End-of-Life (EoL)
Configure 5G Equipment ID Security
After you’ve read about 5G Equipment ID and Subscriber ID Security, prepare
to configure equipment ID security. Gather the IP addresses of the
following devices in your topology so that you can use these addresses
in Security policy rules controlling traffic to and from these devices:
- gNodeB (gNB)
- Access and Mobility Management Function (AMF)
- Session Management Function (SMF)
- User Plane Function (UPF)
- Enable GTP security.
  - Select Device > Setup > Management, edit General Settings, and select GTP Security.
  - Click OK.
  - Commit the change.
  - Select Device > Setup > Operations and Reboot Device. The GTP Security setting takes effect only after the reboot.
- Create a Mobile Network Protection profile that enables inspection of 5G HTTP/2 control packets and content inspection of GTP-U packets.
  - Select Objects > Security Profiles > Mobile Network Protection.
  - Add a profile and give it a Name, for example, 5G Mobile security.
  - Enter a Description.
  - On the GTP Inspection tab, select 5G-C.
  - Enable 5G-HTTP2 to inspect 5G HTTP/2 control packets.
  - Select GTP-U and enable GTP-U Content Inspection so that the firewall correlates the context carried in the 5G HTTP/2 control packets (Subscriber IDs and Equipment IDs) with the IP user traffic inside the GTP-U tunnel. This correlation is what lets a Security policy rule based on Equipment ID match the user-plane traffic of that device.
  - Select Filtering Options and configure RAT Filtering; for example, allow NR (New Radio) and block all other RATs.
  - (Optional) Select Other Log Settings and enable Log User Location.
  - (Optional) For troubleshooting, select Other Log Settings and enable 5G Allowed Messages for N11 (the HTTP/2 control messages). You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU.
  - Click OK.
- Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF and the SMF on the N11 interface, and the gNB and the UPF on the N3 interface.
- (Optional) Create an External Dynamic List (EDL) of Type Equipment Identity List. The Source of the list is the URL of a server that provides the identifiers of the devices connected to the 5G network for which you want to allow (or deny) traffic.
- Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
  - Select Policies > Security and Add a Security policy rule with a Name.
  - On the Source tab, Add a Source Zone or select Any.
  - For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
  - On the Destination tab, Add the same address objects for the 5G element endpoints on the N3 and N11 interfaces as the Destination Address (the same ones you allowed for Source Address).
  - Add the Applications to allow, such as gtp-u (the user plane) and web-browsing (which covers the HTTP/2 control traffic).
  - On the Actions tab, select the Action, such as Allow.
  - Select the Mobile Network Protection profile you created.
  - Select any other profiles you want to apply, such as Vulnerability Protection.
  - Select Log Settings, such as Log at Session Start and Log at Session End.
  - Click OK.
- Create another Security policy rule based on Equipment ID.
  - Select Policies > Security and Add a Security policy rule with a Name, for example, Equipment ID Security.
  - On the Source tab, Add a Source Zone or select Any.
  - Add one or more Source Equipment IDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
    - 5G Permanent Equipment Identifier (PEI) that carries an IMEI
    - IMEI (15 or 16 digits)
    - IMEI prefix of eight digits, the Type Allocation Code (TAC), which matches every IMEI that begins with that TAC
    - EDL of Type Equipment Identity List that specifies IMEIs
  - (Optional) Add Source Subscriber and Network Slice names to this Security policy rule to make the rule more restrictive.
  - Set Destination Zone, Destination Address, and Destination Device to Any.
  - Add the Applications to allow, for example, ssh, ssl, radmin, and telnet.
  - On the Actions tab, select the Action, such as Allow.
  - Select the profiles you want to apply, such as Antivirus, Vulnerability Protection, and Anti-Spyware.
  - Select Log Settings, such as Log at Session Start and Log at Session End.
  - Click OK.
- Commit.
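The Equipment Identity List EDL and the Source Equipment ID formats above both depend on getting the identifiers right: a mistyped IMEI silently matches nothing, and a TAC entry matches a whole device model rather than one handset. The following script is an added example, not code from the page or from the vendor. It validates candidate entries in the formats the procedure lists (15-digit IMEI with its check digit, 16-digit IMEISV, 8-digit TAC prefix, and a 5G PEI in the `imei-`/`imeisv-` form defined in 3GPP TS 29.571), writes the accepted ones to a text file, and models how a TAC entry matches. Assumptions: the EDL is a plain text file with one identifier per line, and a TAC entry is treated as a prefix match, as the page's wording implies; the sample identifiers are constructed test values, not real devices.

```python
"""Validate 5G equipment identifiers and build an Equipment Identity List file.
Added example, not vendor code. EDL layout (one entry per line) is assumed."""
import re
import tempfile
from pathlib import Path
from typing import NamedTuple

# 5G PEI forms that carry an IMEI or IMEISV (prefix syntax per 3GPP TS 29.571).
PEI_RE = re.compile(r"^(?:imei-(\d{15})|imeisv-(\d{16}))$")


class EquipmentId(NamedTuple):
    raw: str     # entry as supplied
    kind: str    # "imei", "imeisv" or "tac"
    digits: str  # normalized digit string that goes into the list


def luhn_ok(digits: str) -> bool:
    """Luhn check on a 15-digit IMEI; the 15th digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, check digit excluded
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_equipment_id(entry: str) -> EquipmentId:
    """Accept the formats listed in the procedure, reject everything else."""
    raw = entry.strip()
    m = PEI_RE.match(raw)
    digits = (m.group(1) or m.group(2)) if m else raw
    if not digits.isdigit():
        raise ValueError(f"{raw!r}: not a digit string or an imei-/imeisv- PEI")
    if len(digits) == 15:
        if not luhn_ok(digits):
            raise ValueError(f"{raw!r}: IMEI check digit is wrong (typo or forged ID)")
        return EquipmentId(raw, "imei", digits)
    if len(digits) == 16:
        # IMEISV = 14-digit IMEI body + 2-digit software version; it has no check digit.
        return EquipmentId(raw, "imeisv", digits)
    if len(digits) == 8:
        return EquipmentId(raw, "tac", digits)  # TAC: first 8 digits of an IMEI
    raise ValueError(f"{raw!r}: expected 8, 15 or 16 digits, got {len(digits)}")


def build_edl(entries):
    """Split candidate entries into accepted EquipmentIds and (entry, reason) rejects."""
    accepted, rejected = [], []
    for e in entries:
        try:
            accepted.append(parse_equipment_id(e))
        except ValueError as err:
            rejected.append((e, str(err)))
    return accepted, rejected


def write_edl(path, ids) -> int:
    """Write one identifier per line (assumed EDL text layout); returns line count."""
    lines = [i.digits for i in ids]
    Path(path).write_text("\n".join(lines) + "\n")
    return len(lines)


def edl_matches(list_digits, device_id: str) -> bool:
    """Model of rule matching (assumed): full IMEI/IMEISV entries match exactly,
    an 8-digit TAC entry matches every identifier that starts with it."""
    body = parse_equipment_id(device_id).digits
    for d in list_digits:
        if len(d) == 8 and body.startswith(d):
            return True
        if d == body:
            return True
    return False


# Constructed sample input (not real devices): a valid IMEI, a 5G PEI with a valid
# IMEI, an IMEISV, a TAC prefix, then a bad check digit and a wrong length.
SAMPLE_ENTRIES = [
    "490154203237518",
    "imei-356938035643809",
    "4901542032375101",
    "49015420",
    "490154203237519",
    "49015420323",
]

if __name__ == "__main__":
    ok, bad = build_edl(SAMPLE_ENTRIES)
    out = Path(tempfile.gettempdir()) / "equipment-identity-list.txt"
    print(f"wrote {write_edl(out, ok)} entries to {out}")
    for entry, reason in bad:
        print("rejected:", reason)
    # A different handset of the same model (same TAC) is matched by the TAC entry only.
    print("TAC entry matches 490154200000000:",
          edl_matches([i.digits for i in ok], "490154200000000"))
```

Run the script, then serve the resulting file from the web server you named as the EDL Source. The rejected entries are the ones to chase before committing the rule: an IMEI with a wrong check digit is usually a transcription error, and a rule built from it will never match the device it was meant to cover.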