RAN Security

GTP deployment on a firewall includes Radio Access Network (RAN) security.
When you deploy a firewall for Radio Access Network (RAN) security, the firewall inspects the traffic that flows between the Backhaul (BH) and the EPC. The firewall is most commonly deployed on the S1-U and S11 interfaces so that it inspects both GTPv2-C and GTP-U traffic.
When you configure GTP security for RAN, you should also configure SCTP security for RAN as described in SCTP Use Cases.
If you deploy the firewall for RAN security in a mobile network that uses both 3G and 4G/LTE technologies, the firewall supports a deployment option that enforces GTP security in network topologies that contain a combo node of a Serving Gateway (SGW) and Packet Gateway (PGW) known as S-PGW. In this network topology, the S5 interface is not exposed, so to support migration between 3G and 4G/LTE, PAN-OS uses the Gn (SGSN-MME) interface.
GTP security supports the following procedures as defined in 3GPP TS 23.401 version 15.12.0:
  • MME to 3G SGSN combined hard handover and SRNS relocation procedure
  • 3G SGSN to MME combined hard handover and SRNS relocation procedure
  • Routing Area Update
  • Gn/Gp SGSN to MME Tracking Area Update
  • E-UTRAN to GERAN A/Gb mode Inter RAT handover
  • GERAN A/Gb mode to E-UTRAN Inter RAT handover
To view the GTP messages that the firewall generates to support this capability when you enable Tunnel Management for GTPv1-C allowed messages, refer to GTP Message Type.
In the following network topology, to apply security policy to user and control traffic, the firewall must be positioned on the 4G/LTE interfaces, including the Control Plane (S11) and User Plane (S1-U), as well as the 3G interfaces, which include the Control Plane (Gn [SGSN-MME]) and the Control and User Plane (Gn [SGSN-GGSN]). You must enable GTP Security to get complete subscriber-level and equipment-level visibility and policy control over threats and traffic in the network.
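As an added example (not PAN-OS code or configuration), the following Python sketch shows what inspecting GTPv2-C on S11, GTP-U on S1-U and GTPv1-C on Gn means at the header level: it decodes the common GTPv1/GTPv2 header and checks that the version, plane and message type fit the interface the packet arrived on. The interface mapping and the per-plane allow-lists are assumptions derived from the topology above and from 3GPP TS 29.060, TS 29.274 and TS 29.281, not the firewall's own settings; the sample packets are constructed.

```python
import struct
GTP_U_PORT = 2152  # GTP-U; GTP-C (v1 and v2) uses UDP 2123
# Interface -> expected (GTP version, plane), assumed from the topology above:
# S11 carries GTPv2-C, S1-U carries GTP-U, Gn carries GTPv1-C and GTP-U.
INTERFACE_EXPECTS = {"S11": {(2, "control")}, "S1-U": {(1, "user")},
                     "Gn": {(1, "control"), (1, "user")}}
# Constructed allow-lists (not the firewall's); types per TS 29.274 / 29.060 / 29.281.
ALLOWED = {
    (2, "control"): {1, 2, 32, 33, 34, 35, 36, 37},  # Echo, Create/Modify/Delete Session
    (1, "control"): {1, 2, 16, 17, 18, 19, 20, 21},  # Echo, Create/Update/Delete PDP Context
    (1, "user"): {1, 2, 26, 254, 255},               # Echo, Error Indication, End Marker, G-PDU
}
def parse_gtp(udp_dst_port, payload):
    """Decode the GTPv1/GTPv2 header fields a verdict needs; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5
    if version == 1:  # GTPv1-C and GTP-U share this header; the UDP port tells them apart
        if not flags & 0x10:
            raise ValueError("PT=0 is GTP' (charging), not GTP")
        teid = struct.unpack("!I", payload[4:8])[0]
        plane = "user" if udp_dst_port == GTP_U_PORT else "control"
        total = 8 + length  # length counts bytes after the 8-byte mandatory header
    elif version == 2:  # GTPv2 is control plane only; TEID is present only when T=1
        teid = struct.unpack("!I", payload[4:8])[0] if flags & 0x08 else None
        plane, total = "control", 4 + length  # length counts bytes after the first 4
    else:
        raise ValueError(f"unsupported GTP version {version}")
    if len(payload) < total:
        raise ValueError("declared length exceeds packet")
    return {"version": version, "plane": plane, "msg_type": msg_type, "teid": teid}
def check(interface, udp_dst_port, payload):
    """Return (verdict, reason) for one UDP payload seen on the named interface."""
    try:
        hdr = parse_gtp(udp_dst_port, payload)
    except ValueError as e:
        return "drop", str(e)
    key = (hdr["version"], hdr["plane"])
    if key not in INTERFACE_EXPECTS[interface]:
        return "drop", f"GTPv{key[0]} {key[1]} plane not expected on {interface}"
    if hdr["msg_type"] not in ALLOWED[key]:
        return "drop", f"message type {hdr['msg_type']} not allowed on {interface}"
    return "allow", f"GTPv{key[0]} {key[1]} type {hdr['msg_type']} TEID {hdr['teid']}"
# Constructed sample UDP payloads (not captured traffic)
S11_CREATE_SESSION = bytes([0x48, 32, 0, 8]) + bytes(4) + b"\x00\x00\x01\x00"  # v2, T=1, TEID 0, seq 1
S1U_GPDU = bytes([0x30, 255, 0, 4]) + struct.pack("!I", 0xABCD) + b"\x45\x00\x00\x00"  # v1, G-PDU
GN_CREATE_PDP = bytes([0x32, 16, 0, 0]) + struct.pack("!I", 1)  # v1-C, Create PDP Context Request
```

Running `check("S11", 2123, GN_CREATE_PDP)` drops the packet because a GTPv1-C message has no business on S11, while the same payload on Gn is allowed.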