>
    5G Traffic Testing
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. CN-Series HSF
    4. CN-Series HSF: Use Cases
    5. 5G Traffic Testing
    Download PDF
    CN-Series

    5G Traffic Testing

    Table of Contents

    5G Traffic Testing

    Where Can I Use This?What Do I Need?
    • CN-Series deployment
    • CN-Series 10.1.x or above Container Images
    • Panorama running PAN-OS 10.1.x or above version
    • Helm 3.6 or above version client
    Securing the network edge requires balancing traffic inspection and control (security requirements) with high bandwidth, low latency, and real-time access (user experience). These issues are exponentially more difficult if traffic is processed by many firewalls, if applications are hosted on edge sites, or if the network edge is an aggregation point for IoT data. Additionally, the separation of the user and the control plane in 5G networks makes it difficult to apply security policy at the subscriber or device level and lacks context-based visibility for threats. Firewalls placed with N3 and N4 interface provide:
    • Signaling level visibility between connected devices
    • Stateful inspection of PFCP & GTP-U
    • Correlate subscriber ID/ Equipment-ID /Slice-ID with GTP-U traffic vulnerabilities
    The following are the 5g traffic use cases for CN-Series HSF:
    The following diagram illustrates an enterprise that uses a private 5G network. The 5G core functions are cloud-based or in the central site of the service provider. The connection between the 5G access and the UPF uses the N3 interface. The GTP-U tunnels carry the user plane traffic on the N3 interface. The connection between the UPF and the Session Management Function (SMF) uses the N4 interface. The PFCP protocol exchanges packet forwarding rules using UDP exchanges on the N4 interface.
    This diagram illustrates MEC in a 5G network where the User Plane Function (UPF) is at the edge or MEC location and the 5G core functions are cloud-based or at the central site of the service provider. The connection between the 5G access and the UPF uses the N3 interface and the GTP-U tunnels carry the user plane traffic over the N3 interface. The connection between UPF and the SMF uses the N4 interface and the PFCP protocol exchanges packet forwarding rules using UDP over the N4 interface.

