Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1192
Views
0
Helpful
3
Replies

Firepwer 7000 and GRE traffic decapsulation

Mohammed Ashraf Ali
Level 1
Level 1

‎03-23-2019 04:19 AM

Hi,

 

We have Cisco Firepower 7000 series boxes running 6.2.3 installed in transparent mode in our customer network managed by FMC.

The customer has some Gre tunnel traffic passing through PF , which is being decapsulated/decrypted.

 

The customer has requested us to stop decapsulation/decryption of Gre in FP , and allow the traffic to by pass inspection.

As per i know there is no way to add pre-filters for FP 7000 series. so what is the alternative to achieve the same.

 

Regards,

 

 

 

Labels:
0 Helpful
3 Replies 3

Abheesh Kumar
VIP Alumni
VIP Alumni

‎03-23-2019 04:56 AM - edited ‎03-23-2019 04:59 AM

Hi,
Try creating a trust rule with source/destination (inner header) for the GRE tunneled traffic.

Hope This Helps
Abheesh

0 Helpful

Mohammed Ashraf Ali
Level 1
Level 1
In response to Abheesh Kumar

‎03-23-2019 08:36 AM

Hi,

 

Thanks for reply,

But The requirement is to stop decryption of GRE traffic, rather than bypassing inspection of GRE inner header traffic.

 

regards,

0 Helpful

Ilkin
Cisco Employee
Cisco Employee
In response to Mohammed Ashraf Ali

‎03-26-2019 12:46 AM

Classic Firepower devices use outer headers of GRE encapsulated packets for policy matching. In customer`s is the policy matches based on the inner addresses?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card