Configure 5G Network Slice Security

After you’ve read about 5G Network Slice Security, prepare to configure network slice security. Gather the IP addresses of the following devices in your topology so that you can use these addresses in Security policy rules controlling traffic to and from these devices:
  • gNodeB (gNB)
  • Access and Mobility Management Function (AMF)
  • Session Management Function (SMF)
  • User Plane Function (UPF)
  1. Enable GTP security.
    1. Select Device > Setup > Management > General Settings, then select GTP Security.
    2. Click OK.
    3. Commit the change.
    4. Select Device > Setup > Operations and Reboot Device.
  2. Enable inspection of 5G HTTP/2 control packets by creating a Mobile Network Protection profile.
    1. Select Objects > Security Profiles > Mobile Network Protection.
    2. Add a profile by Name, for example, 5G Mobile security.
    3. Enter a Description.
    4. On the GTP Inspection tab, select 5G-C.
    5. Enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets.
    6. Select GTP-U and enable GTP-U Content Inspection to correlate context from the 5G HTTP/2 control packets (Subscriber IDs and Equipment IDs) with the IP user traffic inside a GTP-U tunnel.
    7. Select Filtering Options and RAT Filtering; for example, you can allow NR (New Radio) and block other RATs.
    8. Select IMSI Filtering and Add one or more IMSI Prefixes with the desired action.
    9. Select APN Filtering and Add one or more APNs with the desired action.
    10. (Optional) To troubleshoot, select Other Log Settings and select 5G Allowed Messages N11 (the HTTP/2 control messages). You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU, and you can Log User Location.
    11. Click OK.
  3. Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF on the N11 interface, the gNB on the N3 interface, the SMF on the N11 interface, and the UPF on the N3 interface.
  4. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
    1. Select Policies > Security and Add a Security policy rule by Name.
    2. Select the Source tab and Add a Source Zone, or select Any.
    3. For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
    4. For Destination, Add the Destination Address address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow (the same ones you allowed for Source Address).
    5. Add the Applications to allow, such as gtp-u for the user plane and web-browsing, which carries the HTTP/2 control traffic.
    6. On the Actions tab, select the Action, such as Allow.
    7. Select the Mobile Network Protection profile you created.
    8. Select other profiles you want to apply, such as Vulnerability Protection.
    9. Select Log Settings, such as Log at Session Start and Log at Session End.
    10. Click OK.
  5. Create another Security policy rule based on Network Slices, for example, to allow applications for a standardized or operator-specific SST.
    1. Select Policies > Security and Add a Security policy rule by Name.
    2. Select Source and Add one or more Network Slices in either of the following formats:
       • Standardized SST (select eMBB, MIoT, or URLLC).
       • Operator-specific SST in the format text,number, where number is 128 to 255 in decimal. (The number appears in hexadecimal in logs.)
    3. (Optional) You can add Source Subscriber and Source Equipment names to this Security policy rule to make the rule more restrictive.
    4. Specify Source Zone, Source Address, Source User, and Source Device, or use the default Any setting for each.
    5. Specify Destination Zone, Destination Address, and Destination Device, or use the default Any setting for each.
    6. For Applications, select, for example, modbus and web-browsing.
    7. On the Actions tab, select the Action, such as Allow.
    8. Select profiles you want to apply, such as Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, and WildFire Analysis.
    9. Select Log Settings, such as Log at Session Start and Log at Session End.
    10. Click OK.
  6. Commit.
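As an added example (not part of this page or of the PAN-OS product), the following Python model shows how the two Network Slice entry formats from step 5 can be validated before they reach a rule, how an operator-specific SST shows up in hexadecimal when you later read the logs, and how a session's SST is matched against the slices in a rule. The numeric values for the standardized SSTs (eMBB 1, URLLC 2, MIoT 3) come from 3GPP TS 23.501, not from this page, and the entry names and session values are constructed.

```python
"""Validate Network Slice entries and match a session's SST against a rule."""
import re
from dataclasses import dataclass

# Standardized Slice/Service Type values per 3GPP TS 23.501 (assumption: the
# firewall's eMBB/URLLC/MIoT choices map to these numbers).
STANDARD_SST = {"eMBB": 1, "URLLC": 2, "MIoT": 3}
OPERATOR_SST_RANGE = range(128, 256)   # page: operator-specific SST is 128-255


@dataclass(frozen=True)
class SliceEntry:
    label: str
    sst: int            # SST in decimal, as typed into the rule

    @property
    def log_hex(self) -> str:
        """The page notes that the log shows the SST number in hexadecimal."""
        return f"0x{self.sst:02x}"


def parse_slice_entry(text: str) -> SliceEntry:
    """Accept a standardized name or the operator-specific 'text,number' form."""
    text = text.strip()
    if text in STANDARD_SST:
        return SliceEntry(text, STANDARD_SST[text])
    match = re.fullmatch(r"([A-Za-z][\w-]*),(\d+)", text)
    if not match:
        raise ValueError(f"bad Network Slice entry: {text!r}")
    sst = int(match.group(2))
    if sst not in OPERATOR_SST_RANGE:
        raise ValueError(f"operator-specific SST must be 128-255, got {sst}")
    return SliceEntry(match.group(1), sst)


def rule_matches(rule_slices: list[SliceEntry], session_sst: int) -> bool:
    """True when the session's SST is one of the slices configured on the rule."""
    return any(entry.sst == session_sst for entry in rule_slices)


if __name__ == "__main__":
    # Constructed rule: one standardized slice plus one operator-specific slice.
    rule = [parse_slice_entry(s) for s in ("URLLC", "factory-ot,200")]
    for entry in rule:
        print(f"{entry.label}: sst={entry.sst} (logs show {entry.log_hex})")
    print("session on SST 200 matches:", rule_matches(rule, 200))
    print("session on SST 1 matches:", rule_matches(rule, 1))
```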
