1. Why we use pre filter policy ?

The main reason for using prefilter is to exclude traffic that does not require deep inspection thereby freeing up processing power that would otherwise be used on inspection.

2. pre filter vs access control policy ?

Prefilter is part of access control policy.  Infact it is the first phase of access control policy.  As mentioned earlier prefilter skips many of the more indepth inspections that occur in regular access control policy or even bypass inspection all together.

3. what is tunnel rule vs pre filter rule ?

Tunnel rule matches on a specific tunnel.  That is plain text packets that are encapsulated with an outer header.  I specify plain text because if the inner packet Prefilter rules match traffic that is not classified as tunneled (encapsulated).  Something to keep in mind is that tunneled rules are bidirection while prefilter rules are unidirectional.

4. why we use tunnel zone and what is tunnel rezoning and why its required? 

Tunnel zones are used to prefilter encapsulated packets.  That is, when a plain text encapsulated packet arrives inspection is done on the outer header.  Then you need to rezone the tunnel so the FTD device understands that encapsulated packets are part of the same connection.  This also gives you the option to perform custom inspections on the encapsulated connections.

5. need explanations about Pre filter policy its actions are (analyze,block,fastpath), then in Default action: Analyze all tunnel traffic & Block all tunnel traffic ?

Not entirely sure what you are looking for here.  It is fairly self explanitory with regard to the actions you can take.  But I will explane them anyway.

Analyze -  Analyze traffic with access control policy using the inner header of the encapsulated connection

Block - Block all encapsulated connections

Fastpath - No action is taken on the packet and it is just forwarded

6. How pass through tunnel works with access control policy and encapsulation and inner and outer header?

First, of course, the outer header is handled by prefilter.  At this stage you can block, fastpath, or analyze the encapsulated connection.

If you rezone the encapsulated connection (tunnel) the FTD will then  handle the inner header.

If the tunnel is encrypted then only the outer header is considered when it is being inspected as the FTD can not see into the encrypted packet.  That is unless the FTD is the termination point of the VPN, unecrypts and inspects the traffic, then re-encrypts and sends it.

--

Please remember to select a correct answer and rate helpful posts