GRE security options of the USG6000

The Generic Routing Encapsulation (GRE) protocol encapsulates data packets of certain network-layer protocols, so that the encapsulated packets can travel through another network-layer protocol. GRE is one of the tunneling technologies and is an L3 tunneling protocol. The GRE provides a transmission path for encapsulated packets by establishing a virtual point-to-point connection.

1. Upon receiving an IP packet over an interface connected to the IP network, the firewall enables the IP processing part to process the IP packet. 2. The IP processing part checks the destination address in the packet header to determine the forwarding mode. If the packet needs to pass through the GRE tunnel to arrive at the destination, the IP processing part sends the packet to the corresponding tunnel interface. 3. Upon receiving the packet, the tunnel interface encapsulates the packet with a GRE packet header and then returns the packet to the IP processing part. 4. The IP processing part encapsulates the GRE packet with a new IP packet header (the source address is the tunnel source interface IP address and the destination address is the tunnel destination interface IP address), and forwards the encapsulated IP packet over the physical port connected to the Internet based on the destination address and routing table.

1. Upon receiving an IP packet over the physical port connected to the Internet, the firewall checks the destination address of the packet. If the destination address is the firewall address and the protocol number in the IP packet header is 47 (indicating an encapsulated GRE packet), the firewall removes the IP packet header and enables the GRE protocol processing part to process the packet. 2. After checking and recognizing keywords, the GRE protocol processing part removes the GRE packet header and enables the IP processing part to process the packet. 3. The IP processing part forwards the packet to the IP network.

GRE features are mainly applied in the following scenarios: GRE over IPSec, IPv6 over IPv4 tunnel, expanding the working scope of the network with restricted hops, and GRE VPN.

The USG6000 GRE scenarios are as follows: 1. Static route-based GRE tunnel The NGFW adopts the dynamic routing protocol. Intranet users can transmit data that is not supported by certain public network devices over the GRE tunnel. 2. OSPF-based GRE tunnel The NGFW adopts the OSPF routing protocol. Intranet users can transmit data that is not supported by certain public network devices over the GRE tunnel. For specific scenarios and configuration cases, click Configuring a Static Route-based GRE Tunnel.