
Inner Tunnel Packet Detection

When the FW works in Layer 2 transparent mode, it can detect the inner information of tunnel packets and establish sessions based on that inner information instead of the outer tunnel headers.

Context

Tunnel packets carry outer and inner information. When the FW works in Layer 2 transparent mode, by default it parses only the outer information of tunnel packets (the tunnel protocol and the outer IP addresses) and establishes sessions based on that outer information. Because the outer information of tunnel packets contains no port information, the source and destination ports of such sessions are displayed as 0.

To implement control based on the inner information of tunnel packets, enable the inner packet detection function so that the FW parses the inner information of tunnel packets (inner protocol, inner IP address, and inner port) and establishes sessions based on the inner information.

Currently, the FW can detect the inner information of the following types of tunnel packets:
  • GRE
  • IPv4 over IPv6
  • IPv6 over IPv4
  • MPLS
  • QinQ
  • PPPoE

    You can also run the firewall layer2 pppoe detect enable command to enable the inner information detection for PPPoE packets.

  • VXLAN
  • SRv6

Procedure

  1. Access the system view from the user view.

    system-view

  2. Enable inner tunnel packet detection in the Layer 2 transparency scenario.

    firewall transparent tunnel inspect enable

    By default, inner tunnel packet detection is disabled in the Layer 2 transparency scenario.

    A security policy that matches the inner information (inner protocol, inner IP addresses, and inner ports) must be configured to permit the inner tunnel packets. Otherwise, no session can be established for the inner packets.

    If packets carried in different types of tunnels have the same inner 5-tuple, do not enable inner tunnel packet detection. With detection enabled, sessions are keyed on the inner 5-tuple only, so packets from different tunnels would map to the same session and services may be abnormal.

    Inner packet detection cannot be implemented for fragmented SRv6, VXLAN, GRE, IPv4 over IPv6, or IPv6 over IPv4 packets.

    The FW detects the inner information of QinQ packets by default; you do not need to enable inner tunnel packet detection for them.
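The outer-versus-inner distinction from the Context section and the two caveats of step 2 (no inner detection for fragmented tunnel packets; identical inner 5-tuples across tunnel types collapse onto one session), modelled in Python as an added example. This is not Huawei's code and not the FW's actual implementation; it only derives the 5-tuple a session would be keyed on with detection disabled and enabled. It parses GRE, IPv6 over IPv4 and IPv4 over IPv6 only, and every packet and address below is constructed inline from documentation ranges, not captured traffic.

```python
"""Added example (not Huawei's code): the session key derived from a tunnel
packet with inner tunnel packet detection disabled vs. enabled."""
import ipaddress
import struct

GRE, IPV6_IN_IPV4, IPV4_IN_IPV6 = 47, 41, 4   # IANA protocol / next-header numbers
TCP, UDP = 6, 17


def parse_ip(buf):
    """Parse an IPv4/IPv6 header -> (version, proto, src, dst, fragmented, payload)."""
    if not buf:
        return None
    ver = buf[0] >> 4
    if ver == 4 and len(buf) >= 20:
        ihl = (buf[0] & 0x0F) * 4
        frag = struct.unpack("!H", buf[6:8])[0]
        fragmented = bool(frag & 0x2000) or (frag & 0x1FFF) != 0   # MF set or offset != 0
        return (4, buf[9], str(ipaddress.IPv4Address(buf[12:16])),
                str(ipaddress.IPv4Address(buf[16:20])), fragmented, buf[ihl:])
    if ver == 6 and len(buf) >= 40:
        nh = buf[6]
        return (6, nh, str(ipaddress.IPv6Address(buf[8:24])),
                str(ipaddress.IPv6Address(buf[24:40])), nh == 44, buf[40:])  # 44 = Fragment header
    return None


def session_key(pkt, inner_inspect=False):
    """5-tuple (proto, src, dst, sport, dport) used to look up or create the session."""
    outer = parse_ip(pkt)
    if outer is None:
        raise ValueError("not an IP packet")
    ver, proto, src, dst, fragmented, payload = outer
    outer_key = (proto, src, dst, 0, 0)          # outer headers carry no ports: shown as 0
    if not inner_inspect or fragmented:          # fragments get no inner detection (caveat)
        return outer_key
    if proto == GRE:
        if len(payload) < 4:
            return outer_key
        flags, ptype = struct.unpack("!HH", payload[:4])
        # optional checksum / key / sequence fields each add 4 bytes to the GRE header
        hdr = 4 + 4 * sum(1 for m in (0x8000, 0x2000, 0x1000) if flags & m)
        if ptype not in (0x0800, 0x86DD):        # only IP payloads are parsed further
            return outer_key
        inner = parse_ip(payload[hdr:])
    elif (ver, proto) in ((4, IPV6_IN_IPV4), (6, IPV4_IN_IPV6)):
        inner = parse_ip(payload)
    else:
        return outer_key                         # not a tunnel type this model understands
    if inner is None or inner[4]:                # unparsable or fragmented inner packet
        return outer_key
    _, iproto, isrc, idst, _, ipayload = inner
    if iproto in (TCP, UDP) and len(ipayload) >= 4:
        sport, dport = struct.unpack("!HH", ipayload[:4])
    else:
        sport, dport = 0, 0
    return (iproto, isrc, idst, sport, dport)


def same_session(a, b, inner_inspect=False):
    """True if the two packets would share one session entry in the given mode."""
    return session_key(a, inner_inspect) == session_key(b, inner_inspect)


# --- constructed sample packets (not captured traffic) ---
def ipv4(proto, src, dst, payload, flags_frag=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6(nh, src, dst, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


INNER_V4 = ipv4(TCP, "10.1.1.10", "10.2.1.20", tcp_syn(51000, 443))
GRE_HDR = struct.pack("!HH", 0, 0x0800)                       # no options, IPv4 payload
GRE_PKT = ipv4(GRE, "192.0.2.1", "198.51.100.1", GRE_HDR + INNER_V4)
GRE_FRAG = ipv4(GRE, "192.0.2.1", "198.51.100.1", GRE_HDR + INNER_V4, flags_frag=0x2000)  # MF set
SIX_IN_FOUR = ipv4(IPV6_IN_IPV4, "192.0.2.1", "198.51.100.1",
                   ipv6(TCP, "2001:db8::10", "2001:db8::20", tcp_syn(51000, 443)))
FOUR_IN_SIX = ipv6(IPV4_IN_IPV6, "2001:db8:1::1", "2001:db8:2::1", INNER_V4)  # same inner 5-tuple as GRE_PKT

if __name__ == "__main__":
    for name, p in [("GRE", GRE_PKT), ("GRE fragment", GRE_FRAG),
                    ("IPv6 over IPv4", SIX_IN_FOUR), ("IPv4 over IPv6", FOUR_IN_SIX)]:
        print(f"{name:15} outer={session_key(p)}  inner={session_key(p, True)}")
    print("GRE vs IPv4-over-IPv6 share a session with detection on:",
          same_session(GRE_PKT, FOUR_IN_SIX, True))
```

With detection disabled every tunnel packet is keyed on (tunnel protocol, outer addresses, 0, 0), which is why the security policy for that mode can only match outer addresses. With detection enabled the GRE packet and the IPv4-over-IPv6 packet produce the identical inner key, which is exactly the situation the second caveat warns about; the fragmented GRE packet falls back to the outer key, matching the third caveat.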

Copyright © Huawei Technologies Co., Ltd.