GRE Tunnel Overview
Updated on
Aug 21, 2024
Focus
Updated on
Aug 21, 2024
Focus
Table of Contents
End-of-Life (EoL)
A Generic Routing Encapsulation (GRE) tunnel connectstwo endpoints in a point-to-point, logical link.
A Generic Routing Encapsulation (GRE) tunnelconnects two endpoints (a firewall and another appliance) in a point-to-point,logical link. The firewall can terminate GRE tunnels; you can routeor forward packets to a GRE tunnel. GRE tunnels are simple to useand often the tunneling protocol of choice for point-to-point connectivity, especiallyto services in the cloud or to partner networks.
Create a GRE tunnel whenyou want to direct packets that are destined for an IP address totake a certain point-to-point path, for example to a cloud-basedproxy or to a partner network. The packets travel through the GREtunnel (over a transit network such as the internet) to the cloudservice while on their way to the destination address. This enablesthe cloud service to enforce its services or policies on the packets.
The following figure is an example of a GRE tunnel connectingthe firewall across the internet to a cloud service.
For better performance and to avoid single points of failure,split multiple connections to the firewall among multiple GRE tunnelsrather than use a single tunnel. Each GRE tunnel needs a tunnelinterface.
When the firewall allows a packet to pass (based on a policymatch) and the packet egresses to a GRE tunnel interface, the firewalladds GRE encapsulation; it doesn’t generate a session. The firewalldoes not perform a Security policy rule lookup for the GRE-encapsulatedtraffic, so you don’t need a Security policy rule for the GRE traffic that the firewallencapsulates. However, when the firewall receives GRE traffic, itgenerates a session and applies all policies to the GRE IP headerin addition to the encapsulated traffic. The firewall treats thereceived GRE packet like any other packet. Therefore:
If the firewall receives the GRE packet on an interfacethat has the same zone as the tunnel interface associated with theGRE tunnel (for example, tunnel.1), the source zone is the sameas the destination zone. By default, traffic is allowed within azone (intrazone traffic), so the ingress GRE traffic is allowedby default.
However, if you configured your own intrazone Security policyrule to deny such traffic, you must explicitly allow GRE traffic.
Likewise, if the zone of the tunnel interface associated withthe GRE tunnel (for example, tunnel.1) is a different zone fromthat of the ingress interface, you must configure a Security policyrule to allow the GRE traffic.
Because the firewall encapsulates the tunneled packet in a GREpacket, the additional 24 bytes of GRE header automatically resultin a smaller Maximum Segment Size (MSS) in themaximum transmission unit (MTU). If you don’t change the IPv4 MSSAdjustment Size for the interface, the firewall reduces the MTUby 64 bytes by default (40 bytes of IP header + 24 bytes of GREheader). This means if the default MTU is 1,500 bytes, the MSS willbe 1,436 bytes (1,500 - 40 - 24 = 1,436). If you configure an MSSAdjustment Size of 300 bytes, for example, the MSS will be only 1,176bytes (1,500 - 300 - 24 = 1,176).
The firewall does not support routing a GRE or IPSec tunnel toa GRE tunnel, but you can route a GRE tunnel to an IPSec tunnel.Additionally:
A GRE tunnel does not support QoS.
The firewall does not support a single interface acting asboth a GRE tunnel endpoint and a decryption broker.
GRE tunneling does not support NAT between GRE tunnel endpoints.
If you need to connect to another vendor’s network, werecommend you Set Up an IPSec Tunnel, not a GREtunnel; you should use a GRE tunnel only if that is the only point-to-pointtunnel mechanism that the vendor supports. You can also enable GREover IPSec if the remote endpoint requires that ( Add GREEncapsulation AddGRE Encapsulation
If you aren’t planning to terminate a GREtunnel on the firewall, but you want the ability to inspect andcontrol traffic passing through the firewall inside a GRE tunnel,don’t create a GRE tunnel. Instead, perform Tunnel Content Inspection of GREtraffic. With tunnel content inspection, you are inspecting and enforcingpolicy on GRE traffic passing through the firewall, not creatinga point-to-point, logical link for the purpose of directing traffic.
"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
