Objects > Security Profiles > Mobile Network Protection
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Objects > Security Profiles > Mobile Network Protection
The Mobile Network Protection profile enables the firewall to inspect GPRS tunneling protocol
(GTP) traffic in 4G networks and Packet Forwarding Control Protocol (PFCP) or HTTP/2
traffic in 5G networks. To view this profile, you must enable GTP Security in Device > Setup >
Management.
Use the options in this profile to enable stateful inspection of:
- 5G HTTP/2
- GTP v1-C
- GTP v2-C
- GTP-U
- PFCP
GTP Inspection Profile Settings | |
---|---|
GTP Inspection | |
GTP-C |
|
GTP-U | Enabling stateful inspection for GTPv1-C, GTPv2-C, or both automatically enables GTP-U stateful
inspection. You
can specify the following validity checks for GTP-U payloads.
You can also configure an allow, block, or alert action for:
|
5G-C | For 5G, enable 5G-HTTP2 to
enable inspection of 5G HTTP/2 control packets, which can contain
subscriber IDs, equipment IDs, and network slice information. This
allows you to correlate subscriber ID (IMSI), equipment ID (IMEI),
and network slice ID information learned from HTTP/2 messages with
the IP traffic encapsulated in GTP-U packets.Enabling 5G-HTTP2 disables
GTP-C for the profile. |
PFCP | For PFCP, enable Stateful Inspection to inspect PFCP traffic. When you
enable stateful inspection for PFCP traffic, the firewall inspects
the traffic between the MEC and the remote or central site to help
prevent attacks such as Denial of Service (DoS) or spoofing. If you enable this option, Actions for GTP-U
End User IP Address Spoofing are not available. You can
specify the following state checks:
You can then specify the Action (Allow , Alert ,
or Block ) you want the firewall to take when
the check is unsuccessful. You can also select if you want
the firewall to create a log at the beginning or ending of the PFCP
associations or sessions. |
Correlation | |
UEIP Correlation | Enables correlation and mapping of subscriber ID and equipment ID to the User Equipment (UE) IP
address. |
Mode |
|
User Plane GTP-U Encapsulation | Based on your deployment, select whether you want to use
User Plane GTP-U Encapsulation :
|
Source | Select the source that you want the firewall to use to correlate the
control plane and user plane information for enforcement of
subscriber-level and equipment-level Security policy. The firewall
inspects traffic for the source type you select to process and
extracts 5G/4G identity information, such as subscriber ID (SUPI or
IMSI), equipment ID (PEI or IMEI), and the IP address of the user
equipment (UE), to correlate with 5G/4G subscriber IP traffic.
|
Log at UEIP Start | Log UEIP correlation events when the firewall allocates an IP address to the UE. |
Log at UEIP End | Log UEIP correlation events when the firewall
releases the allocated IP address. |
Filtering Options | |
RAT Filtering | All Radio Access Technologies (RAT) are allowed by default. GTP-C Create-PDP-Request and
Create-Session-Request messages are filtered or allowed based on the
RAT filter. You can specify whether to allow, block, or alert on the
following RAT that the user equipment uses to access the mobile core
network:
The following RATs are available when enabling 5G-HTTP2 :
|
IMSI Filtering | IMSI is a unique identification associated with a subscriber in GSM, UMTS, and LTE networks
provisioned in the Subscriber Identity Module (SIM) card. An IMSI is presented as a 15-digit number (8 bytes) but can be shorter. IMSI is composed of three
parts:
The IMSI
Prefix combines the MCC and MNC and allows you to allow , block ,
or alert GTP traffic from a specific PLMN.
By default all IMSI are allowed.You can either manually enter
or import a CSV file with IMSI or IMSI prefixes into the firewall.
The IMSI can include wildcards, for example, 310* or 240011*. The
firewall supports a maximum of 5,000 IMSI or IMSI prefixes. |
APN Filtering | The APN is a reference to a GGSN or PGW that user equipment requires to connect to the internet.
In 5G, one format of Data Network Name (DNN) is the APN. The APN is
composed of one or two identifiers:
All
APNs are allowed by default. The APN filter enables you to allow,
block, or alert GTP traffic based on the APN value. GTP-C Create-PDP-Request
and Create-Session-Request messages are filtered or allowed based
on the rules defined for APN filtering. You can manually add
or import an APN filtering list into the firewall. The value for
the APN must include the network ID or the domain name of the network
(for example, example.com) and, optionally, the operator ID. For
APN filtering, the wildcard '*' allows you to match for all APN.
