Pull back the curtain, turn on the light, put on your x-ray vision goggles and inspect the traffic passing through your cleartext tunnels (GRE, non-encrypted IPSec, or GTP-U tunnels). You want tunnel vision!
You can’t protect against things you can’t see, including sessions tunneled through the firewall. If sessions are tunneled in a protocol such as GRE, without Tunnel Content Inspection you’ll simply see the traffic as GRE and not see the individual applications (or who the source is) within GRE. If tunnel protocols are allowed to go through the firewall, users can avoid full exposure to the firewall and access sites such as proxy-avoidance websites to surf prohibited content or do file transfers.
Tunnel content inspection provides visibility so that you can enforce policy. For example, block packets that contain unknown protocols. Enforce your corporate security and usage policies on tunneled packets.
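To make the "outer view versus inner view" concrete, here is a small GRE decapsulation parser (added example, not code from the original post or from PAN-OS). It reports what a firewall sees without tunnel content inspection (the outer header: protocol 47) and what it sees with it (the inner source, destination, protocol and ports), and flags a payload type it cannot interpret, the case the text suggests blocking. The sample packet and all addresses are constructed.

```python
import struct
import socket
GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800

def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 packet; raise on malformed input."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 version or IHL")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}, buf[ihl:]

def parse_gre(buf):
    """Return (protocol type, payload); skips the optional checksum/key/sequence fields (RFC 2784/2890)."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, ptype = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")  # only version 0 is handled here
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    if len(buf) < off:
        raise ValueError("truncated GRE options")
    return ptype, buf[off:]

def inspect(packet):
    """Outer view (all a firewall without TCI sees) plus the inner 5-tuple when GRE carries IPv4."""
    outer, payload = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        return {"outer": outer, "inner": None}
    ptype, inner_bytes = parse_gre(payload)
    if ptype != ETHERTYPE_IPV4:
        return {"outer": outer, "inner": {"unknown_type": ptype}}  # candidate for a block rule
    inner, l4 = parse_ipv4(inner_bytes)
    if inner["proto"] in (6, 17) and len(l4) >= 4:
        inner["sport"], inner["dport"] = struct.unpack("!HH", l4[:4])
    return {"outer": outer, "inner": inner}

def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample: keyed GRE from 10.0.0.1 to 10.0.0.2 carrying a TCP SYN from a client to port 443.
_tcp = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
_inner = ipv4_header("192.168.1.10", "203.0.113.5", 6, len(_tcp)) + _tcp
_gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 0x1234) + _inner
SAMPLE_PACKET = ipv4_header("10.0.0.1", "10.0.0.2", GRE_PROTO, len(_gre)) + _gre
```

Running `inspect(SAMPLE_PACKET)` shows the outer view as plain GRE between the two tunnel endpoints, while the inner view exposes the real client, the real destination and the HTTPS port that a per-application policy would act on.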
As the enforcer holding the gavel, you can apply one set of security rules to the tunnel itself and a different set to the content carried inside it. This flexibility helps, for example, when you have separate entities tunneling their traffic and you want to enforce different overarching security policies on each.
Tag the traffic that is subject to Tunnel Inspection policies so you can use logs and reports to gain full visibility into the traffic.
Don’t let your tunneled traffic go unchecked! Check out Tunnel Content Inspection in PAN-OS 8.0 and later releases.