Using Tunnel Zones
This example procedure summarizes how you might rezone GRE tunnels for further analysis, using tunnel zones. You can adapt the concepts described in this example to other scenarios where you need to tailor traffic inspection to connections encapsulated in plaintext, passthrough tunnels.
Consider a situation where your organization's internal traffic flows through the Trusted security zone. The Trusted security zone represents a set of interfaces across multiple managed devices deployed in various locations. Your organization's security policy requires that you allow internal traffic after deep inspection for exploits and malware.
Internal traffic sometimes includes plaintext, passthrough, GRE tunnels between particular endpoints. Because the traffic profile of this encapsulated traffic is different from your "normal" interoffice activity—perhaps it is known and benign—you can limit inspection of certain encapsulated connections while still complying with your security policy.
In this example, after you deploy configuration changes:
-
Plaintext, passthrough, GRE-encapsulated tunnels detected in the Trusted zone have their individual encapsulated connections evaluated by one set of intrusion and file policies.
-
All other traffic in the Trusted zone is evaluated with a different set of intrusion and file policies.
You accomplish this task by rezoning GRE tunnels. Rezoning ensures that access control associates GRE-encapsulated connections with a custom tunnel zone, rather than their original Trusted security zone. Rezoning is required due to the way access control handles encapsulated traffic; see Passthrough Tunnels and Access Control and Tunnel Zones and Prefiltering.
Procedure
Step 1 | Configure custom intrusion and file policies that tailor deep inspection to encapsulated traffic, and another set of intrusion and file policies tailored to nonencapsulated traffic. | ||||||||||||
Step 2 | Configure custom prefiltering to rezone GRE tunnels flowing through the Trusted security zone. Create a custom prefilter policy and associate it with access control. In that custom prefilter policy, create a tunnel rule (in this example, GRE_tunnel_rezone) and a corresponding tunnel zone (GRE_tunnel). For more information, see Configure Prefiltering.
| ||||||||||||
Step 3 | Configure access control to handle connections in rezoned tunnels. In the access control policy deployed to your managed devices, configure a rule (in this example, GRE_inspection) that handles the traffic you rezoned. For more information, see Create and Edit Access Control Rules.
| ||||||||||||
Step 4 | Configure access control to handle nonencapsulated connections flowing through the Trusted security zone. In the same access control policy, configure a rule (in this example, internal_default_inspection) that handles non-rezoned traffic in the Trusted security zone.
| ||||||||||||
Step 5 | Evaluate the position of the new access control rules relative to preexisting rules. Change rule order if necessary. If you place the two new access control rules next to each other, it does not matter which you place first. Because you rezoned GRE tunnels, the two rules cannot preempt each other. | ||||||||||||
Step 6 | Save all changed configurations. |
What to do next
-
Deploy configuration changes; see Deploy Configuration Changes.