Configure 4G Subscriber ID Security

Secure your 4G traffic with Security policy rules that specify source subscriber identifiers.
Configure network security based on the subscriber identity of a user who is trying to access your 4G network.
Before you begin configuring 4G Subscriber ID Security, gather the IP addresses of the following devices in your topology so that you can use them as source and destination addresses in Security policy rules controlling traffic to and from these devices:
  • eNodeB (eNB)
  • Mobility Management Entity (MME)
  • Serving Gateway (SGW)
  • Packet Gateway (PGW)
  1. Enable GTP Security.
    1. Select
      Device
      Setup
      Management
      General Settings
      . Select
      GTP Security
      .
    2. Click
      OK
      .
    3. Commit
      the change.
    4. Select
      Device
      Setup
      Operations
      and
      Reboot Device
      .
  2. Enable inspection of 4G GTPv2-C control packets and content inspection of GTP-U packets; create a Mobile Network Protection profile.
    1. Select
      Objects
      Security Profiles
      Mobile Network Protection
      .
    2. Add
      a profile by
      Name
      , for example, 4G Mobile security.
    3. Enter a
      Description
      .
    4. On the
      GTP Inspection
      tab, select
      GTP-C
      .
    5. Enable
      GTPv2-C Stateful Inspection
      to enable inspection of GTPv2 control packets.
      4g-mobile-net-profile.png
    6. Select
      GTP-U
      and enable
      GTP-U Content Inspection
      to correlate context from 4G GTPv2-C control packets (Subscriber IDs and Equipment IDs) to IP user traffic inside a GTP-U tunnel.
      4g-mobile-net-profile-gtpu.png
    7. Select
      Filtering Options
      and
      RAT Filtering
      ; for example, you can allow
      UTRAN
      ,
      GERAN
      ,
      HSPA EVOLUTION
      ,
      EUTRAN
      ,
      EUTRAN-NB-IOT
      , and
      LTE-M
      and block other RATs.
      4g-rat-filter.png
    8. (
      Optional
      ) Select
      Other Log Settings
      and
      Log User Location
      .
    9. (
      Optional
      ) To troubleshoot, select
      Other Log Settings
      and select GTPv2-C Allowed Messages for
      Tunnel Management
      ,
      Path Management
      , and
      Others
      . You can also enable GTP-U Allowed Messages for
      Tunnel Management
      ,
      Path Management
      , and
      G-PDU
      .
    10. Click
      OK
      .
  3. Create address objects for the IP addresses assigned to the network elements in your topology, such as in deployment option 1: the MME on the S11 interface, the eNB on the S1-U interface, and the SGW on the S1-U and S11 interface; or deployment option 2: the SGW on the S5/S8 interface and PGW on the S5/S8 interface.
  4. (
    Optional
    ) Create an External Dynamic List (EDL) of Type
    Subscriber Identity List
    ; the
    Source
    of the list provides access to a server that provides identifiers of users connected to the 4G network, for which you want to allow traffic.
  5. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
    1. Select
      Policies
      Security
      and
      Add
      a Security policy rule by
      Name
      .
    2. Select
      Source
      tab and
      Add
      a
      Source Zone
      or select
      Any
      .
    3. For
      Source Address
      ,
      Add
      the address objects for the 4G network elements that you want to allow.
      4g-sec-pol-sources.png
    4. For
      Destination
      ,
      Add
      the
      Destination Address
      address objects for the 4G network elements that you want to allow.
    5. Add
      the
      Applications
      to allow, such as
      gtp-u
      for user plane and
      gtpv2-c
      for control plane traffic.
    6. On the
      Actions
      tab, select the
      Action
      , such as
      Allow
      .
    7. Select the
      Mobile Network Protection
      profile you created.
      4g-actions-mobile-net-protection.png
    8. Select Log Settings, such as
      Log at Session Start
      and
      Log at Session End
      .
    9. Click
      OK
      .
  6. Create another Security policy rule based on Subscriber ID.
    1. Select
      Policies
      Security
      and
      Add
      a Security policy rule by
      Name
      , for example, Subscriber ID Security.
    2. Select
      Source
      tab and
      Add
      a
      Source Zone
      or select
      Any
      .
    3. Add
      one or more
      Source Subscriber
      IDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
      • IMSI (14 or 15 digits)
      • Range of IMSI values separated by a hyphen. In a range, only the 11th digit through the 15th digit of the IMSI can change from the start of the range to the end of the range; for example, 111111111111122-111111111119999.
      • IMSI prefix of six digits, with an asterisk (*) as the wildcard after the prefix; for example, 926789*
      • External dynamic list (EDL) that specifies IMSIs
    4. (
      Optional
      ) You can add
      Source Equipment
      identities to this Security policy rule to make the rule more restrictive.
    5. Specify
      Destination Zone
      ,
      Destination Address
      , and
      Destination Device
      as
      Any
      .
    6. Add
      the
      Applications
      to allow, for example,
      youtube
      ,
      facebook
      ,
      linkedin
      , and
      twitter
      .
      5g-subscriber-id-apps.png
    7. On the
      Actions
      tab, select the
      Action
      , such as
      Allow
      .
    8. Select profiles you want to apply, such as
      Antivirus
      ,
      Vulnerability Protection
      , and
      Anti-Spyware
      .
    9. Select Log Setting, such as
      Log at Session End
      .
    10. Click
      OK
      .
  7. Commit
    .

Recommended For You