Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation

For networks using control plane and user plane separation (CUPS) architecture for 5G migration, learn how to correlate user equipment (UE) to IP addresses using Intelligent Security.
As mobile service providers migrate from 4G/LTE to 5G, management plane (also referred to as the control plane) and user plane separation (CUPS) architecture is a common deployment in 4G networks. With CUPS architecture, the user plane function (UPF) is closer to the enterprise (either on the edge service or in an on-premises location) while the management plane remains in a central location, such as a data center.
Subscriber ID (IMSI) and equipment ID (IMEI) correlation requires inspection of both management plane and user plane traffic by the same firewall. During migration to a CUPS architecture, UEIP Correlation (also referred to as Intelligent Security) provides a way to ensure uninterrupted Security policy enforcement through correlation of the subscriber ID and equipment ID to user equipment (UE) IP-based traffic and GTP-U content inspection.
For a solution for 5G networks, refer to 5G Multi-access Edge Computing Security.
The firewall monitors traffic for PFCP control messages at the Sxb interface and extracts the User Equipment IP address (UE_IP) and Mobile User Identification (User_ID), which it uses to map the UE_IP to the IMEI, the IMSI, or both. It adds the mapping to a database and uses the mapping to perform GTP-U content inspection. You can query the database for the UE_IP to view the correlated Mobile User information for the UE Internet Protocol traffic inside the GTP-U tunnels that comprise the CUPS architecture.
If you enable UEIP Correlation, the following options are not available in the same Mobile Network Protection Profile:
  • GTP-C
  • 5G-C
  • Packet Forwarding Control Protocol (PFCP)
The following diagram represents a possible configuration for correlation for a 4G MEC topology using CUPS architecture:
S1-U represents a 3GPP interface that connects a 4G radio access network (RAN) to the serving gateway user plane (SGW-U) and PDN gateway user plane (PGW-U) combo node using the GTP-U protocol. The management plane (Sxb) is a 3GPP interface that connects the PGW-U in the MEC location to the PGW-C in the 4G core at the central location (such as a public cloud or on-premises data center) using the PFCP protocol.
The SGI is also a 3GPP interface that connects the PGW-U to the external network (such as the internet or enterprise IT data center) using traditional IP-based interfaces.
In this topology, you can deploy the firewall as external to the MEC host in a hardware form factor or deploy the firewall on an MEC host in a virtual or container form factor.
To enforce Security policy based on subscriber ID or equipment ID for a 4G MEC-based enterprise, position the firewall on the user plane (S1-U) and management plane (Sxb) interfaces at the MEC location.
The firewall inspects the management plane to extract information for correlation with the user plane, providing subscriber and equipment-level visibility, as well as policy control for vulnerabilities, malware, viruses, URLs, C2, and applications at the SP’s MEC location.
To support correlation, the PFCP control message must contain the UE_IP and related User ID IE (Information Element).
  1. Select Objects > Security Profiles > Mobile Network Protection.
  2. Add or Edit a profile.
  3. Select Correlation and enable UEIP Correlation.
  4. Select the handling Mode to define the action if a query for the correlated information isn't successful.
    • Loose—(Default) When the firewall detects GTP-U inner traffic, it queries the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
    • Strict—Drops the traffic if the GTP-U query does not return any results.
  5. Select the Source that you want the firewall to use to correlate the management plane and user plane information for subscriber-level and equipment-level Security policy enforcement. The firewall inspects traffic of the source type you select to extract 5G/4G identity information, such as the subscriber ID (SUPI or IMSI), the equipment ID (PEI or IMEI), and the IP address of the user equipment (UE), and correlates it with the 5G/4G subscriber IP traffic.
    • PFCP—Inspect PFCP traffic. For deployments using CUPS, select PFCP.
  6. (Optional but recommended) Select whether you want to log UEIP correlation events when the firewall allocates an IP address to the UE (Log At Ueip Start), when the firewall releases the allocated IP address (Log At Ueip End), or both.
    The firewall logs the following GTP events during correlation, which you can view by going to Monitor > Logs > GTP:
    • UEIP mapping start
    • UEIP mapping end
    The logs contain the following user information:
    • Subscriber Identity (including IMSI and SUPI)
    • Equipment Identity (including IMEI and PEI)
    • End User IP address allocated to UE
  7. Click OK to save your changes.
  8. (Optional but recommended) To configure security policy for the control or management plane (Sxb) interface using the Mobile Network Protection Profile, enable stateful inspection for GTP traffic.
  9. Confirm that the profile is Enabled (Policies > Security > Security Policy Rule > Actions > Profile Setting > Mobile Network Protection) to attach it to the security policy for the user plane external (S1U) interface and Commit the changes.
  10. To configure security policy for inner traffic from applications, use App-IDs to configure the Mobile Network Protection Profile in a Security policy and allow the necessary traffic to correlate the IP address with the subscriber ID and equipment ID.
    1. Using App-ID, configure a Security policy rule for the Sxb interface that allows PFCP traffic between the Sxb nodes (PGW-C and PGW-U) and select the Mobile Network Protection Profile you configured as the Profile Setting (traffic can originate from either endpoint).
    2. Using App-ID, configure a Security policy rule for the S1-U interface that allows GTP-U traffic between the S1-U nodes (eNodeB and SGW-U) and select the Mobile Network Protection Profile you configured as the Profile Setting (traffic can originate from either endpoint).
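The correlation mechanism described above (PFCP inspection on Sxb, a UE_IP to IMSI/IMEI mapping database, and the Loose/Strict handling mode for GTP-U inner traffic in step 4) is easier to reason about with a small model. The following is an added example written for this page, not Palo Alto Networks code and not a description of the firewall's internal implementation. It parses a constructed PFCP Session Establishment Request to pull out the UE IP Address IE (nested in Create PDR/PDI) and the User ID IE (IMSI and IMEI), records the mapping keyed by SEID, removes it on Session Deletion, and then decides forward or drop for inner addresses according to the selected mode. The IE type numbers, flag bits and TBCD layout are taken from 3GPP TS 29.244 as the editor understands it; the message bytes, SEID, IMSI, IMEI and addresses are constructed sample values.

```python
"""Added illustration of UEIP correlation (editor's example, not vendor code).
Parses a constructed PFCP Session Establishment Request, builds the UE_IP ->
IMSI/IMEI mapping, and applies the Loose/Strict mode to GTP-U inner addresses.
IE types and layouts follow 3GPP TS 29.244 as understood by the editor."""
import ipaddress
import struct

# PFCP message and IE types (3GPP TS 29.244)
SESSION_ESTABLISHMENT_REQUEST = 50
SESSION_DELETION_REQUEST = 54
IE_CREATE_PDR = 1      # grouped IE
IE_PDI = 2             # grouped IE nested in Create PDR; carries UE IP Address
IE_UE_IP_ADDRESS = 93
IE_USER_ID = 141
GROUPED_IES = {IE_CREATE_PDR, IE_PDI}


def tbcd_decode(raw: bytes) -> str:
    """TBCD digits: low nibble first, 0xF is filler."""
    nibbles = (n for b in raw for n in (b & 0x0F, b >> 4))
    return "".join(str(n) for n in nibbles if n != 0xF)


def tbcd_encode(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def iter_ies(buf: bytes):
    """Walk a flat sequence of PFCP IEs (2-byte type, 2-byte length, value)."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, length = struct.unpack_from("!HH", buf, off)
        yield ie_type, buf[off + 4:off + 4 + length]
        off += 4 + length


def parse_pfcp(msg: bytes):
    """Return (message type, SEID, body) for a PFCP v1 message with the S flag set."""
    flags, msg_type, length = struct.unpack_from("!BBH", msg, 0)
    if flags >> 5 != 1 or not flags & 0x01:
        raise ValueError("expected a PFCP v1 message carrying a SEID")
    seid = struct.unpack_from("!Q", msg, 4)[0]
    return msg_type, seid, msg[16:4 + length]   # skip 8-byte SEID, 3-byte seq, spare


def extract_ue_identity(body: bytes) -> dict:
    """Find UE_IP (inside Create PDR/PDI) and IMSI/IMEI (User ID IE)."""
    found = {"ue_ip": None, "imsi": None, "imei": None}

    def walk(buf):
        for ie_type, v in iter_ies(buf):
            if ie_type in GROUPED_IES:
                walk(v)
            elif ie_type == IE_UE_IP_ADDRESS:
                fl, off = v[0], 1
                if fl & 0x02:                                  # V4 flag
                    found["ue_ip"] = str(ipaddress.IPv4Address(v[off:off + 4]))
                    off += 4
                if fl & 0x01 and found["ue_ip"] is None:       # V6 flag, IPv4 preferred
                    found["ue_ip"] = str(ipaddress.IPv6Address(v[off:off + 16]))
            elif ie_type == IE_USER_ID:
                fl, off = v[0], 1
                for bit, key in ((0x01, "imsi"), (0x02, "imei")):  # IMSIF, IMEIF
                    if fl & bit:
                        n = v[off]
                        found[key] = tbcd_decode(v[off + 1:off + 1 + n])
                        off += 1 + n
    walk(body)
    return found


class UeipCorrelator:
    """Mapping database plus the Loose/Strict decision for GTP-U inner traffic."""

    def __init__(self, mode: str = "loose"):
        assert mode in ("loose", "strict")
        self.mode = mode
        self.by_seid, self.by_ip, self.gtp_log = {}, {}, []

    def on_pfcp(self, msg: bytes) -> None:
        msg_type, seid, body = parse_pfcp(msg)
        if msg_type == SESSION_ESTABLISHMENT_REQUEST:
            entry = extract_ue_identity(body)
            # Correlation needs the UE_IP and at least one identity in the message.
            if entry["ue_ip"] and (entry["imsi"] or entry["imei"]):
                self.by_seid[seid] = self.by_ip[entry["ue_ip"]] = entry
                self.gtp_log.append(("UEIP mapping start", entry))
        elif msg_type == SESSION_DELETION_REQUEST:
            entry = self.by_seid.pop(seid, None)
            if entry:
                self.by_ip.pop(entry["ue_ip"], None)
                self.gtp_log.append(("UEIP mapping end", entry))

    def inspect_inner(self, src: str, dst: str):
        """Query the source, then the destination, of GTP-U inner traffic."""
        entry = self.by_ip.get(src) or self.by_ip.get(dst)
        if entry:
            return "forward", entry
        return ("forward" if self.mode == "loose" else "drop"), None


def _ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", ie_type, len(value)) + value


def _pfcp_header(msg_type: int, seid: int, body_len: int) -> bytes:
    # Flags 0x21: version 1, S=1. Length counts everything after the first 4 octets.
    return struct.pack("!BBHQ", 0x21, msg_type, 12 + body_len, seid) + b"\x00\x00\x01\x00"


def build_session_establishment(seid: int, ue_ip: str, imsi: str, imei: str) -> bytes:
    """Constructed sample Session Establishment Request (not a capture)."""
    ue_ip_ie = _ie(IE_UE_IP_ADDRESS, b"\x02" + ipaddress.IPv4Address(ue_ip).packed)
    imsi_b, imei_b = tbcd_encode(imsi), tbcd_encode(imei)
    user_id = _ie(IE_USER_ID, bytes([0x03, len(imsi_b)]) + imsi_b + bytes([len(imei_b)]) + imei_b)
    body = _ie(IE_CREATE_PDR, _ie(IE_PDI, ue_ip_ie)) + user_id
    return _pfcp_header(SESSION_ESTABLISHMENT_REQUEST, seid, len(body)) + body


def build_session_deletion(seid: int) -> bytes:
    return _pfcp_header(SESSION_DELETION_REQUEST, seid, 0)


if __name__ == "__main__":
    fw = UeipCorrelator("strict")   # constructed SEID, IMSI, IMEI and addresses
    fw.on_pfcp(build_session_establishment(0x1234, "10.45.0.7", "262011234567890", "35123456789012"))
    print(fw.inspect_inner("10.45.0.7", "203.0.113.10"))    # known UE: forward with identity
    print(fw.inspect_inner("10.45.0.9", "203.0.113.10"))    # unknown UE: strict drops
    fw.on_pfcp(build_session_deletion(0x1234))
    print(fw.gtp_log)                                       # mapping start and end events
```

The two decisions a practitioner should take from the model are the ones the profile exposes: a Session Establishment Request that lacks either the UE IP Address IE or a usable User ID IE produces no mapping at all (the requirement stated before the procedure), and in Strict mode any inner flow whose source and destination both miss the database is dropped, which is why Loose is the default while the Sxb and S1-U rules from step 10 are still being validated. A production inspector would also have to handle Session Modification, enterprise-specific IEs and IPv6 UEs, which this example leaves out.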