: Mobile Network Infrastructure Feature Support
Focus
Focus

Mobile Network Infrastructure Feature Support

Table of Contents

Mobile Network Infrastructure Feature Support

Review the Palo Alto Networks Next-Generation Firewall models and PAN-OS® software versions that support GTP, SCTP, 5G, PFCP, and RADIUS Security, as well as 3GPP Technical Standards.
Review the lists of Specific Palo Alto Networks firewall models and PAN-OS® software versions that support GTP, SCTP, 5G, PFCP, and RADIUS Security, as well as 3GPP Technical Standards:

PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security

The following table lists which firewall models and PAN-OS software versions support the following security methods:
  • General Packet Radio Service (GPRS) Tunnelling Protocol (GTP) security
  • Stream Control Transmission Protocol (SCTP) security
  • 5G security
Firewall Model
PAN-OS 9.1 (GTP and SCTP)
PAN-OS 10.1 (GTP, SCTP, and 5G)
PAN-OS 10.2 (GTP, SCTP, and 5G)
PAN-OS 11.0 (GTP, SCTP, and 5G)
PAN-OS 11.1 (GTP, SCTP, and 5G)
PAN-OS 11.2 (GTP, SCTP, and 5G)
VM-Series Firewalls
CN-Series Firewalls*
PA-7500 Firewalls (Standalone only)
PA-7000 Series Firewalls that use three of the following cards**:
  • PA-7000-100G-NPC card;
  • PA-7000-LFC-A card; and
  • PA-7050-SMC-B card
    OR
    PA-7080-SMC-B card
PA-5410, PA-5420, and PA-5430 Firewalls
PA-5440 Firewalls
PA-5445 Firewalls
PA-5450 Firewalls
PA-5200 Series Firewalls
PA-3430 and PA-3440 Firewalls
* CN-Series Daemonset mode supports GTP, SCTP, and 5G security in PAN-OS 10.1 and later PAN-OS versions. Additionally, CN-Series firewalls running PAN-OS 10.2 and later PAN-OS versions support GTP, SCTP, and 5G security in both K8s cloud-native network (CNF) mode and Daemonset mode.
** To verify that your PA-7000 Series firewall is installed with the cards that support GTP and SCTP, use the show chassis inventory CLI command. However, it is possible that cards are installed but are not functional if your firewall does not account for all dependencies. Refer to the PA-7000 Series Firewall Hardware Reference for installation instructions and to review the dependencies for each card.

PAN-OS Releases by Model that Support Intelligent Security Correlation (PFCP, RADIUS, and GTP)

The following table lists which firewall models and PAN-OS software versions support Intelligent Security Correlation:
  • Packet Forwarding Control Protocol (PFCP)
  • Remote Authentication Dial-In User Service (RADIUS)
  • General Packet Radio Service (GPRS) Tunnelling Protocol (GTP)
Firewall Model
PAN-OS 11.0 (PFCP* and RADIUS**)
PAN-OS 11.1 (PFCP and RADIUS
PAN-OS 11.2 (PFCP, RADIUS, and GTP)
VM-Series Firewalls
CN-Series Firewalls
PA-7000 Series Firewalls that use three of the following cards***:
  • PA-7000-100G-NPC card;
  • PA-7000-LFC-A card; and
  • PA-7050-SMC-B card
    OR
    PA-7080-SMC-B card
PA-5410, PA-5420, PA-5430, PA-5440, and PA-5450 Firewalls
PA-5445 Firewalls
PA-5200 Series Firewalls
PA-3430 and PA-3440 Firewalls
* In PAN-OS 11.0, we support only 4G CUPS architecture for Intelligent Security with PFCP.
** We support Intelligent Security with RADIUS in PAN-OS 11.0.2 and all later PAN-OS versions.
*** To verify that your PA-7000 Series firewall is installed with the cards that support PFCP, RADIUS, and GTP, use the show chassis inventory CLI command. However, it is possible that cards are installed but are not functional if your firewall does not account for all dependencies. Refer to the PA-7000 Series Firewall Hardware Reference for installation instructions and to review the dependencies for each card.

3GPP TS References for GTP Security

3GPP TS references for GTP security on firewalls that support GTP security.
Protocol3GPP TS3GPP TS Release
PAN-OS 10.2
PAN-OS 10.1
GTPv2-C
29.274
Up to 15.2
GTPv1-C
29.060
Up to 15.5.0
GTP-U
29.281
Up to 15.0.0
43.129
15.0.0
23.401
15.12.0
PAN-OS 9.1
GTPv2-C
29.274
Up to 15.2
GTPv1-C
29.060
Up to 15.1
GTP-U
29.281
Up to 15.0.0
GTPv2-C
29.274
Up to 13.4
GTPv1-C
29.060
Up to 13.4
GTP-U
29.281
Up to 13.0

3GPP TS References for 5G Security

3GPP Technical Standards references for 5G network slice, 5G subscriber ID, and 5G equipment ID security on firewalls that support GTP security.
  • Procedures for the 5G System (5GS)
  • 5GS Session Management Services
3GPP TS3GPP TS Release
PAN-OS 10.2
PAN-OS 10.1
23.502
Up to 15.5.0
29.502
Up to 15.4.0

3GPP TS References for 5G Multi-Edge Security

5G Multi-Edge Security supports Packet Forwarding Control Protocol (PFCP) messages over N4 interfaces for the following technical specifications in the 3GPP TS release:
  • Interface between the Control Plane and the User Plane nodes
3GPP Technical Standards reference for 5G Multi-Edge Security on firewalls that support 5G MEC Security:
3GPP TS3GPP TS Release
PAN-OS 10.2
PAN-OS 10.1
29.244
Up to 16.5.0

3GPP TS References for UE-to-IP Address Correlation with PFCP in 4G

The below table provides the 3GPP Technical Standards reference for firewalls that leverage User Equipment (UE)-to-IP Address Correlation using the Packet Forwarding Control Protocol (PFCP) for 4G network traffic.
3GPP TS3GPP TS Release
PAN-OS 11.0
23.214
Up to 16.2.0
29.244
Up to 16.9.1