Next-Generation Firewall
Objects > Security Profiles > Mobile Network Protection
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
-
-
-
-
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1
Objects > Security Profiles > Mobile Network Protection
The Mobile Network Protection profile enables the firewall to inspect GPRS tunneling
protocol (GTP) traffic in 4G networks and Packet Forwarding Control Protocol (PFCP) or
HTTP/2 traffic in 5G networks. To view this profile, you must enable GTP Security in
Device > Setup >
Management.
Use the options in this profile to enable stateful inspection of:
- 5G HTTP/2
- GTP v1-C
- GTP v2-C
- GTP-U
- PFCP
GTP Inspection Profile Settings | |
---|---|
GTP Inspection | |
GTP-C
|
|
GTP-U
|
Enabling stateful inspection for GTPv1-C, GTPv2-C, or both
automatically enables GTP-U stateful inspection.
You can specify the following validity checks for GTP-U payloads.
You can also configure an allow, block, or alert action for:
|
5G-C
|
For 5G, enable 5G-HTTP2 to enable inspection
of 5G HTTP/2 control packets, which can contain subscriber IDs,
equipment IDs, and network slice information. This allows you to
correlate subscriber ID (IMSI), equipment ID (IMEI), and network
slice ID information learned from HTTP/2 messages with the IP
traffic encapsulated in GTP-U packets.
Enabling 5G-HTTP2 disables GTP-C for the
profile.
|
PFCP
|
For PFCP, enable Stateful Inspection to
inspect PFCP traffic. When you enable stateful inspection for PFCP
traffic, the firewall inspects the traffic between the MEC and the
remote or central site to help prevent attacks such as Denial of
Service (DoS) or spoofing.
If you enable this option, Actions for GTP-U End User IP Address
Spoofing are not available. You can specify the following state checks:
You can then specify the Action
(Allow, Alert, or
Block) you want the firewall to take when
the check is unsuccessful.
You can also select if you want the firewall to create a log at the
beginning or ending of the PFCP associations or sessions.
|
Correlation | |
UEIP Correlation
|
Enables correlation and mapping of subscriber ID and equipment ID to
the User Equipment (UE) IP address.
|
Mode
|
|
User Plane GTP-U Encapsulation | Based on your deployment, select whether you want to use
User Plane GTP-U Encapsulation:
|
Source
|
Select the source that you want the firewall to use to correlate the
control plane and user plane information for enforcement of
subscriber-level and equipment-level Security policy. The firewall
inspects traffic for the source type you select to process and
extracts 5G/4G identity information, such as subscriber ID (SUPI or
IMSI), equipment ID (PEI or IMEI), and the IP address of the user
equipment (UE), to correlate with 5G/4G subscriber IP traffic.
|
Log at UEIP Start
|
Log UEIP correlation events when the firewall allocates an IP address
to the UE.
|
Log at UEIP End
|
Log UEIP correlation events when the firewall releases the allocated
IP address.
|
Filtering Options | |
RAT Filtering
|
All Radio Access Technologies (RAT) are allowed by default. GTP-C
Create-PDP-Request and Create-Session-Request messages are filtered
or allowed based on the RAT filter. You can specify whether to
allow, block, or alert on the following RAT that the user equipment
uses to access the mobile core network:
The following RATs are available when enabling
5G-HTTP2:
|
IMSI Filtering
|
IMSI is a unique identification associated with a subscriber in GSM,
UMTS, and LTE networks provisioned in the Subscriber Identity Module
(SIM) card.
An IMSI is presented as a 15-digit number (8 bytes) but can be
shorter. IMSI is composed of three parts:
The IMSI Prefix combines the MCC and MNC and
allows you to allow,
block, or alert
GTP traffic from a specific PLMN. By default all IMSI are
allowed.
You can either manually enter or import a CSV file with IMSI or IMSI
prefixes into the firewall. The IMSI can include wildcards, for
example, 310* or 240011*.
The firewall supports a maximum of 5,000 IMSI or IMSI prefixes.
|
APN Filtering
|
The APN is a reference to a GGSN or PGW that user equipment requires
to connect to the internet. In 5G, one format of Data Network Name
(DNN) is the APN. The APN is composed of one or two identifiers:
All APNs are allowed by default. The APN filter enables you to allow,
block, or alert GTP traffic based on the APN value. GTP-C
Create-PDP-Request and Create-Session-Request messages are filtered
or allowed based on the rules defined for APN filtering.
