In full-tunnel site-to-site VPN scenarios, all Internet traffic from the remote sites passes through the full-tunnel concentrator before being sent out to the Internet. This article describes how content filtering and threat protection are applied to Internet traffic in full-tunnel VPN scenarios.
The image below shows an MX60 and Z1 configured for full-tunnel Site-to-site VPN, terminating at the MX100:
The full-tunnel concentrator does not apply content filtering rules to VPN clients from remote subnets. Instead, content filtering in full-tunnel scenarios is done locally at the source MX, before the traffic is encrypted and encapsulated for the VPN.
In the above example, the MX60 and Z1 are full-tunneling to the MX100. The MX60 applies any configured content filtering rules before sending the traffic across the VPN tunnel to the MX100. However, the MX100 does not apply its local content filtering rules to inbound VPN traffic from the MX60. Since the Z1 does not support content filtering, traffic from the Z1's local subnet will not be filtered.
Note: Security reporting (IDS) will occur at the hub site, so traffic sent from the Z1 or MX60 will be scanned on the MX100. Other security features will only be applied by the spoke appliances.
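The following is an added example, not code from the original article or from Meraki, that models the enforcement points described above and audits a full-tunnel topology for subnets whose Internet traffic is never content filtered. It generalizes the two-spoke diagram to any list of spokes. The appliance names, subnets, and the `Appliance`, `enforcement_points` and `unfiltered_subnets` helpers are constructed for illustration; the capability flags encode only what the article states (the Z1 lacks content filtering, IDS runs at the hub).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Appliance:
    """A security appliance in the topology (constructed model, not a Meraki API).
    Capability flags follow the article: the Z1 does not support content
    filtering; the MX60 and MX100 do."""
    name: str
    model: str
    supports_content_filtering: bool
    content_filtering_enabled: bool
    subnets: tuple


def enforcement_points(spoke: Appliance, hub: Appliance) -> dict:
    """Where each function runs for Internet-bound traffic from a full-tunnel spoke:
    content filtering only at the spoke, before encryption and encapsulation
    (the hub never filters inbound VPN traffic); IDS/security reporting at the hub."""
    filtered_at = (
        spoke.name
        if spoke.supports_content_filtering and spoke.content_filtering_enabled
        else None
    )
    return {"content_filtering": filtered_at, "ids": hub.name}


def unfiltered_subnets(spokes, hub):
    """Audit: list (spoke, subnet, reason) for every subnet whose Internet traffic
    reaches the hub with no content filtering applied anywhere on the path."""
    gaps = []
    for spoke in spokes:
        if enforcement_points(spoke, hub)["content_filtering"] is None:
            reason = (
                "model does not support content filtering"
                if not spoke.supports_content_filtering
                else "content filtering not enabled on spoke"
            )
            gaps.extend((spoke.name, subnet, reason) for subnet in spoke.subnets)
    return gaps


# Constructed sample topology mirroring the article's diagram (names and
# subnets are assumptions).
HUB = Appliance("hub", "MX100", True, True, ("10.0.0.0/24",))
SPOKES = (
    Appliance("branch-a", "MX60", True, True, ("10.1.0.0/24",)),
    Appliance("home-z1", "Z1", False, False, ("10.2.0.0/24",)),
)

if __name__ == "__main__":
    for spoke in SPOKES:
        print(spoke.name, enforcement_points(spoke, HUB))
    for name, subnet, reason in unfiltered_subnets(SPOKES, HUB):
        print(f"GAP: {name} {subnet}: {reason}")
```

Running the audit on the sample topology reports the Z1's subnet as a gap, which matches the article: because filtering happens only at the source appliance, a spoke that cannot filter leaves its traffic unfiltered even though the hub has content filtering configured.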