Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation
PAN-OS 11.1 & Later
If you use a control plane and user plane separation (CUPS) architecture for the migration from 4G to 5G, use Intelligent Security to correlate user equipment (UE) to its IP address.
The firewall monitors PFCP control messages on the N4 interface (5G, SMF to UPF) and the Sxb interface (4G, PGW-C to PGW-U) and extracts the user equipment IP address (UE_IP) and the mobile user identification (User_ID), which it uses to map the UE_IP to the IMEI, the IMSI, or both. It adds the mapping to the UEIP database and uses it during GTP-U content inspection. You can query the database for a UE_IP to view the correlated mobile user information for the UE IP traffic carried inside the GTP-U tunnels of the CUPS architecture.
If you enable UEIP Correlation, the following options cannot be enabled in the same Mobile Network Protection profile:
- GTP-C
- 5G-C
- Packet Forwarding Control Protocol (PFCP)
To support correlation, the PFCP control message must contain both the UE IP Address IE and the related User ID IE (Information Element); a session message that lacks either one produces no mapping.
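The following Python script is an added illustration (not code from this page or from Palo Alto Networks) of what the correlation described above has to do with the bytes on the N4/Sxb interface: it parses the PFCP header and its TLV-encoded IEs, descends into the grouped Create PDR / PDI IEs to find the UE IP Address IE, decodes the User ID IE (TBCD-packed IMSI and IMEI), and maintains a UE_IP-to-identity table that is populated on Session Establishment and torn down on Session Deletion, which requires linking the CP F-SEID in the request to the UP F-SEID in the response because the deletion is keyed by the latter. It also implements the Loose/Strict decision that the profile Mode selects. Message and IE type codes follow 3GPP TS 29.244; the SMF/UPF addresses, SEIDs, UE address and subscriber identities are constructed for the example, and only IPv4 UE addresses are decoded.

```python
import ipaddress, struct

# Message and IE type codes from 3GPP TS 29.244 (only the ones this example uses).
SESSION_EST_REQ, SESSION_EST_RESP, SESSION_DEL_REQ = 50, 51, 54
IE_CREATE_PDR, IE_PDI, IE_CREATED_PDR, IE_CAUSE, IE_PDR_ID, IE_FSEID, IE_UE_IP, IE_USER_ID = 1, 2, 8, 19, 56, 57, 93, 141
GROUPED = {IE_CREATE_PDR, IE_PDI, IE_CREATED_PDR}  # grouped IEs whose value is itself a list of IEs

def tbcd_decode(raw):  # TS 23.003 TBCD: two digits per octet, low nibble first, 0xF is filler
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)

def parse_ies(buf):  # flat TLV walk (2-octet type, 2-octet length); an overrunning IE is an error
    off = 0
    while off < len(buf):
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        if off + 4 + ie_len > len(buf):
            raise ValueError("IE length runs past end of message")
        yield ie_type, buf[off + 4:off + 4 + ie_len]
        off += 4 + ie_len

def find_ies(buf, wanted):  # every IE of a wanted type, descending into grouped IEs
    out = []
    for t, v in parse_ies(buf):
        out += [(t, v)] if t in wanted else []
        out += find_ies(v, wanted) if t in GROUPED else []
    return out

def parse_header(msg):  # -> (message type, header SEID or None, body of IEs)
    flags, mtype, length = struct.unpack_from("!BBH", msg, 0)
    if flags >> 5 != 1 or len(msg) != length + 4:
        raise ValueError("not a well-formed PFCP v1 message")
    seid = struct.unpack_from("!Q", msg, 4)[0] if flags & 0x01 else None  # S flag: 8-octet SEID present
    return mtype, seid, msg[(16 if flags & 0x01 else 8):]  # then 3 sequence octets and 1 spare octet

def decode_ue_ip(v):  # UE IP Address IE: flag bit 2 = IPv4 present; CHOOSE flags carry no address
    return [str(ipaddress.IPv4Address(v[1:5]))] if v[0] & 0x02 else []  # IPv6 (bit 1) not handled here

def decode_user_id(v):  # User ID IE: IMSIF/IMEIF/MSISDNF flags; each field is a length octet + TBCD
    flags, off, ids = v[0], 1, {}
    for bit, name in ((0x01, "imsi"), (0x02, "imei"), (0x04, "msisdn")):
        if flags & bit:
            ids[name] = tbcd_decode(v[off + 1:off + 1 + v[off]])
            off += 1 + v[off]
    return ids

def decode_fseid(v):  # F-SEID IE: one flag octet, then the 8-octet SEID, then the node address
    return struct.unpack_from("!Q", v, 1)[0]

class UeipDatabase:  # UE_IP -> identity table, driven by the N4/Sxb session lifecycle
    def __init__(self):
        self.by_ip, self.sessions, self.by_up_seid = {}, {}, {}

    def _map(self, cp_seid, body):  # record every UE IP Address IE in body against the session identity
        sess = self.sessions[cp_seid]
        ips = [ip for _, v in find_ies(body, {IE_UE_IP}) for ip in decode_ue_ip(v)]
        sess["ips"] += ips
        self.by_ip.update({ip: sess["ids"] for ip in ips})
        return [("UEIP mapping start", ip, sess["ids"]) for ip in ips]

    def process(self, msg):  # consume one PFCP control message; return the correlation events it caused
        mtype, seid, body = parse_header(msg)
        if mtype == SESSION_EST_REQ:
            ids = {k: d for _, v in find_ies(body, {IE_USER_ID}) for k, d in decode_user_id(v).items()}
            cp = [decode_fseid(v) for _, v in find_ies(body, {IE_FSEID})]
            if not (ids and cp):
                return []  # no User ID IE: nothing to correlate (the precondition the page states)
            self.sessions[cp[0]] = {"ids": ids, "ips": []}
            return self._map(cp[0], body)  # SMF-allocated UE address inside Create PDR / PDI
        if mtype == SESSION_EST_RESP and seid in self.sessions:
            for _, v in find_ies(body, {IE_FSEID}):
                self.by_up_seid[decode_fseid(v)] = seid  # UP SEID -> CP SEID; deletions are keyed by UP SEID
            return self._map(seid, body)  # UPF-allocated UE address inside Created PDR, if any
        if mtype == SESSION_DEL_REQ and seid in self.by_up_seid:
            sess = self.sessions.pop(self.by_up_seid.pop(seid))
            for ip in sess["ips"]:
                self.by_ip.pop(ip, None)
            return [("UEIP mapping end", ip, sess["ids"]) for ip in sess["ips"]]
        return []

    def lookup(self, ue_ip, mode="loose"):  # Loose forwards an unknown address; Strict drops it
        ids = self.by_ip.get(ue_ip)
        return ("drop", None) if ids is None and mode == "strict" else ("allow", ids)

# Builders for the constructed sample exchange (not a capture): SMF 192.0.2.10 <-> UPF 192.0.2.20.
ie = lambda t, v: struct.pack("!HH", t, len(v)) + v
fseid = lambda seid, ipv4: b"\x02" + struct.pack("!Q", seid) + ipaddress.IPv4Address(ipv4).packed

def pfcp(mtype, seid, seq, ies):  # PFCP v1 header with S=1, followed by the IEs
    tail = struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00" + b"".join(ies)
    return struct.pack("!BBH", 0x21, mtype, len(tail)) + tail

def run():  # drive the database with the exchange; return the events and the in-session policy decisions
    imsi, imei = bytes.fromhex("62021132547698f0"), bytes.fromhex("53214365870921f3")  # TBCD of 262011234567890 / 351234567890123
    user_id = bytes([0x03, len(imsi)]) + imsi + bytes([len(imei)]) + imei  # IMSIF | IMEIF
    pdi = ie(IE_PDI, ie(IE_UE_IP, b"\x02" + ipaddress.IPv4Address("10.45.0.7").packed))  # V4 flag + address
    request = pfcp(SESSION_EST_REQ, 0, 1, [ie(IE_FSEID, fseid(0x1111, "192.0.2.10")),
                   ie(IE_CREATE_PDR, ie(IE_PDR_ID, b"\x00\x01") + pdi), ie(IE_USER_ID, user_id)])
    response = pfcp(SESSION_EST_RESP, 0x1111, 1, [ie(IE_CAUSE, b"\x01"), ie(IE_FSEID, fseid(0x2222, "192.0.2.20"))])
    db = UeipDatabase()
    events = db.process(request) + db.process(response)
    decisions = {"known": db.lookup("10.45.0.7"), "unknown_loose": db.lookup("10.45.0.99"),
                 "unknown_strict": db.lookup("10.45.0.99", "strict")}
    return events + db.process(pfcp(SESSION_DEL_REQ, 0x2222, 2, [])), decisions
```

Running run() replays the three messages in order: the establishment request yields a "UEIP mapping start" event for 10.45.0.7, the lookups made while the session is up show the Loose and Strict behaviour for a known and an unknown address, and the deletion request yields the matching "UEIP mapping end". Two details matter for a real deployment: a request whose SMF address is not covered by the PFCP allow rule never reaches the parser, and a deletion seen without its earlier establishment response cannot be matched, so the mapping would stay in the table until the firewall's own ageing removes it.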
- Enable GTP Security.
  - Log in to the firewall web interface.
  - Select Device > Setup > Management, edit General Settings, and select GTP Security.
  - Click OK.
  - Commit the change.
  - Select Device > Setup > Operations > Reboot Device; the GTP Security setting takes effect only after the reboot.
- Create a Mobile Network Protection profile.
  - Select Objects > Security Profiles > Mobile Network Protection and Add a new profile.
  - Give the profile a unique Name.
  - Select Correlation and enable UEIP Correlation.
  - Select the Mode you want to use.
    - Loose (default): When the firewall detects traffic, it queries the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
    - Strict: Drops the traffic if the correlation query does not return any results.
  - Based on your deployment, select whether to enable the User Plane with GTP-U encapsulation option.
    - Enable the option if the firewall is deployed on the N3/S1-U interface.
    - Disable the option if the firewall is deployed on the SGi/N6 interface.
  - Select PFCP as the Source. The Source is the protocol the firewall inspects to correlate control plane and user plane information for subscriber-level and equipment-level Security policy enforcement: it extracts 5G/4G identity information such as the subscriber ID (SUPI and IMSI), the equipment ID (PEI and IMEI), and the IP address of the UE, and correlates it with the subscriber's IP traffic.
  - (Optional) Select whether to log UEIP correlation events when the firewall observes an IP address being allocated to a UE (Log At Ueip Start), when it observes the address being released (Log At Ueip End), or both. The firewall logs the following GTP events, which you can view at Monitor > Logs > GTP:
    - UEIP mapping start
    - UEIP mapping end
    The logs contain the following user information:
    - Subscriber Identity (IMSI or SUPI)
    - Equipment Identity (IMEI or PEI)
    - End User IP address allocated to the UE
    - Access Point Name (APN)
    - Radio Access Technology (RAT)
    - MSISDN
  - Click OK to save your changes.
- Create a Security policy rule to identify and allow PFCP traffic between the SMF and UPF (or the PGW-C and PGW-U). There are two ways to define this rule, depending on the deployment mode and the level of control you need; choose the one that matches your security requirements.
  - (Recommended for N6 or SGi deployments) Create a Security policy rule that allows the PFCP application between any zones. Because the zones and addresses are Any, this rule matches PFCP traffic between the SMF and UPF zones (or PGW-C and PGW-U) as well as between the UPF (or PGW-U) and the data network zones. It is the simplest rule to deploy but also the broadest, since PFCP from any zone is admitted.
    - Select Policies > Security, Add a rule, and give it a unique Name in the General tab.
    - In the Source tab, Add Any as the Source Zone (or all of the N4, N6, Sxb and SGi zones) and Any as the Source Address.
    - In the Destination tab, Add Any as the Destination Zone (or all of the N4, N6, Sxb and SGi zones) and Any as the Destination Address.
    - In the Application tab, Add pfcp as the Application to allow.
    - In the Service/URL Category tab, select Any as the Service.
    - In the Actions tab, select Allow as the Action.
    - Under Profile Setting, select Profiles as the Profile Type and attach your Mobile Network Protection profile.
    - Select Log at Session End if it is not already selected.
  - (Recommended for N3 or S1-U deployments; optional for N6 or SGi deployments) Create a specific Security policy rule that allows PFCP only between the SMF and UPF (or the PGW-C and PGW-U).
    - Select Policies > Security, Add a rule, and give it a unique Name in the General tab.
    - In the Source tab, Add the Source Zone and Source Address of the interface the SMF uses to communicate with the UPF (or the PGW-C address that faces the PGW-U).
    - In the Destination tab, Add the Destination Zone and Destination Address of the UPF (or of the PGW-U).
    - In the Application tab, Add pfcp as the Application to allow.
    - In the Service/URL Category tab, select Any as the Service.
    - In the Actions tab, select Allow as the Action.
    - Under Profile Setting, select Profiles as the Profile Type and attach your Mobile Network Protection profile.
    - Select Log at Session End if it is not already selected.
- (Required for N6 or SGi deployments if you allow PFCP only between the SMF and UPF or the PGW-C and PGW-U) Create a custom application and a Security policy rule that uses it. The firewall must evaluate this rule first: it processes the first packet of all user traffic and triggers the UEIP database query, so place it above every other rule for user traffic on the N6 interface. Any application-specific or IMSI/IMEI-based rules must come after it.
  - Select Objects > Applications, Add an application, and give it a unique Name (for example, pfcp-ueip).
  - Select Policies > Security, Add a rule, and give it a unique Name.
  - In the Source tab, Add the zone that contains traffic to the UPF as the Source Zone and select Any as the Source Address; if you use an IP pool for the UE addresses, add the pool as the Source Address instead. Do not select anything in the Source Subscriber or Source Equipment tabs.
  - In the Destination tab, Add the zone that contains traffic to the packet data network as the Destination Zone and select Any as the Destination Address.
  - In the Application tab, Add the custom application you just created (for example, pfcp-ueip).
  - In the Service/URL Category tab, select Any as the Service.
  - In the Actions tab, select Allow as the Action.
  - Under Profile Setting, select Profiles as the Profile Type and attach the Mobile Network Protection profile you created earlier.
  - Select Log at Session End if it is not already selected.
- (Recommended for N3 or S1-U deployments) Create bidirectional Security policy rules that match and allow GTP-U application traffic on the N3 interface.
  - Select Policies > Security, Add a rule, and give it a unique Name in the General tab.
  - In the Source tab, Add the Source Zone and Source Address of the base station and of the UPF (or SGW-U).
  - In the Destination tab, Add the Destination Zone and Destination Address of the base station and of the UPF (or SGW-U).
  - In the Application tab, Add gtp-u as the Application to allow.
  - In the Service/URL Category tab, select Any as the Service.
  - In the Actions tab, select Allow as the Action.
  - Under Profile Setting, select Profiles as the Profile Type and attach your Mobile Network Protection profile. When the firewall identifies GTP-U traffic between the base station and the UPF or SGW-U, it decapsulates the inner UE traffic and searches the correlation database for the UEIP mapping.
  - Select Log at Session End if it is not already selected.
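For the N3/S1-U deployment the firewall sees only the GTP-U tunnel, and the step above says it decapsulates the inner UE packet and looks the address up in the correlation database. The following Python is an added example, not Palo Alto Networks code, of that decapsulation: it parses the GTPv1-U G-PDU header, walks the optional extension header chain to pull the QFI out of the PDU Session Container that the gNB and UPF exchange on N3 (the case that breaks naive "skip eight bytes" parsers), extracts the inner IPv4 or IPv6 addresses, and applies the Loose/Strict decision against a small mapping table of the kind the PFCP correlation populates. Frames, TEIDs, addresses and identities are constructed; the message type and extension header codes follow 3GPP TS 29.281 and TS 38.415, and the downlink frame without extension headers is the shape seen on 4G S1-U.

```python
import ipaddress
import struct

GPDU = 0xFF                        # GTP-U message type of a tunnelled user packet (TS 29.281)
E_PDU_SESSION_CONTAINER = 0x85     # NR-U extension header that carries the QFI on N3 (TS 38.415)

def gtpu_decap(frame):  # -> (TEID, QFI or None, inner src, inner dst); raises on malformed input
    flags, mtype, length, teid = struct.unpack_from("!BBHI", frame, 0)
    if flags >> 5 != 1 or not flags & 0x10 or mtype != GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    if len(frame) != 8 + length:
        raise ValueError("GTP-U length field does not match the frame")
    off, qfi = 8, None
    if flags & 0x07:  # any of E, S, PN set: the 4-octet optional field is present
        next_type, off = frame[11], 12
        while next_type:  # extension chain: length in 4-octet units, content, next extension type
            ext_len = frame[off] * 4
            if ext_len == 0 or off + ext_len > len(frame):
                raise ValueError("bad GTP-U extension header")
            if next_type == E_PDU_SESSION_CONTAINER:
                qfi = frame[off + 2] & 0x3F  # second content octet carries the QFI in its low six bits
            next_type, off = frame[off + ext_len - 1], off + ext_len
    inner = frame[off:]
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        src, dst = ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])
    elif len(inner) >= 40 and inner[0] >> 4 == 6:
        src, dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    else:
        raise ValueError("inner payload is not an IP packet")
    return teid, qfi, str(src), str(dst)

def inspect(frame, ueip_db, mode="loose"):  # policy decision for one tunnelled packet
    teid, qfi, src, dst = gtpu_decap(frame)
    ids = ueip_db.get(src) or ueip_db.get(dst)  # uplink: UE is the source; downlink: the destination
    action = "drop" if ids is None and mode == "strict" else "allow"
    return {"action": action, "teid": teid, "qfi": qfi, "flow": (src, dst), "ue": ids}

# Constructed sample frames (not captures): UE 10.45.0.7 talking to 198.51.100.20.
def ipv4_packet(src, dst, payload=b"\x00" * 8):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def gtpu_frame(teid, inner, qfi=None):
    if qfi is None:
        return struct.pack("!BBHI", 0x30, GPDU, len(inner), teid) + inner  # no optional field (S1-U style)
    ext = bytes([1, 0x10, qfi, 0])  # PDU Session Container: 4 octets, UL PDU SESSION INFORMATION, QFI, end
    opt = b"\x00\x00\x00" + bytes([E_PDU_SESSION_CONTAINER])  # sequence, N-PDU, next extension type
    return struct.pack("!BBHI", 0x34, GPDU, len(opt) + len(ext) + len(inner), teid) + opt + ext + inner

def run():
    db = {"10.45.0.7": {"imsi": "262011234567890", "imei": "351234567890123"}}  # as learned from PFCP
    uplink = gtpu_frame(0x101, ipv4_packet("10.45.0.7", "198.51.100.20"), qfi=9)
    downlink = gtpu_frame(0x202, ipv4_packet("198.51.100.20", "10.45.0.7"))
    stray = gtpu_frame(0x303, ipv4_packet("10.45.0.99", "198.51.100.20"), qfi=9)  # no mapping exists
    return {"uplink": inspect(uplink, db), "downlink": inspect(downlink, db),
            "stray_loose": inspect(stray, db), "stray_strict": inspect(stray, db, "strict")}
```

The lookup is done on both inner addresses because the UE is the source in the uplink direction and the destination in the downlink direction, which is why the rule above has to be bidirectional. The unmapped 10.45.0.99 flow shows the profile Mode at work: Loose forwards it without identity, Strict drops it.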
- (Recommended for N6 or N3 deployments) Create the remaining Security policy rules that identify and allow UE traffic based on data such as IP address, application, URL category, or IMSI/IMEI. If your N6 deployment requires IP-based deny rules for UE traffic, move each deny rule above the custom-application rule (for example, pfcp-ueip) you created earlier so that the traffic logs contain the IMSI/IMEI correlation information.
  - Select Policies > Security, Add a rule, and give it a unique Name in the General tab.
  - In the Source tab, Add the Source Zone and Source Address you want to allow. If you use an IP pool for the UE addresses, add the pool as the Source Address.
  - Add the Source Subscriber and Source Equipment you want to allow.
  - In the Destination tab, Add the Destination Zone and Destination Address. Select Any to allow internet access, or specify the addresses of the servers in the corporate network or MEC site.
  - In the Application tab, Add the Application types you want to allow (for example dns, web-browsing, or ssl).
  - In the Service/URL Category tab, select the Service types you want to allow.
  - In the Actions tab, select the Action you want the firewall to take (Allow or Deny).
  - Select Log at Session End if it is not already selected.
- (Recommended for N6 or SGi deployments if your policy allows all PFCP traffic between the SMF and UPF or the PGW-C and PGW-U) Create a final rule at the bottom of your rulebase that allows any traffic that did not match an earlier rule. This is strongly recommended for at least the initial stages of deployment; revisit it once the rules above it are known to cover the expected UE traffic.
  - Select Policies > Security, Add a rule, and give it a unique Name in the General tab.
  - In the Source tab, Add the Source Zone used for communication between the UPF and N6 (or the PGW-U and SGi). If you use an IP pool for the UE addresses, add the pool as the Source Address.
  - Add the Source Subscriber and Source Equipment you want to allow.
  - In the Destination tab, Add the Destination Zone of the data network and Any as the Destination Address.
  - In the Application tab, select Any as the Application.
  - In the Service/URL Category tab, select Any as the Service.
  - In the Actions tab, select Allow as the Action.
  - Under Profile Setting, select Profiles as the Profile Type and attach your Mobile Network Protection profile.
  - Select Log at Session End if it is not already selected.
- Confirm that the profile is Enabled on each rule under Policies > Security > (rule) > Actions > Profile Setting > Mobile Network Protection, then Commit the changes.
- Verify that your configuration is correct.
  - Verify the session traffic in the firewall logs using the following CLI commands:
    - show session all filter application pfcp
    - show session all filter application gtp-u
    - show session all filter source <IP address of UE>
  - Verify that the mappings shown by the show ueip all CLI command list pfcp as the source (src).
  - View the GTP logs (Monitor > Logs > GTP) and verify that the GTP Event Type column shows UEIP mapping start and UEIP mapping end.
  - Verify that the UE traffic logs (Monitor > Logs > Traffic) show the IMSI or IMEI in the Subscriber Identity column for the UE traffic.