{"id":48711,"date":"2017-11-07T05:00:50","date_gmt":"2017-11-07T13:00:50","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=48711"},"modified":"2017-11-06T21:16:00","modified_gmt":"2017-11-07T05:16:00","slug":"tech-docs-get-tunnel-vision","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2017\/11\/tech-docs-get-tunnel-vision\/","title":{"rendered":"Get Some Tunnel Vision!"},"content":{"rendered":"<p><a href=\"https:\/\/www.paloaltonetworks.com\/content\/dam\/pan\/en_US\/assets\/pdf\/technical-documentation\/infographics\/panw-tunnel-content-inspection.pdf\"><div style=\"max-width:100%\" data-width=\"690\"><span class=\"ar-custom\" style=\"padding-bottom:143.19%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-48714 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/11\/TunnelVision_1.png\" alt=\"TunnelVision_1\" width=\"690\" height=\"988\" \/><\/span><\/div><\/a><\/p>\n<p>Pull back the curtain, turn on the light, put on your x-ray vision goggles and inspect the traffic passing through your cleartext tunnels (GRE, non-encrypted IPSec, or GTP-U tunnels). You want tunnel vision!<\/p>\n<p>You can\u2019t protect against things you can\u2019t see, including sessions tunneled through the firewall. If sessions are tunneled in a protocol such as GRE, without Tunnel Content Inspection you\u2019ll simply see the traffic as GRE and not see the individual applications (or who the source is) within GRE. If tunnel protocols are allowed to go through the firewall, users can avoid full exposure to the firewall and access sites such as proxy-avoidance websites to surf prohibited content or do file transfers.<\/p>\n<p>Tunnel content inspection provides visibility so that you can enforce policy. For example, block packets that contain unknown protocols. Enforce your corporate security and usage policies on tunneled packets.<\/p>\n<p>As the enforcer holding the gavel, you can apply different security rules to the tunnel content versus the rules applied to the inside content. This flexibility helps, for example, when you have separate entities tunneling their traffic and you want to enforce different overarching security policies.<\/p>\n<p>Tag the traffic that is subject to Tunnel Inspection policies so you can use logs and reports to gain full visibility into the traffic.<\/p>\n<p>Don\u2019t let your tunneled traffic go unchecked! Check out <a href=\"https:\/\/www.paloaltonetworks.com\/documentation\/80\/pan-os\/pan-os\/networking\/tunnel-content-inspection\">Tunnel Content Inspection<\/a> in PAN-OS 8.0 and later releases.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Don\u2019t let your tunneled traffic go unchecked! Check out Tunnel Content Inspection in PAN-OS 8.0 and later releases.<\/p>\n","protected":false},"author":144,"featured_media":22684,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[587],"tags":[29,4812],"coauthors":[1383],"class_list":["post-48711","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical-documentation","tag-threat-prevention","tag-tunnel-content-inspection"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/12\/TechDocs_logo.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/48711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=48711"}],"version-history":[{"count":3,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/48711\/revisions"}],"predecessor-version":[{"id":48744,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/48711\/revisions\/48744"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/22684"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=48711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=48711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=48711"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=48711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}