Security policy support for security inspection on VXLAN tunnels
You can perform security inspection on VXLAN tunnels by performing policy control twice. Configure an outer policy for the outer header and an inner policy for the inner header.
Configure a tunnel inspection profile to connect the outer policy and the inner policy. The tunnel inspection profile is attached to the outer policy and points to a group of inner policies (a policy set). When a packet matches the outer policy, the SRX device decapsulates the packet to get the inner header. Using the inner packet content together with the tunnel inspection profile attached to the outer policy, a second policy lookup selects the matching inner policy and applies its security services to the inner packet.
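The two-pass lookup described above, as an added Python model (not Junos code or configuration): the outer header selects an outer policy, its profile names a policy set, and the decapsulated inner header is matched against that set. All policy, profile and policy-set names, the address ranges, and the deny-on-no-match behaviour are assumptions of this sketch.

```python
import ipaddress, struct

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348)
# Constructed tables; every policy, profile and policy-set name is hypothetical.
OUTER = [("outer-vtep", "10.0.0.0/24", "10.0.1.0/24", "prof-1")]  # last field: profile
PROFILES = {"prof-1": "pset-1"}            # inspection profile -> inner policy set
POLICY_SETS = {"pset-1": [("allow-app", "192.168.1.0/24", "192.168.2.0/24", "permit")]}

def ip_hdr(src, dst, proto):
    """Constructed 20-byte IPv4 header (checksum left zero; never validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def vxlan_packet(osrc, odst, isrc, idst, vni=100):
    """Constructed sample: outer IPv4/UDP/VXLAN + inner Ethernet/IPv4 headers."""
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 0, 0)
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)   # I flag set, 24-bit VNI
    return ip_hdr(osrc, odst, 17) + udp + vxlan + bytes(14) + ip_hdr(isrc, idst, 6)

def parse_ipv4(pkt, off):
    """Return (src, dst, protocol, payload offset) for the IPv4 header at off."""
    src, dst = (ipaddress.ip_address(pkt[off + i:off + i + 4]) for i in (12, 16))
    return src, dst, pkt[off + 9], off + (pkt[off] & 0x0F) * 4

def lookup(rules, src, dst):
    """First-match lookup on source/destination; returns (name, result) or (None, None)."""
    for name, snet, dnet, result in rules:
        if src in ipaddress.ip_network(snet) and dst in ipaddress.ip_network(dnet):
            return name, result
    return None, None

def inspect(pkt):
    """Two-pass policy lookup; returns (outer policy, inner policy, action)."""
    src, dst, proto, off = parse_ipv4(pkt, 0)
    outer, profile = lookup(OUTER, src, dst)              # pass 1: outer header
    if outer is None:
        return None, None, "deny"
    is_vxlan = (proto == 17 and len(pkt) >= off + 16 + 14 + 20
                and struct.unpack_from("!H", pkt, off + 2)[0] == VXLAN_PORT
                and pkt[off + 8] & 0x08)
    if not is_vxlan:
        return outer, None, "deny"   # assumption: this model only passes valid VXLAN
    # Decapsulate: skip UDP (8), VXLAN (8) and inner Ethernet (14) headers.
    isrc, idst, _, _ = parse_ipv4(pkt, off + 8 + 8 + 14)
    inner, action = lookup(POLICY_SETS[PROFILES[profile]], isrc, idst)  # pass 2
    return outer, inner, action or "deny"  # assumption: no inner match means deny
```

A packet whose outer header is permitted can still be denied on the second pass, which is the case an outer-only policy cannot see.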