Enabling stateful inspection for either GTPv1-C and/or GTPv2-C automatically enables GTPU-U stateful inspection.

You can specify the following validity checks for GTP-U payloads.

In addition you can also configure an allow, block or alert action for:

For 5G, enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets, which can contain subscriber IDs, equipment IDs, and network slice information. This allows you to correlate subscriber ID (IMSI), equipment ID (IMEI), and network slice ID information learned from HTTP/2 messages with the IP traffic encapsulated in GTP-U packets.

Enabling 5G-HTTP2 disables GTP-C for the profile.

For Packet Forwarding Control Protocol (PFCP), enable Stateful Inspection to inspect PFCP traffic. When you enable stateful inspection for PFCP traffic, the firewall inspects the traffic between the MEC and the remote or central site to help prevent attacks such as Denial of Service (DOS) or spoofing.

You can specify the following state checks:

You can then specify the Action (Allow, Alert, or Block) you want the firewall to take when the check is unsuccessful.

You can also select if you want the firewall to create a log at the beginning or ending of the PFCP associations or sessions.

Enables correlation and mapping of subscriber ID and equipment ID to the User Equipment (UE) IP address.

Select the source that you want the firewall to use to correlate the control plane and user plane information for enforcement of subscriber-level and equipment-level security policy. The firewall inspects traffic for the source type you select to process and extract 5G/4G identity information, such as subscriber ID (SUPI or IMSI), equipment ID (PEI or IMEI) and the IP address of the user equipment (UE), to correlate with 5G/4G subscriber IP traffic.

Log UEIP correlation events when the firewall allocates an IP address to the UE.

Log UEIP correlation events when the firewall releases the allocated IP address.

All Radio Access Technologies (RAT) are allowed by default. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the RAT filter. You can specify whether to allow, block or alert on the following RAT that the user equipment uses to access the mobile core network:

The following RAT are available when enabling 5G-HTTP2:

IMSI (International Mobile Subscriber Identity) is a unique identification associated with a subscriber in GSM, UMTS and LTE networks that is provisioned in the Subscriber Identity Module (SIM) card.

An IMSI is usually presented as a 15-digit number (8 bytes) but can be shorter. IMSI is composed of three parts:

The IMSI Prefix combines the MCC and MNC and allows you to allow, block, or alert GTP traffic from a specific PLMN. By default all IMSI are allowed.

You can either manually enter or import a CSV file with IMSI or IMSI prefixes into the firewall. The IMSI can include wildcards, for example, 310* or 240011*.

The firewall supports a maximum of 5,000 IMSI or IMSI prefixes.

The Access Point Name (APN) is a reference to a GGSN/ PGW that user equipment requires to connect to the internet. In 5G, one format of Data Network Name (DNN) is the APN. The APN is composed of one or two identifiers:

All APNs are allowed by default. The APN filter enables you to allow, block, or alert GTP traffic based on the APN value. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the rules defined for APN filtering.

You can manually add or import an APN filtering list into the firewall. The value for the APN must include the network ID or the domain name of the network (for example, example.com) and, optionally, the operator ID.

For APN filtering, the wildcard '*' allows you to match for all APN. A combination of '*' and other characters is not supported for wildcards. For example, "internet.mnc* " is treated as a regular APN and will not filter all entries that start with internet.mnc.

The firewall supports a maximum of 1,000 APN filters.

Allows you to limit the maximum number of GTP-U tunnels to a destination IP address, for example to the GGSN (range is 0 to 100,000,000 tunnels)

Specify the threshold at which the firewall triggers an alert when the number of maximum GTP-U tunnels to a destination have been established. A GTP log message of high severity is generated when the configured tunnel limit is reached.

The number of events that the firewall counts before it generates a log when the configured GTP tunnel limits are exceeded. This setting allows you to reduce the volume to messages logged (range is 0 to 100,000,000; default is 100).

Select the virtual system that serves as the Gi/ SGi firewall on your firewall. The Gi/ SGi firewall inspects the mobile subscriber IP traffic traversing over the Gi/ SGi interface from the PGW/ GGSN to the external PDN (packet data network) such as the internet and secures internet access for mobile subscribers.

Overbilling can occur when a GGSN assigns a previously used IP address from the End User IP address pool to a mobile subscriber. When a malicious server on the internet continues to send packets to this IP address as it did not close the session initiated for the previous subscriber and the session is still open on the Gi firewall. To disallow data from being delivered, whenever a GTP tunnel is deleted (detected by delete-PDP or delete-session message) or timed-out, the firewall enabled for overbilling protection notifies the Gi/ SGi firewall to delete all the sessions that belong to the subscriber from the session table. GTP Security and SGi/ Gi firewall should be configured on the same physical firewall, but can be in different virtual systems. To delete sessions based on GTP-C events, the firewall needs to have all the relevant session information and this is possible only when you manage traffic from the SGi + S11 or S5 interfaces for GTPv2 and Gi + Gn interfaces for GTPv1 in the mobile core network.

Allows you to selectivity enable logging of the allowed GTPv1-C messages, if you have enabled stateful inspection for GTPv1?C. These messages generate logs to help you troubleshoot issues as needed.

By default, the firewall does not log allowed messages. The logging options for allowed GTPv1-C messages are:

Enables you to include the user location information, such as area code and Cell ID, in GTP logs.

Enables you to capture GTP events.

Enables you to selectively enable logging of the allowed GTPv2-C messages if you enabled stateful inspection for GTPv2-C. These messages generate logs to help you troubleshoot issues as needed.

By default, the firewall does not log allowed messages. The logging options for allowed GTPv2-C messages are:

Enables you to selectively enable logging of the allowed GTP-U messages if you enabled stateful inspection for GTPv2-C or GTPv1-C. These messages generate logs to help you troubleshoot issues as needed.

The logging options for allowed GTP-U messages are:

Enable this option to verify that the firewall is inspecting GTP-U PDUs. The firewall generates a log for the specified number of G-PDU packets in each new GTP-U tunnel (range is 1 to 10; default is 1).

Select N11 to selectively enable logging of allowed N11 messages. N11 messages help you with troubleshooting and provide deeper visibility into the HTTP/2 messages exchanged over an N11 interface for different procedures. This field is available only if you enabled 5G-HTTP2 on the 5G-C tab in the Mobile Network Protection profile.