Configure 4G Subscriber ID Security

Secure your 4G traffic with Security policy rules that specify source subscriber identifiers.
Configure network security based on the subscriber identity of a user who is trying to access your 4G network.
Before you begin configuring 4G Subscriber ID Security, gather the IP addresses of the following devices in your topology so that you can use them as source and destination addresses in Security policy rules controlling traffic to and from these devices:
  • eNodeB (eNB)
  • Mobility Management Entity (MME)
  • Serving Gateway (SGW)
  • Packet Gateway (PGW)
  1. Enable GTP Security.
    1. Select Device > Setup > Management > General Settings. Select GTP Security.
    2. Click OK.
    3. Commit the change.
    4. Select Device > Setup > Operations and Reboot Device.
  2. Enable inspection of 4G GTPv2-C control packets and content inspection of GTP-U packets; create a Mobile Network Protection profile.
    1. Select Objects > Security Profiles > Mobile Network Protection.
    2. Add a profile by Name, for example, 4G Mobile security.
    3. Enter a Description.
    4. On the GTP Inspection tab, select GTP-C.
    5. Enable GTPv2-C Stateful Inspection to enable inspection of GTPv2 control packets.
    6. Select GTP-U and enable GTP-U Content Inspection to correlate context from 4G GTPv2-C control packets (Subscriber IDs and Equipment IDs) to IP user traffic inside a GTP-U tunnel.
    7. Select Filtering Options and RAT Filtering; for example, you can allow UTRAN, GERAN, HSPA EVOLUTION, EUTRAN, EUTRAN-NB-IOT, and LTE-M and block other RATs.
    8. (Optional) Select Other Log Settings and Log User Location.
    9. (Optional) To troubleshoot, select Other Log Settings and select GTPv2-C Allowed Messages for Tunnel Management, Path Management, and Others. You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU.
    10. Click OK.
  3. Create address objects for the IP addresses assigned to the network elements in your topology, such as in deployment option 1: the MME on the S11 interface, the eNB on the S1-U interface, and the SGW on the S1-U and S11 interface; or deployment option 2: the SGW on the S5/S8 interface and PGW on the S5/S8 interface.
  4. (Optional) Create an External Dynamic List (EDL) of Type Subscriber Identity List; the Source of the list provides access to a server that provides identifiers of users connected to the 4G network, for which you want to allow traffic.
  5. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
    1. Select Policies > Security and Add a Security policy rule by Name.
    2. Select the Source tab and Add a Source Zone or select Any.
    3. For Source Address, Add the address objects for the 4G network elements that you want to allow.
    4. On the Destination tab, Add as the Destination Address the address objects for the 4G network elements that you want to allow.
    5. Add the Applications to allow, such as gtp-u for user plane and gtpv2-c for control plane traffic.
    6. On the Actions tab, select the Action, such as Allow.
    7. Select the Mobile Network Protection profile you created.
    8. Select Log Settings, such as Log at Session Start and Log at Session End.
    9. Click OK.
  6. Create another Security policy rule based on Subscriber ID.
    1. Select Policies > Security and Add a Security policy rule by Name, for example, Subscriber ID Security.
    2. Select the Source tab and Add a Source Zone or select Any.
    3. Add one or more Source Subscriber IDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
      • IMSI (14 or 15 digits)
      • Range of IMSI values separated by a hyphen. In a range, only the 11th digit through the 15th digit of the IMSI can change from the start of the range to the end of the range; for example, 111111111111122-111111111119999.
      • IMSI prefix of six digits, with an asterisk (*) as the wildcard after the prefix; for example, 926789*
      • External dynamic list (EDL) that specifies IMSIs
    4. (Optional) You can add Source Equipment identities to this Security policy rule to make the rule more restrictive.
    5. Specify Destination Zone, Destination Address, and Destination Device as Any.
    6. Add the Applications to allow, for example, youtube, facebook, linkedin, and twitter.
    7. On the Actions tab, select the Action, such as Allow.
    8. Select profiles you want to apply, such as Antivirus, Vulnerability Protection, and Anti-Spyware.
    9. Select Log Setting, such as Log at Session End.
    10. Click OK.
  7. Commit.
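The following is an added example, not Palo Alto Networks' code or a representation of PAN-OS internals. It models the two Security policy rules configured in steps 5 and 6 so that you can check, offline, which sessions each rule would match: it validates Source Subscriber ID entries in the formats listed in step 6.3 (a 14- or 15-digit IMSI, an IMSI range in which only the 11th digit onward may change, and a six-digit prefix with a `*` wildcard), reads a constructed Subscriber Identity List EDL, and evaluates constructed sessions against an ordered rulebase with a default deny. The IP addresses, IMSIs, rule and profile names are constructed sample values, and the EDL text format (one entry per line) is an assumption.

```python
"""Policy-rule model for 4G Subscriber ID Security (added example, not vendor code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IMSI_RE = re.compile(r"^\d{14,15}$")     # IMSI: 14 or 15 digits
PREFIX_RE = re.compile(r"^(\d{6})\*$")   # six-digit prefix followed by '*'


def parse_subscriber_entry(entry: str) -> Tuple[str, object]:
    """Classify one Source Subscriber ID entry.

    Returns ('imsi', imsi), ('prefix', six_digits) or ('range', (start, end)).
    Raises ValueError for anything outside the documented formats, including a
    range whose first ten digits differ (only the 11th digit onward may change).
    """
    entry = entry.strip()
    if IMSI_RE.match(entry):
        return "imsi", entry
    m = PREFIX_RE.match(entry)
    if m:
        return "prefix", m.group(1)
    if "-" in entry:
        start, end = entry.split("-", 1)
        if not (IMSI_RE.match(start) and IMSI_RE.match(end)):
            raise ValueError(f"range bounds must be 14- or 15-digit IMSIs: {entry}")
        if len(start) != len(end) or start[:10] != end[:10] or start > end:
            raise ValueError(f"only the 11th digit onward may vary in a range: {entry}")
        return "range", (start, end)
    raise ValueError(f"unsupported subscriber ID format: {entry}")


def imsi_matches(imsi: str, entry: str) -> bool:
    """True if the IMSI learned from GTPv2-C signalling matches one policy entry."""
    kind, value = parse_subscriber_entry(entry)
    if kind == "imsi":
        return imsi == value
    if kind == "prefix":
        return imsi.startswith(value)
    start, end = value
    # Equal-length digit strings order lexicographically exactly like integers.
    return len(imsi) == len(start) and start <= imsi <= end


def load_edl(text: str) -> List[str]:
    """Constructed EDL reader (assumption): one subscriber entry per non-blank line."""
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    for e in entries:
        parse_subscriber_entry(e)  # reject malformed entries when the list is loaded
    return entries


@dataclass
class Rule:
    name: str
    action: str
    apps: Set[str]
    src_addrs: Set[str] = field(default_factory=set)   # empty set means Any
    dst_addrs: Set[str] = field(default_factory=set)   # empty set means Any
    subscriber_ids: List[str] = field(default_factory=list)
    profile: Optional[str] = None


@dataclass
class Session:
    src: str
    dst: str
    app: str
    imsi: Optional[str] = None   # None when no GTP-C context exists for the flow


def rule_matches(rule: Rule, s: Session) -> bool:
    """Every configured match criterion of the rule must hold for the session."""
    if rule.src_addrs and s.src not in rule.src_addrs:
        return False
    if rule.dst_addrs and s.dst not in rule.dst_addrs:
        return False
    if s.app not in rule.apps:
        return False
    if rule.subscriber_ids:
        # A rule keyed on Subscriber ID cannot match traffic with no known IMSI.
        if s.imsi is None or not any(imsi_matches(s.imsi, e) for e in rule.subscriber_ids):
            return False
    return True


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """First-match evaluation; unmatched sessions fall through to a default deny."""
    for r in rules:
        if rule_matches(r, s):
            return r.name, r.action
    return "default-deny", "deny"


# Constructed topology addresses for deployment option 1 (eNB, MME, SGW).
ENB, MME, SGW = "10.1.1.10", "10.1.2.20", "10.1.3.30"
# Constructed body of an EDL of type Subscriber Identity List.
EDL_TEXT = "505001234567890\n404011*\n"

RULES = [
    Rule("4G GTP", "allow", apps={"gtp-u", "gtpv2-c"},
         src_addrs={ENB, MME, SGW}, dst_addrs={ENB, MME, SGW},
         profile="4G Mobile security"),
    Rule("Subscriber ID Security", "allow",
         apps={"youtube", "facebook", "linkedin", "twitter"},
         subscriber_ids=["926789*", "111111111111122-111111111119999"] + load_edl(EDL_TEXT)),
]

if __name__ == "__main__":
    for sess in (Session(ENB, SGW, "gtp-u"),
                 Session("10.20.0.5", "203.0.113.7", "youtube", "926789000000001"),
                 Session("10.20.0.5", "203.0.113.7", "youtube", "111111111110000")):
        print(sess, "->", evaluate(RULES, sess))
```

The range check is the part worth copying into your own pre-commit validation: it rejects a range such as `111111111111122-222222222222222` before it reaches the firewall, because the first ten digits must be identical. Source Equipment IDs (step 6.4) are not modelled here.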