GTP comprises control plane (GTP-C), user plane (GTP-U), and charging (GTP' derived from GTP-C) traffic transferred on UDP/IP. View the PAN-OS releases by model that support GTP and the 3GPP Technical Standards that GTPv1-C, GTPv2-C, and GTP-U support.

Enabling GTP security on Palo Alto Networks^® firewalls allows you to protect the mobile core network infrastructure from malformed GTP packets, denial of service attacks, and out-of-state GTP messages, and also allows you to protect mobile subscribers from spoofed IP packets and overbilling attacks.

GTPv1-C is defined in 3GPP TS 29.060. It is used on a Gn interface, that is, the interface between GPRS support nodes (GSNs) within a public land mobile network (PLMN), and also across a Gp interface between GSNs in different PLMNs. It is also used for roaming and inter access mobility between Gn/Gp SGSNs and mobility management entities (MMEs). GTPv1-C carries various types of control plane signaling messages. The registered port number for GTPv1-C is 2123.

GTPv2-C is defined in 3GPP TS 29.274. It is used on various EPC (Evolved Packet Core) signaling interfaces, such as S5, S8, and S11. GTPv2-C carries various types of control plane signaling messages. The registered port number for GTPv2-C is 2123.

GTP-U is defined in 3GPP TS 29.281. It encapsulates and routes user plane traffic across multiple signaling interfaces such as S1, S5, and S8. GTP-U messages are either user plane or signaling messages. The registered port number for GTP-U is 2152.

NAT is not supported for GTP tunnel IP addresses with GTP stateful inspection.

Continue to GTP Deployments and Configure GTP Stateful Inspection.