End-of-Life (EoL)
Configure 5G Network Slice Security
After you’ve read about 5G Network Slice Security, prepare
to configure network slice security. Gather the IP addresses of
the following devices in your topology so that you can use these
addresses in Security policy rules controlling traffic to and from
these devices:
- gNodeB (gNB)
- Access and Mobility Management Function (AMF)
- Session Management Function (SMF)
- User Plane Function (UPF)
- Enable GTP security.
  - Select Device > Setup > Management > General Settings > GTP Security.
  - Click OK.
  - Commit the change.
  - Select Device > Setup > Operations and Reboot Device.
- Enable inspection of 5G HTTP/2 control packets by creating a Mobile Network Protection profile.
  - Select Objects > Security Profiles > Mobile Network Protection.
  - Add a profile by Name, for example, 5G Mobile security.
  - Enter a Description.
  - On the GTP Inspection tab, select 5G-C.
  - Enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets.
  - Select GTP-U and enable GTP-U Content Inspection to correlate context from 5G HTTP/2 control packets (Subscriber IDs and Equipment IDs) to IP user traffic inside a GTP-U tunnel.
  - Select Filtering Options and RAT Filtering; for example, you can allow NR (New Radio) and block other RATs.
  - Select IMSI Filtering and Add one or more IMSI Prefix(es) with the desired action.
  - Select APN Filtering and Add one or more APNs with the desired action.
  - (Optional) To troubleshoot, select Other Log Settings and, under 5G Allowed Messages, select N11 (the HTTP/2 control messages). You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU. You can also Log User Location.
  - Click OK.
- Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF on the N11 interface, the gNB on the N3 interface, the SMF on the N11 interface, and the UPF on the N3 interface.
- Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
  - Select Policies > Security and Add a Security policy rule by Name.
  - Select the Source tab and Add a Source Zone, or select Any.
  - For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
  - For Destination, Add as the Destination Address the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow (the same ones you allowed for Source Address).
  - Add the Applications to allow, such as gtp-u (the user plane) and web-browsing (which carries HTTP/2).
  - On the Actions tab, select the Action, such as Allow.
  - Select the Mobile Network Protection profile you created.
  - Select other profiles you want to apply, such as Vulnerability Protection.
  - Select Log Settings, such as Log at Session Start and Log at Session End.
  - Click OK.
- Create another Security policy rule based on Network Slices, for example, to allow applications for a standardized or operator-specific SST.
  - Select Policies > Security and Add a Security policy rule by Name.
  - Select Source and Add one or more Network Slices in either of the following formats:
    - Standardized SST (select eMBB, MIoT, or URLLC).
    - Operator-specific SST in the format text,number (the number range is 128 to 255, in decimal; the number appears in hexadecimal in logs).
  - (Optional) Add Source Subscriber and Source Equipment names to this Security policy rule to make the rule more restrictive.
  - Specify Source Zone, Source Address, Source User, and Source Device, or use the default Any setting for each.
  - Specify Destination Zone, Destination Address, and Destination Device, or use the default Any setting for each.
  - For Applications, select, for example, modbus and web-browsing.
  - On the Actions tab, select the Action, such as Allow.
  - Select profiles you want to apply, such as Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, and WildFire Analysis.
  - Select Log Settings, such as Log at Session Start and Log at Session End.
  - Click OK.
- Commit.
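As an added illustration (not Palo Alto Networks code), the following Python helper validates the two Network Slice entry formats described in the last rule (a standardized SST name, or operator-specific text,number with the number in 128 to 255 decimal) and checks a rule's slice entries against the hexadecimal SST value that the firewall writes to its logs. The standardized SST values eMBB=1, URLLC=2, MIoT=3 are taken from 3GPP TS 23.501, not from this page, and the sample log record is constructed.

```python
"""Validate Network Slice rule entries and match them against logged SST values.
Added example; not part of the PAN-OS product or its documentation."""
import re
from typing import List, Optional, Tuple

# Standardized SST values per 3GPP TS 23.501 (assumed mapping, not stated on the page).
STANDARD_SST = {"eMBB": 1, "URLLC": 2, "MIoT": 3}
# The page states operator-specific SSTs are entered in decimal, range 128 to 255.
OPERATOR_SST_RANGE = range(128, 256)
_OPERATOR_ENTRY = re.compile(r"^([^,]+),(\d+)$")


def parse_slice(entry: str) -> Tuple[str, int]:
    """Return (label, sst) for one Network Slice entry; raise ValueError if malformed."""
    entry = entry.strip()
    if entry in STANDARD_SST:
        return entry, STANDARD_SST[entry]
    m = _OPERATOR_ENTRY.match(entry)
    if not m:
        raise ValueError(f"{entry!r}: expected a standardized SST or text,number")
    label, sst = m.group(1).strip(), int(m.group(2))
    if sst not in OPERATOR_SST_RANGE:
        raise ValueError(f"{entry!r}: operator-specific SST must be 128-255 decimal")
    return label, sst


def rule_matches_log(rule_slices: List[str], logged_sst_hex: str) -> Optional[str]:
    """Return the label of the rule entry whose SST equals the hex SST from a log
    record (the page says the number is logged in hexadecimal), or None."""
    logged = int(logged_sst_hex, 16)
    for entry in rule_slices:
        label, sst = parse_slice(entry)
        if sst == logged:
            return label
    return None


def matching_labels(rule_slices: List[str], log_records: List[dict]) -> List[Optional[str]]:
    """Evaluate a list of constructed log records of the form {"sst": "<hex>"}."""
    return [rule_matches_log(rule_slices, rec["sst"]) for rec in log_records]


if __name__ == "__main__":
    rule = ["eMBB", "factory-iot,200"]            # one standardized, one operator SST
    logs = [{"sst": "01"}, {"sst": "c8"}, {"sst": "02"}]  # constructed sample records
    print(matching_labels(rule, logs))           # ['eMBB', 'factory-iot', None]
```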