if the tunnel is terminated on the firewall, every qspect of the tunnel (transport + packets traversing the tunnel) is inspected
if the tunnel is traversing the firewall, it can only be inspected (via a tunnel inspection policy) if the protocol is GRE, VXLAN or unencrypted (AH) IPSec
regular IPSec tunnels traversing the firewall will still be 'inspected' for vulnerabilities via threat prevention
if the tunnel is terminated on the firewall, every qspect of the tunnel (transport + packets traversing the tunnel) is inspected
if the tunnel is traversing the firewall, it can only be inspected (via a tunnel inspection policy) if the protocol is GRE, VXLAN or unencrypted (AH) IPSec
regular IPSec tunnels traversing the firewall will still be 'inspected' for vulnerabilities via threat prevention