When deploying a Palo Alto Networks^® firewall to inspect SCTP traffic in a mobile network, you must determine the connection points or 3GPP interfaces in the network that you want the firewall to secure. SCTP is used across various evolved packet core (EPC) signaling interfaces, such as N2, S1-MME, S6a/S6d, S13/S13’ and S9. You can Configure SCTP Security on supported Palo Alto Networks firewall models by creating an SCTP Protection profile, which you attach to a Security policy rule for a zone; the SCTP Protection profile enforces the SCTP security capabilities.

A mobile network operator’s most common use cases for SCTP security are roaming security and radio access network (RAN) security. GTP Deployments also include roaming security and RAN security. The best practice is for you to configure both GTP and SCTP security when you have a roaming or a RAN security use case.

As a best practice, deploy the firewalls in a high availability (HA) active/passive configuration; SCTP security is not supported in an HA active/active configuration.

In this roaming security use case, the firewall inspects SCTP traffic that is exchanged between home and visitor networks, as shown in the following figure. (A legend of acronyms follows the figures.)

The dashed lines indicate an SCTP Association:

In each roaming association, a mobile network operator communicates with its roaming partners over a GSMA, GRX, or IPX network.

In the RAN security use case, the firewall inspects SCTP traffic that is exchanged over S1-MME and S6a interfaces, as shown in the following figure.

The orange dashed connection represents an SCTP association over an S1-MME interface between eNodeB and MME, and SCTP transports S1AP. The blue dashed connection represents an SCTP association over an S6a interface between MME and HSS, and SCTP transports the Diameter S6a application.

The green dashed connection represents an SCTP association over an N2 interface between 5G RAN and AMF, and SCTP transports NG Application protocol (NGAP).