    5G Security with N3+N4 Visibility and Correlation Policy

    This test case evaluates the ability of the CNF cluster to inspect and secure the traffic from N3+N4 interfaces.
    1. As a first step towards inspecting and securing the traffic from N3+N4 interfaces, you will need to enable GTP Security.
      1. Log in to the firewall web interface.
      2. Select DeviceSetupManagementGeneral Settings and Select GTP-U Security.
      3. Click OK.
      4. Commit the change.
      5. Select DeviceSetupOperations and Reboot Device.
    2. Create a Mobile Network Protection Profile and enable GTP-U inspection.
      1. Select ObjectsSecurity ProfilesMobile Network Protection.
      2. Add a profile and enter a Name, such as 5G_Mobile_Network_Protection.
      3. On the PFCP tab, enable Stateful Inspection.
    3. Select which state checks you want the firewall to perform on PFCP traffic and the action you want the firewall to take if a state check is not successful.
      1. Determine the state checks you want to use.
        • Check Association Messages—Checks for any PFCP association messages that are out of order or that have been rejected.
        • Check Session Messages—Checks for any PFCP session messages that are out of order or that have been rejected; verifies that all PFCP session messages match an existing PFCP association; alerts or drops PFCP session messages that arrive before the PFCP association is set up.
        • Check Sequence Number—Confirms that the sequence number in the PFCP response matches the sequence number in the preceding PFCP request message.
      2. Select the action you want the firewall to take if a state check is not successful.
        • allow—Allow the traffic and do not generate a log entry in the GTP log.
        • block—Block the traffic and generate a high-severity log entry in the GTP log.
        • alert—(Default) Allow the traffic and generate a high-severity log entry in the GTP log.
    4. (Optional) Configure logging for PFCP inspection.
      1. Select when you want the firewall to generate a log entry.
        • Log at PFCP association start
        • Log at PFCP association end
        • Log at PFCP session start
        • Log at PFCP session end
    5. Enable the Other log settings for PFCP and GTP-U messages
      1. On the Other Log Settings tab, select the type of PFCP Allowed Messages you want to include in the logs.
        Enable these options for troubleshooting only.
        • Session Establishment—These PFCP messages set up the session, including establishing the GTP-U tunnel.
        • Session Modification—These PFCP messages are sent if the session ID or PDR ID changes (for example, as a result of moving from a 4G to a 5G network. It includes messages such as PFCP Session Modification Request and PFCP Session Modification Response.
        • Session Deletion—These PFCP messages terminate the PFCP session, including releasing associated resources.
    6. Create two security policies with source and destination as N3 and N4 interfaces, Application as GTP-U and PFCP respectively.
      1. Select PoliciesSecurity and Add a Security policy rule by Name.
      2. Select Source tab and Add a Source Zone or select Any.
      3. For Source Address, Add the address objects for the 5G element endpoints on the N3 interface.
      4. For Destination, Add the Destination Address address objects for the 5G element endpoints on the N3 interface.
      5. Add the Applications to allow, such as the user plane, which is GTP-U and PFCP.
      6. On the Actions tab, select the Action, such as Allow.
      7. Select the Mobile Network Protection profile you created.
      8. Select other profiles you want to apply, such as Vulnerability Protection.
      9. Select Log Settings, such as Log at Session Start and Log at Session End.
      10. Click OK.
      11. Similarly, create another security policy for N4 interface.
    7. (Optional) Create another Security policy rule based on Equipment ID/Subscriber ID/Network Slice ID, based protection by entering the EDL information in source.
      1. Select PoliciesSecurity and Add a Security policy rule by Name, for example, Equipment ID Security.
      2. Select Source tab and Add a Source Zone or select Any.
      3. Add one or more Source Equipment IDs in any of the following formats:
        • 5G Permanent Equipment Identifier (PEI) including IMEI
        • IMEI (15 or 16 digits)
        • IMEI prefix of eight digits for Type Allocation Code (TAC)
        • EDL that specifies IMEIs
      4. (Optional) You can add Source Subscriber and Network Slice names to this Security policy rule to make the rule more restrictive.
      5. Specify Destination Zone, Destination Address, and Destination Device as Any.
      6. Add the Applications to allow, for example, ssh, ssl, radmin, and telnet.
      7. On the Actions tab, select the Action, such as Allow.
      8. Select profiles you want to apply, such as Antivirus, Vulnerability Protection, and Anti-Spyware.
      9. Select Log Settings, such as Log at Session Start and Log at Session End.
      10. Click OK.
        Expected Test Result:
        • Verify the GTP-U logs in the monitor section.
        • Verify the details section of the log, for visibility into subscriber, equipment, network slice information.
        • Observe that the Rule hitcount increases.

    Inbound/Oubound Protection with Application Identification and Threat Inspection

    This test case evaluates the ability for the CNF cluster to inspect and secure the inbound and outbound traffic on N6 interface.
    The N6 interface carries clear text traffic over TCP/UDP towards the internet. Now, with the VM-Series firewall deployed on the N6 interface, you can get complete visibility into application usage. .The firewall can implement security with CDSS subscription like - TP, Adv-URL Filtering, Wildfire, DNS security on allowed traffic.
    The following steps are an outline to execute this test case. For details on executing individual steps, see 5G Security with N3+N4 Visibility and Correlation Policy.
    1. Create a security policy for N6 interface with appropriate zones and interface.
    2. Use the default security profiles or create a custom category for URL filtering, wildfire, vulnerability protection and so on.
    3. (Optional) Create a custom profile for allowed URL Under the URL category.
    4. (Optional) Create multiple security policies matching different criterias. While creating the security policy, select the profiles created in step 3.
    5. Send Traffic.
    6. Send malicious traffic in inbound / outbound directions and verify if the traffic is blocked.
      Expected Result:
      • Hit count of the policy increases.
      • Check the appropriate logs for URL filtering, Traffic, and threat logs.

    © 2024 Palo Alto Networks, Inc. All rights reserved.