Configure 5G Subscriber ID Security

1. Enable GTP security.
   1. Select DeviceSetupManagementGeneral Settings. Select GTP Security.
   2. Click OK.
   3. Commit the change.
   4. Select DeviceSetupOperations and Reboot Device.
2. Enable inspection of 5G HTTP/2 control packets; create a Mobile Network Protection profile.
   1. Select ObjectsSecurity ProfilesMobile Network Protection.
   2. Add a profile by Name, for example, 5G Mobile security.
   3. Enter a Description.
   4. On the GTP Inspection tab, select 5G-C.
   5. Enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets.

   6. Select GTP-U and enable GTP-U Content Inspection to correlate context from 5G HTTP/2 control packets (Subscriber IDs and Equipment IDs) to IP user traffic inside a GTP-U tunnel.
   7. Select Filtering Options and RAT Filtering; for example, you can allow NR (New Radio) and block other RATs.

   8. (Optional) Select Other Log Settings and Log User Location.
   9. (Optional) To troubleshoot, select Other Log Settings and select 5G Allowed Messages N11 (the HTTP/2 control messages). You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU.
   10. Click OK.
3. Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF on the N11 interface, the gNB on the N3 interface, the SMF on the N11 interface, and the UPF on the N3 interface.
4. (Optional) Create an External Dynamic List (EDL) of Type Subscriber Identity List; the Source of the list provides access to a server that provides identifiers of IoT devices connected to the 5G network, for which you want to allow (or deny) traffic.
5. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
   1. Select PoliciesSecurity and Add a Security policy rule by Name.
   2. Select Source tab and Add a Source Zone or select Any.
   3. For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.

   4. For Destination, Add the Destination Address address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow (the same ones you allowed for Source Address).
   5. Add the Applications to allow, such as the user plane, which is gtp-u and web-browsing, which has HTTP/2.
   6. On the Actions tab, select the Action, such as Allow.
   7. Select the Mobile Network Protection profile you created.
   8. Select other profiles you want to apply, such as Vulnerability Protection.
   9. Select Log Settings, such as Log at Session Start and Log at Session End.
   10. Click OK.
6. Create another Security policy rule based on Subscriber ID.
   1. Select PoliciesSecurity and Add a Security policy rule by Name, for example, Equipment ID Security.
   2. Select Source tab and Add a Source Zone or select Any.
   3. Add one or more Source Subscriber IDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
      • 5G Subscriber Permanent Identifier (SUPI) including IMSI
      • IMSI (14 or 15 digits)
      • Range of IMSI values separated by a hyphen. In a range, only the 11th digit through the 15th digit of the IMSI can change from the start of the range to the end of the range; for example, 111111111111122-111111111119999.
      • IMSI prefix of six digits, with an asterisk (*) as the wildcard after the prefix
      • EDL that specifies IMSIs

   4. (Optional) You can add Source Equipment and Network Slice names to this Security policy rule to make the rule more restrictive.
   5. Specify Destination Zone, Destination Address, and Destination Device as Any.
   6. Add the Applications to allow, for example, ssh, ssl, radmin, and telnet.
   7. On the Actions tab, select the Action, such as Allow.
   8. Select profiles you want to apply, such as Antivirus, Vulnerability Protection, and Anti-Spyware.
   9. Select Log Settings, such as Log at Session Start and Log at Session End.
   10. Click OK.
7. Commit.