Can interface IP in the NAT policy be used to translate GRE pass-through traffic?
Created On 05/19/20 01:44 AM - Last Modified 05/29/24 20:01 PM
Question
Can interface IP in the NAT policy be used to translate GRE pass-through traffic in PAN-OS 9.0+?
Environment
- PAN-OS version 9.0 or above
- Firewall is acting only as pass-through device for GRE traffic.
- NAT configured on the firewall using the interface IP address
Answer
- From PAN-OS 9.0 onwards the firewall supports GRE tunnelling, so the firewall can act as one of the GRE tunnel endpoints.
- If pass-through GRE traffic is translated to an interface IP address, the firewall drops the GRE packets it receives.
- This is because the firewall considers a GRE packet addressed to one of its own interface IPs to be destined for itself. Since the traffic is pass-through, no GRE tunnel is configured on the firewall, so no matching tunnel is found and the packet is dropped.
- This issue is only seen on PAN-OS 9.0 or above, because those versions support GRE tunnelling.
- When this happens, the "flow_gre_tunnel_decap_not_found" global counter increments:
admin@Lab80-156-PA-VM> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 2.629 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_gre_tunnel_decap_not_found 1 0 drop flow tunnel GRE Tunnel IPs don't match configuration
appid_ident_by_ip 1 0 info appid pktproc Application identified by ip protocol
- On PAN-OS versions below 9.0 this setup works.
- To fix the issue, translate the pass-through GRE traffic to an IP address other than the interface IP.
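As an added example (not part of the original article), the following Python parses the output of "show counter global filter packet-filter yes delta yes" shown above and reports whether the flow_gre_tunnel_decap_not_found drop counter incremented, which is the symptom described. The sample text is a copy of the article's output embedded for offline use; the column layout assumed by the parser is the one visible in that output.

```python
import re

# Copy of the CLI output shown in the article, embedded here as sample input.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 2.629 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_gre_tunnel_decap_not_found 1 0 drop flow tunnel GRE Tunnel IPs don't match configuration
appid_ident_by_ip 1 0 info appid pktproc Application identified by ip protocol
"""

# Counter the article identifies for pass-through GRE translated to an interface IP.
GRE_DECAP_COUNTER = "flow_gre_tunnel_decap_not_found"

# One counter row: name, integer value, integer rate, then four text columns.
# Header, separator and "Elapsed time" lines do not match because their
# second field is not numeric (or, for the separator, has no whitespace).
COUNTER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)


def parse_counters(text):
    """Return one dict per counter row found in the CLI output."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["value"] = int(row["value"])
        row["rate"] = int(row["rate"])
        rows.append(row)
    return rows


def gre_decap_drops(text):
    """Return the sampled delta of the GRE decap counter, or 0 if it is absent."""
    for row in parse_counters(text):
        if row["name"] == GRE_DECAP_COUNTER:
            return row["value"]
    return 0


def diagnose(text):
    """Map the counter reading back to the cause and fix described in the article."""
    drops = gre_decap_drops(text)
    if drops == 0:
        return "no GRE decapsulation drops in this sample"
    return (f"{drops} GRE packet(s) dropped as tunnel traffic addressed to the firewall; "
            "check for a NAT rule translating pass-through GRE to an interface IP "
            "and translate to a different address instead.")
```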