A combination of '*' and other characters is not supported for wildcards.
For example, "internet.mnc* " is treated as a regular APN and will
not filter all entries that start with internet.mnc. The firewall
supports a maximum of 1,000 APN filters. |
GTP Tunnel Limit | |
Max Concurrent Tunnels Allowed per Destination | Limit the maximum number of GTP-U tunnels to a destination IP address; for example, to the GGSN
(range is 0–100,000,000 tunnels) |
Alert at Max Concurrent Tunnels per Destination | Specify the threshold at which the firewall
triggers an alert when the number of maximum GTP-U tunnels to a
destination have been established. A GTP log message of high severity
is generated when the configured tunnel limit is reached. |
Logging frequency | Specify the number of events that the firewall counts before it generates a log when the
configured GTP tunnel limits are exceeded. This setting allows you
to reduce the volume to messages logged (range is 0 to 100,000,000;
default is 100). |
Overbilling Protection | Select the virtual system that serves as the Gi/ SGi firewall on your firewall. The Gi/ SGi
firewall inspects the mobile subscriber IP traffic traversing over
the Gi/ SGi interface from the PGW or GGSN to the external PDN
(packet data network) such as the internet and secures internet
access for mobile subscribers. Overbilling can occur when a GGSN assigns a previously used IP address from the End User IP
address pool to a mobile subscriber. When a malicious server on the
internet continues to send packets to this IP address as it did not
close the session initiated for the previous subscriber and the
session is still open on the Gi firewall. To disallow data from
being delivered, whenever a GTP tunnel is deleted (detected by
delete-PDP or delete-session message) or timed-out, the firewall
enabled for overbilling protection notifies the Gi/ SGi firewall to
delete all the sessions that belong to the subscriber from the
session table. GTP Security and SGi/ Gi firewall should be
configured on the same physical firewall, but can be in different
virtual systems. To delete sessions based on GTP-C events, the
firewall needs to have all the relevant session information and this
is possible only when you manage traffic from the SGi + S11 or S5
interfaces for GTPv2 and Gi + Gn interfaces for GTPv1 in the mobile
core network. |
Other Log Settings By
default the firewall does not log allowed GTP or PFCP messages.
You can selectively enable logging of allowed GTP and PFCP messages
for troubleshooting when needed as it will generate high volume
of logs. In addition to allowed log messages, this tab also allows
you to selectively enable logging of user location information. | |
GTPv1-C Allowed Messages | Log allowed GTPv1-C messages if you have enabled stateful inspection for GTPv1-C. These messages
help you troubleshoot issues. By default, the firewall does not log allowed
messages. The logging options for allowed GTPv1-C messages are:
|
Log User Location | Include the user location information, such as area code and Cell ID, in GTP logs. |
Packet Capture | Capture GTP events. |
GTPv2-C Allowed Messages | Selectively enable logging of the allowed GTPv2-C messages if you enabled stateful inspection for
GTPv2-C. These messages generate logs to help you troubleshoot
issues as needed. By default, the firewall does not log allowed
messages. The logging options for allowed GTPv2-C messages are:
|
GTP-U Allowed Messages | Selectively enable logging of the allowed GTP-U messages if you enable stateful inspection for
GTPv2-C or GTPv1-C. These messages generate logs to help you
troubleshoot issues as needed. The logging options for allowed
GTP-U messages are:
|
G-PDU Packets Logged per New GTP-U Tunnel | Verify that the firewall is inspecting GTP-U PDUs. The firewall generates a log for the specified
number of G-PDU packets in each new GTP-U tunnel (range is 1–10;
default is 1). |
5G-C Allowed Messages | Select N11 to selectively
enable logging of allowed N11 messages. N11 messages help you with troubleshooting
and provide deeper visibility into the HTTP/2 messages exchanged
over an N11 interface for different procedures. This field is available
only if you enabled 5G-HTTP2 on the 5G-C tab
in the Mobile Network Protection profile. |
PFCP Allowed Messages | Selectively enable logging of the allowed PFCP messages if you enable stateful inspection for
PFCP. These messages help you troubleshoot issues. The logging options for allowed PFCP messages
are:
|