Configuring tunnel rules

You can also right-click a rule and select Insert New Tunnel Rule.

• Fastpath—Exempts matching traffic from all further inspection and control, including access control, identity requirements, and rate limiting. Fastpathing a tunnel fastpaths all encapsulated connections. These connections are eligible for flow offload if the device supports it.

• Block—Blocks matching traffic without further inspection of any kind. Blocking a tunnel blocks all encapsulated connections.

• Analyze—Allows traffic to continue to be analyzed by the rest of access control using inner headers.. If passed by access control and any related deep inspection, this traffic may also be rate limited.

The default is to insert the rule at the end of the policy, but you can select an existing rule and insert the new rule before or after that rule. The action of the first rule that matches a connection is applied to that connection, so order matters.

Leave this option blank if you want access control to apply to the encapsulated connections within the tunnel without special processing. For more information about rezoning and tunnel group tags, see:

• Using tunnel zones to apply access control at the tunnel level

• Creating tunnel zones

• How to rezone tunnels for customized inspection

Caution

Exercise caution when assigning tunnel zones. Connections in rezoned tunnels may not match security zone constraints in later evaluation. See How to rezone tunnels for customized inspection for a brief walkthrough of a tunnel zone implementation, and a discussion of the implications of rezoning without explicitly handling rezoned traffic.

You can limit what times of day, or which days, a rule is operational. For example, the rule could apply during business hours only. Select an existing time range object or create a new one. For more information, see Creating Time Range Objects.

• Match tunnels only from source (unidirectional)—Match source-to-destination traffic only. Matching traffic must originate from one of the specified source interfaces or tunnel endpoints, and leave through one of the destination interfaces or tunnel endpoints. Return traffic for allowed connections is also permitted. (Note that prefilter rules are always unidirectional.)

• Match tunnels from source and destination (bidirectional)—Match both source-to-destination traffic and destination-to-source traffic. The effect is identical to writing two unidirectional rules, one the mirror of the other. This is the default.

You must select at least one of these options in a tunnel rule to specify the encapsulation protocol used. The list includes the IP protocol number for the option.

• GRE (47)

• IP-in-IP (4)

• IPv6-in-IP (41)

• Teredo (UDP (17)/3455)

The rule is applied to connections that match all of the conditions. Within a condition type, separate elements are OR’ed, so that matching any of the selected items counts as a match. For the rule as a whole, all condition types are AND’ed: a connection must match at least one item on each tab to match the rule. You can use the following types of conditions:

• Interface Objects—Select the security zones or interface groups that contain the interfaces to which the rule should apply. The default, no objects selected, applies the rule to all interfaces on the device.

• Tunnel Endpoints—The network objects that define the source (Add to Source) and destination (Add to Destination) IP addresses of the tunnel. The default (no objects selected) matches all source and destination IP addresses.

• VLAN tags—Select the objects that define the VLANs to which the rule should apply. For more information, see VLAN tags rule conditions.