https://community.cisco.com/t5/network-security/fmc-tunnel-amp-prefilter-rules/m-p/3345550#M1033081 <P>Hi.&nbsp;</P> <P>I believe it's a simple topic which has not been explained very clearly. I read about Tunnel &amp; Prefilter rules on Cisco website and even on the books, but none of them was clear enough. So, Would u ask my questions here?</P> <P>&nbsp;</P> <P>1. supposing we have not configured any&nbsp;<SPAN>Tunnel &amp; Prefilter rules on FMC, if device gets a sample non-encrypted tunneled packet, e.g. GRE, what will be the process? Is it goes through normal Access Policies in "decapsulated" form (so access policies analyze only inner header) or in "encapsulated" form (so access policies analyze outer header)?</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. If we have configured a tunnel rule with "Analyze" action, will matched packets forwarded to be analyzed by normal access policies?&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>3. supposing we have configured rules as below:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fmc5.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8691i458BB858526816E7/image-size/large?v=v2&amp;px=999" role="button" title="fmc5.png" alt="fmc5.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>What will happen if we get:</SPAN></P> <P><SPAN>A) a FTP packet encapsulated inside a GRE packet&nbsp;</SPAN></P> <P><SPAN>B) a SSH packet encapsulated inside a GRE packet</SPAN></P> <P><SPAN>C) a IPv6 FTP packet encapsulated as IPv6-in-IP</SPAN></P> <P>&nbsp;</P> <P><SPAN>tnx a lot.</SPAN></P> Fri, 21 Feb 2020 15:29:51 GMT ciscoworlds 2020-02-21T15:29:51Z https://community.cisco.com/t5/network-security/fmc-tunnel-amp-prefilter-rules/m-p/3345550#M1033081 <P>Hi.&nbsp;</P> <P>I believe it's a simple topic which has not been explained very clearly. I read about Tunnel &amp; Prefilter rules on Cisco website and even on the books, but none of them was clear enough. So, Would u ask my questions here?</P> <P>&nbsp;</P> <P>1. supposing we have not configured any&nbsp;<SPAN>Tunnel &amp; Prefilter rules on FMC, if device gets a sample non-encrypted tunneled packet, e.g. GRE, what will be the process? Is it goes through normal Access Policies in "decapsulated" form (so access policies analyze only inner header) or in "encapsulated" form (so access policies analyze outer header)?</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. If we have configured a tunnel rule with "Analyze" action, will matched packets forwarded to be analyzed by normal access policies?&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>3. supposing we have configured rules as below:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fmc5.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8691i458BB858526816E7/image-size/large?v=v2&amp;px=999" role="button" title="fmc5.png" alt="fmc5.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>What will happen if we get:</SPAN></P> <P><SPAN>A) a FTP packet encapsulated inside a GRE packet&nbsp;</SPAN></P> <P><SPAN>B) a SSH packet encapsulated inside a GRE packet</SPAN></P> <P><SPAN>C) a IPv6 FTP packet encapsulated as IPv6-in-IP</SPAN></P> <P>&nbsp;</P> <P><SPAN>tnx a lot.</SPAN></P> Fri, 21 Feb 2020 15:29:51 GMT https://community.cisco.com/t5/network-security/fmc-tunnel-amp-prefilter-rules/m-p/3345550#M1033081 ciscoworlds 2020-02-21T15:29:51Z https://community.cisco.com/t5/network-security/fmc-tunnel-amp-prefilter-rules/m-p/5275809#M1120307 <P>Old topic, STILL relevant though.&nbsp; I have a similar situation regarding pre-filters that I have yet to have had answered as well.&nbsp; Mine deals with WCCP tunneling. How can I create a pre-filter rule that ignores&nbsp; the GRE over WCCP tunnels when running through an FTD between core network where the WSA resides and the firewall that is sandwiched between two IPS that is the WCCP endpoint and 443 redirector?</P><P>&nbsp;</P><P>BTW thanks to the OP for the information posted. I had assumed that nothing could be added to the policy, turns out just to the default policy.</P> Thu, 27 Mar 2025 15:03:35 GMT https://community.cisco.com/t5/network-security/fmc-tunnel-amp-prefilter-rules/m-p/5275809#M1120307 tahscolony 2025-03-27T15:03:35Z