VXLAN Bridge or Gateway Overview
Each threat defense VTEP acts as a bridge or gateway between end nodes such as VMs, servers, and PCs and the VXLAN overlay network. For incoming frames received with VXLAN encapsulation over the VTEP source interface, the threat defense strips out the VXLAN header and forwards it to a physical interface connected to a non-VXLAN network based on the destination MAC address of the inner Ethernet frame.
The threat defense always processes VXLAN packets; it does not just forward VXLAN packets untouched between two other VTEPs.