You can manually add or import an APN filtering list into the
firewall. The value for the APN must include the network ID or the
domain name of the network (for example, example.com) and,
optionally, the operator ID.
For APN filtering, the wildcard '*' allows you to match for all APN.
A combination of '*' and other characters is not supported for
wildcards. For example, "internet.mnc* " is treated as a regular APN
and will not filter all entries that start with internet.mnc.
The firewall supports a maximum of 1,000 APN filters.
|
GTP Tunnel Limit | |
Max Concurrent Tunnels Allowed per Destination
|
Limit the maximum number of GTP-U tunnels to a destination IP
address; for example, to the GGSN (range is 0–100,000,000
tunnels)
|
Alert at Max Concurrent Tunnels per Destination
|
Specify the threshold at which the firewall triggers an alert when
the number of maximum GTP-U tunnels to a destination have been
established. A GTP log message of high severity is generated when
the configured tunnel limit is reached.
|
Logging frequency
|
Specify the number of events that the firewall counts before it
generates a log when the configured GTP tunnel limits are exceeded.
This setting allows you to reduce the volume to messages logged
(range is 0 to 100,000,000; default is 100).
|
Overbilling Protection
|
Select the virtual system that serves as the Gi/ SGi firewall on your
firewall. The Gi/ SGi firewall inspects the mobile subscriber IP
traffic traversing over the Gi/ SGi interface from the PGW or GGSN
to the external PDN (packet data network) such as the internet and
secures internet access for mobile subscribers.
Overbilling can occur when a GGSN assigns a previously used IP
address from the End User IP address pool to a mobile subscriber.
When a malicious server on the internet continues to send packets to
this IP address as it did not close the session initiated for the
previous subscriber and the session is still open on the Gi
firewall. To disallow data from being delivered, whenever a GTP
tunnel is deleted (detected by delete-PDP or delete-session message)
or timed-out, the firewall enabled for overbilling protection
notifies the Gi/ SGi firewall to delete all the sessions that belong
to the subscriber from the session table. GTP Security and SGi/ Gi
firewall should be configured on the same physical firewall, but can
be in different virtual systems. To delete sessions based on GTP-C
events, the firewall needs to have all the relevant session
information and this is possible only when you manage traffic from
the SGi + S11 or S5 interfaces for GTPv2 and Gi + Gn interfaces for
GTPv1 in the mobile core network.
|
Other Log Settings By default the
firewall does not log allowed GTP or PFCP messages. You can
selectively enable logging of allowed GTP and PFCP messages for
troubleshooting when needed as it will generate a high volume of
logs. In addition to allowed log messages, this tab also allows you
to selectively enable logging of user location
information. | |
GTPv1-C Allowed Messages
|
Log allowed GTPv1-C messages if you have enabled stateful inspection
for GTPv1-C. These messages help you troubleshoot issues.
By default, the firewall does not log allowed messages. The logging
options for allowed GTPv1-C messages are:
|
Log User Location
|
Include the user location information, such as area code and Cell ID,
in GTP logs.
|
Packet Capture
|
Capture GTP events.
|
GTPv2-C Allowed Messages
|
Selectively enable logging of the allowed GTPv2-C messages if you
enabled stateful inspection for GTPv2-C. These messages generate
logs to help you troubleshoot issues as needed.
By default, the firewall does not log allowed messages. The logging
options for allowed GTPv2-C messages are:
|
GTP-U Allowed Messages
|
Selectively enable logging of the allowed GTP-U messages if you
enable stateful inspection for GTPv2-C or GTPv1-C. These messages
generate logs to help you troubleshoot issues as needed.
The logging options for allowed GTP-U messages are:
|
G-PDU Packets Logged per New GTP-U Tunnel
|
Verify that the firewall is inspecting GTP-U PDUs. The firewall
generates a log for the specified number of G-PDU packets in each
new GTP-U tunnel (range is 1–10; default is 1).
|
5G-C Allowed Messages
|
Select N11 to selectively enable logging of
allowed N11 messages. N11 messages help you with troubleshooting and
provide deeper visibility into the HTTP/2 messages exchanged over an
N11 interface for different procedures. This field is available only
if you enabled 5G-HTTP2 on the
5G-C tab in the Mobile Network Protection
profile.
|
PFCP Allowed Messages
|
Selectively enable logging of the allowed PFCP messages if you enable
stateful inspection for PFCP. These messages help you troubleshoot
issues.
The logging options for allowed PFCP messages are:
|