User Equipment (UE) to IP Address Correlation with PFCP for 4G
11.0
As mobile service providers migrate from 4G/LTE to 5G, the control and
user plane separation (CUPS) architecture is a common deployment in 4G
networks. With CUPS, the user plane function (in 4G, the SGW-U and PGW-U)
moves closer to the enterprise, either at an edge site or in an on-premises
location, while the control plane remains in a central location, such as
a data center.
Subscriber ID (IMSI) and equipment
ID (IMEI) correlation requires inspection of both control plane
and user plane traffic by the same firewall. UEIP Correlation provides
a way to ensure uninterrupted security policy enforcement during
migration to a CUPS architecture through correlation of the subscriber
ID and equipment ID to user equipment (UE) IP-based traffic and
GTP-U content inspection.
For a solution for 5G networks,
refer to 5G Multi-access Edge Computing
Security.
The firewall monitors the Sxb interface for PFCP control messages (PFCP
runs over UDP port 8805) and extracts the User Equipment IP Address (UE_IP)
and Mobile User Identification (User_ID) information elements, which it
uses to map the UE_IP to the IMEI, the IMSI, or both. It adds the mapping
to a database, distributes the database to its other data planes, and
uses the mapping when it performs GTP-U content inspection. You can query
the database by UE_IP to view the correlated mobile user information for
the UE traffic carried inside the GTP-U tunnels on the user plane.
The following diagram represents
a possible configuration for correlation for a 4G MEC topology using
CUPS architecture:
S1-U
represents a 3GPP interface that connects a 4G Radio Access Network
(RAN) to the serving gateway user plane (SGW-U) and PDN gateway
user plane (PGW-U) combo node using the GTP-U protocol. The control
plane (Sxb) is a 3GPP interface that connects the PGW-U in the MEC
location to the PGW-C in the 4G core at the central location (such
as a public cloud or on-premises data center) using the PFCP protocol.
SGi is also a 3GPP interface; it connects the PGW-U to the external
network (such as the internet or the enterprise IT data center) using
conventional IP routing rather than GTP tunnels.
In this topology, you can
deploy the firewall as external to the MEC host in a hardware form
factor or deploy the firewall on an MEC host in a virtual or container
form factor.
To enforce security policy based on Subscriber
ID or Equipment ID for a 4G MEC-based enterprise, position the firewall
on the user plane (S1-U) and control plane (Sxb) interfaces at the
MEC location.
The firewall inspects the control plane to
extract information for correlation with the user plane, providing
subscriber and equipment-level visibility, as well as policy control
for vulnerabilities, malware, viruses, URLs, C2, and applications
at the SP’s MEC location.
To support correlation, the PFCP control message (the PFCP Session
Establishment Request) must contain both the UE IP Address IE and the
User ID IE (Information Element); the User ID IE carries the IMSI, the
IMEI, or both. A session whose PFCP exchange lacks either IE cannot be
correlated, and a later query for its UE IP fails, which the handling
Mode of the profile then decides.
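The correlation described above, as an added Python example that is not part of this page or of the firewall's own implementation: it parses PFCP on the Sxb interface, maps UE_IP to IMSI/IMEI from the Session Establishment Request, re-keys the session when the Session Establishment Response reveals the UP-allocated SEID, releases the mapping on the Session Deletion Request, and answers lookups for GTP-U inner traffic in the Loose or Strict mode described in the configuration steps below. The PFCP header, F-SEID, UE IP Address and User ID IE layouts and the TBCD digit encoding follow 3GPP TS 29.244; the message bytes, the IMSI/IMEI and the addresses are constructed for the example, and the class name, the "ueip-start"/"ueip-end" events and the `lookup` return values are this example's own conventions, not firewall APIs.

```python
import ipaddress
import struct

# PFCP message and IE types from 3GPP TS 29.244 (only the subset needed for correlation).
SESSION_ESTABLISHMENT_REQ, SESSION_ESTABLISHMENT_RSP, SESSION_DELETION_REQ = 50, 51, 54
IE_CREATE_PDR, IE_PDI, IE_F_SEID, IE_UE_IP_ADDRESS, IE_USER_ID = 1, 2, 57, 93, 141
GROUPED_IES = {IE_CREATE_PDR, IE_PDI}  # grouped IEs carry nested IEs as their value

def tbcd_decode(raw):
    """IMSI/IMEI are TBCD: two digits per octet, low nibble first, 0xF pads an odd count."""
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)

def iter_ies(buf):
    """Yield (type, value) for each IE in buf; a type with bit 15 set is vendor-specific and skipped."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        value = buf[off + 4:off + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE")
        off += 4 + ie_len
        if not ie_type & 0x8000:
            yield ie_type, value

def parse_pfcp(pdu):
    """Split a PFCP PDU (UDP port 8805 payload) into (message type, header SEID, IE bytes)."""
    flags, msg_type, length = struct.unpack_from("!BBH", pdu, 0)
    if flags >> 5 != 1 or len(pdu) != length + 4:
        raise ValueError("not a PFCP v1 PDU or length mismatch")
    seid, off = (struct.unpack_from("!Q", pdu, 4)[0], 12) if flags & 0x01 else (None, 4)  # S flag: SEID present
    return msg_type, seid, pdu[off + 4:]  # skip the 3-octet sequence number and 1 spare octet

def fseid(ies):
    return next((struct.unpack_from("!Q", v, 1)[0] for t, v in iter_ies(ies) if t == IE_F_SEID), None)

def extract_identities(ies):
    """Walk the IE tree and return (UE IPs, IMSI, IMEI); UE IP Address sits under Create PDR > PDI."""
    ue_ips, imsi, imei = [], None, None
    for ie_type, value in iter_ies(ies):
        if ie_type in GROUPED_IES:
            sub_ips, sub_imsi, sub_imei = extract_identities(value)
            ue_ips, imsi, imei = ue_ips + sub_ips, imsi or sub_imsi, imei or sub_imei
        elif ie_type == IE_UE_IP_ADDRESS:
            flags, off = value[0], 1
            if flags & 0x02:  # V4: an IPv4 address follows the flags octet
                ue_ips.append(str(ipaddress.IPv4Address(value[off:off + 4])))
                off += 4
            if flags & 0x01: ue_ips.append(str(ipaddress.IPv6Address(value[off:off + 16])))  # V6: IPv6 follows
        elif ie_type == IE_USER_ID:
            flags, off = value[0], 1
            if flags & 0x01:  # IMSIF: one length octet, then the TBCD IMSI
                imsi, off = tbcd_decode(value[off + 1:off + 1 + value[off]]), off + 1 + value[off]
            if flags & 0x02: imei = tbcd_decode(value[off + 1:off + 1 + value[off]])  # IMEIF: length, TBCD IMEI
    return ue_ips, imsi, imei

class UeipCorrelation:
    def __init__(self, mode="loose"):
        self.mode = mode   # "loose": forward when the query fails; "strict": drop
        self.by_ip = {}    # UE_IP -> {"imsi", "imei"}
        self.by_seid = {}  # CP SEID -> UE IPs, re-keyed to the UP SEID after the response (one dict: a simplification)

    def observe(self, pdu):
        """Feed one PFCP PDU from either direction; returns ('ueip-start'|'ueip-end', ip) events."""
        msg_type, seid, ies = parse_pfcp(pdu)
        if msg_type == SESSION_ESTABLISHMENT_REQ:
            ue_ips, imsi, imei = extract_identities(ies)
            if not ue_ips or not (imsi or imei):
                return []  # cannot correlate without both UE_IP and a User ID IE
            self.by_ip.update({ip: {"imsi": imsi, "imei": imei} for ip in ue_ips})
            self.by_seid[fseid(ies)] = ue_ips
            return [("ueip-start", ip) for ip in ue_ips]
        if msg_type == SESSION_ESTABLISHMENT_RSP and seid in self.by_seid:  # header SEID = CP SEID
            self.by_seid[fseid(ies)] = self.by_seid.pop(seid)  # re-key to the UP-allocated SEID
        if msg_type == SESSION_DELETION_REQ:  # header SEID = UP SEID
            released = [ip for ip in self.by_seid.pop(seid, []) if self.by_ip.pop(ip, None)]
            return [("ueip-end", ip) for ip in released]
        return []

    def lookup(self, inner_ip):
        """Decision for a GTP-U inner packet: ('forward'|'drop', mapping or None)."""
        mapping = self.by_ip.get(inner_ip)
        return ("forward" if mapping or self.mode == "loose" else "drop"), mapping

def ie(ie_type, value):
    return struct.pack("!HH", ie_type, len(value)) + value
def pfcp(msg_type, seid, ies, seq=1):
    body = struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", 0x21, msg_type, len(body)) + body  # 0x21: version 1, S flag set

def build_sample_session():
    """Constructed Sxb exchange for one UE: only correlation-relevant IEs, synthetic identifiers."""
    imsi, imei = bytes.fromhex("00010121436587f9"), bytes.fromhex("53214365870921f3")  # 001010123456789 / 351234567890123
    user_id = ie(IE_USER_ID, b"\x03" + bytes([len(imsi)]) + imsi + bytes([len(imei)]) + imei)
    ue_ip = ie(IE_UE_IP_ADDRESS, b"\x02" + ipaddress.IPv4Address("10.10.1.25").packed)
    cp_fseid = ie(IE_F_SEID, b"\x02" + struct.pack("!Q", 0x1111) + ipaddress.IPv4Address("192.0.2.10").packed)
    up_fseid = ie(IE_F_SEID, b"\x02" + struct.pack("!Q", 0x2222) + ipaddress.IPv4Address("192.0.2.20").packed)
    establish_req = pfcp(SESSION_ESTABLISHMENT_REQ, 0, cp_fseid + ie(IE_CREATE_PDR, ie(IE_PDI, ue_ip)) + user_id)
    return establish_req, pfcp(SESSION_ESTABLISHMENT_RSP, 0x1111, up_fseid), pfcp(SESSION_DELETION_REQ, 0x2222, b"")
```

Feed every PFCP PDU seen on Sxb, in both directions, to `observe()`, and call `lookup()` with the inner source or destination address of each GTP-U packet; the events it returns correspond to the Log At Ueip Start and Log At Ueip End options. The response must be observed as well as the request because the Session Deletion Request carries only the SEID the user plane allocated. Session Modification Requests that change the UE IP, a rejected establishment (Cause IE), and a UE IP Address carried under Create Traffic Endpoint are deliberately left out of this example.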
The following platforms support
UEIP Correlation:
- VM Series
- CN Series
- PA-3430 and PA-3440
- PA-5410, PA-5420, PA-5430, and PA-5440
If you
enable UEIP Correlation, the following options are not available
in the same Mobile Network Protection Profile:
- GTP-C
- 5G-C
- PFCP
- Select Objects > Security Profiles > Mobile Network Protection.
- Add or Edit a profile.
- Select Correlation and enable UEIP Correlation.
- Select the handling Mode to define the action the firewall takes when a query for the correlated information is not successful:
  - Loose (default): when the firewall detects GTP-U inner traffic, it queries the source or destination address for the correlated IMEI/IMSI information; if there are no results, the firewall still forwards the traffic.
  - Strict: the firewall drops the GTP-U traffic if the query fails.
- Select PFCP as the Source (the correlation source for deployments using CUPS).
- (Optional) Select whether to log UEIP correlation events when the firewall learns the IP address allocated to the UE (Log At Ueip Start), when that IP address is released (Log At Ueip End), or both.
- Click OK to save your changes.
- (Optional but recommended) Enable stateful inspection for GTP traffic.
- Confirm that the profile is attached and enabled (Policies > Security > Security Policy Rule > Actions > Profile Setting > Mobile Network Protection) and Commit the changes.
- Use App-IDs to configure the Mobile Network Protection
Profile in a security policy to decapsulate the GTP-U tunnels and
correlate the IP address with the Subscriber ID and Equipment ID.
- Using App-ID, configure a security policy rule for the Sxb interface that allows PFCP traffic between the Sxb nodes (PGW-C and PGW-U) and select the Mobile Network Protection Profile you configured as the Profile Setting (traffic can originate from either endpoint).
- Using App-ID, configure a security policy rule for the S1-U interface that allows GTP-U traffic between the S1-U nodes (eNodeB and SGW-U) and select the Mobile Network Protection Profile you configured as the Profile Setting (traffic can originate from either endpoint).