Sorry the direction of the traffic is a little confusing to me. FBF filters are placed on the interface where the packets being redirected enter the SRX.
So if the traffic is coming from another site on the encrypted tunnel into your SRX the filter is on the tunnel interface.
If the traffic is destined to enter the tunnel on your SRX into the tunnel interface the filter would need to be applied on every SRX interface where your internal traffic destined for that tunnel arrives on the SRX.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home