TippingPoint NGFW devices that are terminating IPsec VPN tunnels, can inspect the traffic within the tunnel. As the VPN traffic is decrypted, the content can be inspected by the device preventing any use of vulnerabilities through client-to-site or site-to-site tunnels. As with the IPS/TPS, encrypted traffic passing through the NGFW cannot be inspected.
Note: It is a recommended best practice to utilize inspection bypass rules to bypass encrypted traffic. This is recommended because the IPS/TPS cannot inspect encrypted traffic and attempting to do so can impact performance and cause unnecessary CPU processing load.