMP code rule conditions. |
|
Network criteria |
Tunnel endpoint conditions constrain the endpoints of the tunnels you want to handle. |
Network conditions constrain the source and destination hosts in each connection. |
|
Direction |
Bidirectional or unidirectional (configurable). Tunnel rules are bidirectional by default, so they can handle all traffic between tunnel endpoints. |
Unidirectional only (nonconfigurable). Prefilter rules match source-to-destination traffic only. Return traffic for allowed connections is also permitted. |
|
Rezone sessions for further analysis |
Supported, using tunnel zones; see Using tunnel zones to apply access control at the tunnel level. |
Not applicable. |