
firewall transparent tunnel inspect enable

Function

The firewall transparent tunnel inspect enable command enables inner tunnel packet detection in the Layer 2 transparency scenario.

The undo firewall transparent tunnel inspect enable command disables inner tunnel packet detection in the Layer 2 transparency scenario.

Format

firewall transparent tunnel inspect enable

undo firewall transparent tunnel inspect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, inner tunnel packet detection is disabled in the Layer 2 transparency scenario.

Tunnel packets carry outer and inner information. By default, when the FW works in Layer 2 transparent mode it parses only the outer information of tunnel packets (the tunnel protocol and the outer IP addresses) and establishes sessions based on that information. Because the outer information contains no port numbers, the source and destination ports of such sessions are displayed as 0.

To implement control based on the inner information of tunnel packets, enable the inner packet detection function so that the FW parses the inner information of tunnel packets (inner protocol, inner IP address, and inner port) and establishes sessions based on the inner information.

Currently, the FW can detect the inner information of the following types of tunnel packets:
  • GRE
  • IPv4 over IPv6
  • IPv6 over IPv4
  • MPLS
  • QinQ
  • PPPoE

    You can also run the firewall layer2 pppoe detect enable command to enable the inner information detection for PPPoE packets.

  • VXLAN
  • SRv6

The corresponding security policy needs to be configured to permit inner tunnel packets. Otherwise, no session can be established for inner packets.

If packets carried in different tunnels (or tunnels of different types) have the same inner 5-tuple, do not enable inner tunnel packet detection. With detection enabled, sessions are keyed on the inner information only, so such packets would be matched to the same session and services may be abnormal.

Inner packet detection cannot be implemented for fragmented SRv6, VXLAN, GRE, IPv4 over IPv6, or IPv6 over IPv4 packets.

Inner QinQ packet detection is supported by default; you do not need to enable inner tunnel detection for QinQ packets.
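The following Python script is an added illustration of the session-key behaviour described in these Usage Guidelines; it is not Huawei code and does not reproduce the FW's implementation. It builds constructed GRE-over-IPv4 packets, derives the default outer session key (tunnel protocol, outer IP addresses, ports 0) and, when inner inspection is "enabled", the inner 5-tuple instead. It also shows the two caveats above: a fragmented GRE packet cannot be inspected and falls back to the outer key, and two tunnels that carry the same inner 5-tuple collapse to one inner session key. The packet builder and the `inspect_inner` flag are assumptions made for the example.

```python
"""Outer vs. inner session keys for GRE-tunnelled IPv4 packets (added example, constructed data)."""
import ipaddress
import struct

GRE, TCP, UDP = 47, 6, 17
IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst
MF_FLAG, FRAG_MASK = 0x2000, 0x1FFF


def _ipv4_header(src, dst, proto, payload_len, more_frag=False, frag_offset=0):
    """Build a minimal 20-byte IPv4 header (checksum left as 0; constructed sample data)."""
    flags_frag = (MF_FLAG if more_frag else 0) | (frag_offset & FRAG_MASK)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(buf):
    """Return (proto, src, dst, header_len, more_frag, frag_offset) of an IPv4 header."""
    vihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return (proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            (vihl & 0x0F) * 4, bool(flags_frag & MF_FLAG), flags_frag & FRAG_MASK)


def outer_session_key(pkt):
    """Default behaviour: tunnel protocol and outer IPs; no ports, so both are shown as 0."""
    proto, src, dst, *_ = parse_ipv4(pkt)
    return (proto, src, dst, 0, 0)


def inner_session_key(pkt):
    """Inner 5-tuple of a GRE/IPv4 packet whose payload is IPv4 TCP or UDP.

    Returns None when inner inspection is not possible: the outer packet is a fragment
    (the page's caveat), the tunnel is not GRE, the GRE payload is not IPv4, or the inner
    packet is itself a fragment / not TCP or UDP (no transport ports to read).
    """
    proto, _, _, ihl, more_frag, frag_offset = parse_ipv4(pkt)
    if more_frag or frag_offset or proto != GRE:
        return None
    gre = pkt[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != 0x0800:
        return None
    # Optional GRE fields (checksum, key, sequence) each add 4 bytes when their flag bit is set.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner = gre[gre_len:]
    iproto, isrc, idst, iihl, imf, ifo = parse_ipv4(inner)
    if imf or ifo or iproto not in (TCP, UDP):
        return None
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return (iproto, isrc, idst, sport, dport)


def session_key(pkt, inspect_inner):
    """Key used to create the session: the inner 5-tuple when inspection is enabled and the
    packet can be inspected, otherwise the outer key."""
    if inspect_inner:
        inner = inner_session_key(pkt)
        if inner is not None:
            return inner
    return outer_session_key(pkt)


def gre_packet(outer_src, outer_dst, inner_src, inner_dst, sport, dport,
               inner_proto=TCP, more_frag=False, frag_offset=0):
    """Constructed sample packet: IPv4 / GRE (proto 0x0800) / IPv4 / TCP-or-UDP header."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # ports plus padding for the L4 header
    inner = _ipv4_header(inner_src, inner_dst, inner_proto, len(l4)) + l4
    gre = struct.pack("!HH", 0, 0x0800)                     # no optional GRE fields
    outer = _ipv4_header(outer_src, outer_dst, GRE, len(gre) + len(inner), more_frag, frag_offset)
    return outer + gre + inner


if __name__ == "__main__":
    a = gre_packet("192.0.2.1", "192.0.2.2", "10.0.0.1", "10.0.0.2", 40000, 443)
    b = gre_packet("198.51.100.1", "198.51.100.2", "10.0.0.1", "10.0.0.2", 40000, 443)
    print("outer key:", session_key(a, False))
    print("inner key:", session_key(a, True))
    print("two tunnels, same inner 5-tuple, same key:", session_key(a, True) == session_key(b, True))
    frag = gre_packet("192.0.2.1", "192.0.2.2", "10.0.0.1", "10.0.0.2", 40000, 443, frag_offset=185)
    print("fragmented GRE falls back to outer key:", session_key(frag, True))
```

The collision check is the practical reason for the warning above: once sessions are keyed on inner information, the outer tunnel endpoints no longer distinguish traffic, so two tunnels carrying the same inner 5-tuple share one session.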

Example

# Enable inner tunnel packet detection in the Layer 2 transparency scenario.

<sysname> system-view
[sysname] firewall transparent tunnel inspect enable
Copyright © Huawei Technologies Co., Ltd.