Mobile Network Protection Profile
Table of Contents
Expand all | Collapse all
Mobile Network Protection Profile
Use these fields to create a Mobile Network Protection
profile to define how the firewall inspects, validates, and filters
GTP traffic.
The Mobile Network Protection profile (ObjectsSecurity ProfilesMobile Network Protection)
enables the firewall to inspect GTP traffic. The options in the
profile allow you to enable stateful inspection of GTPv1-C and GTPv2-C,
enable protocol validation for GTPv1-C, GTPv2-C, and GTP-U, and enable
GTP-U content inspection to scan user data within GTP-U tunnels.
The options also allow you to filter GTP sessions based on APN,
IMSI-Prefix, and RAT, and prevent end-user IP address spoofing to
protect the mobile subscribers from being overbilled.
To Configure
GTP Stateful Inspection, you must attach the Mobile Network
Protection profile to a Security policy rule for a zone.
Field | Description |
---|---|
GTP Inspection | |
GTP-C |
NAT
for outer GTP sessions is not supported with GTP stateful inspection. |
GTP-U | Enabling Stateful Inspection for GTPv1-C and/or GTPv2-C automatically
enables GTP-U stateful inspection. You
can specify the following validity checks for GTP-U payloads and Block or Alert upon
a validity check failure:
You can also allow, block or alert on:
|
GTP-U (cont) | Enable GTP-U Content Inspection if
you want to inspect and apply policy to the user data payload within
a GTP-U packet. Inspecting GTP-U content allows you to correlate
IMSI and IMEI information learned from GTP-C messages with the IP
traffic encapsulated in GTP-U packets. You don’t need
a Tunnel Content Inspection policy to perform content inspection
inside GTP-U tunnels if you use a GTP Protection profile and enable GTP-U
Content Inspection. GTP-U inner sessions
do not support decryption, NAT, or policy-based forwarding (PBF). |
5G-C | For 5G, enable 5G-HTTP2 to
enable inspection of 5G HTTP/2 control packets, which can contain
subscriber IDs, equipment IDs, and network slice information. This
allows you to correlate subscriber ID (IMSI), equipment ID (IMEI),
and network slice ID information learned from HTTP/2 messages with
the IP traffic encapsulated in GTP-U packets. Enabling 5G-HTTP2 disables
GTP-C for the profile. |
PFCP | For Packet Forwarding Control Protocol (PFCP), enable Stateful
Inspection to inspect PFCP traffic. When you enable
stateful inspection for PFCP traffic, the firewall inspects the
traffic between the MEC and the remote or central site to help prevent attacks
such as Denial of Service (DOS) or spoofing. If you enable
this option, Actions for GTP-U End User IP Address Spoofing are
not available. You can specify the following state checks:
You can then specify the Action (Allow, Alert,
or Block) you want the firewall to take when
the check is unsuccessful. You can also select if you want
the firewall to create a log at the beginning or ending of the PFCP
associations or sessions. |
Filtering Options | |
RAT Filtering | By default all Radio Access Technologies
(RAT) are allowed. GTP-C Create-PDP-Request and Create-Session-Request
messages are filtered or allowed based on the RAT filter. You can
specify whether to allow, block or alert on
the following Remote Access Technologies (RAT) that the user equipment
uses to access the mobile core network:
|
IMSI Filtering | IMSI (International Mobile Subscriber Identity)
is a unique identification associated with a subscriber in GSM, UMTS
and LTE networks that is provisioned in the Subscriber Identity
Module (SIM) card. An IMSI is usually presented as a 15-digit
number (8 bytes), but can be shorter. IMSI has three parts:
The IMSI
Prefix combines the MCC and MNC and allows you to allow, block,
or alert on GTP traffic from a specific PLMN.
By default all IMSI are allowed. You can either manually enter
or import a csv file with IMSI or IMSI prefixes into the firewall.
The IMSI can include a wildcard, for example, 310* or 240011*. The firewall
supports a maximum of 5,000 IMSI or IMSI prefixes. |
APN Filtering | The Access Point Name (APN) is a reference
to a GGSN/ PGW that a user equipment requires to connect to the
internet. The APN is composed of two parts:
By
default all APNs are allowed. The APN filter allows you to allow, block,
or alert on GTP traffic based on the APN
value. GTP-C Create-PDP-Request and Create-Session-Request messages
are filtered or allowed based on the rules defined for APN filtering. You
can manually add or import an APN filtering list into the firewall.
The value for the APN must include the network ID or the domain
name of the network (for example, example.com) and, optionally,
the operator ID. For APN filtering, the wildcard (*) allows
you to match for all APN. A combination of * and other characters
is not supported for wildcards. For example, internet.mnc* will
be treated as regular APN and will not filter all entries that start
with internet.mnc. The firewall supports a maximum of 1,000
APN filters. |
GTP Tunnel Limit | |
Max Concurrent Tunnels Allowed per Destination | Allows you to limit the maximum number of
GTP-U tunnels to a destination IP address, for example, to the GGSN.
Range: 0 to 100,000,000 tunnels. |
Alert at Max Concurrent Tunnels per Destination | Specify the threshold at which the firewall
triggers an alert when the maximum number of GTP-U tunnels to a
destination has been established. A GTP log message of high severity
is generated when the configured tunnel limit is reached. |
Logging Frequency | The number of events that the firewall counts before
it generates a log when the configured GTP tunnel limits are exceeded.
This setting allows you to reduce the volume of messages logged.
Default: 100; range: 1 to 100,000,000 |
Overbilling Protection | Select the virtual system that serves as
the Gi/ SGi firewall on your firewall. The Gi/ SGi firewall inspects
the mobile subscriber IP traffic traversing the Gi/ SGi interface
from the PGW/ GGSN to the external PDN (packet data network) such
as the internet and secures internet access for mobile subscribers. Overbilling
can occur when a GGSN assigns a previously used IP address from
the End User IP address pool to a mobile subscriber. When a malicious
server on the internet continues to send packets to this IP address as
it did not close the session initiated for the previous subscriber
and the session is still open on the Gi Firewall. To disallow data
from being delivered, whenever a GTP tunnel is deleted (detected
by delete-PDP or delete-session message) or timed-out, the firewall enabled
for overbilling protection notifies the Gi/ SGi firewall to delete
all the sessions that belong to the subscriber from the session
table. GTP Security and SGi/ Gi firewall should be configured on
the same physical firewall, but can be in different virtual systems. In
order to delete sessions based on GTP-C events, the firewall needs
to have all the relevant session information and this is possible
only when you manage traffic from the SGi + S11 or S5 interfaces
for GTPv2 and Gi + Gn interfaces for GTPv1 in the mobile core network. |
Other Log Settings By
default the firewall does not log allowed GTP messages. You should
be selective if you enable logging of GTP Allowed Messages for
troubleshooting when needed, because such logging will generate
a high volume of logs. In addition to logging Allowed
Messages, this tab also allows you to selectively enable logging
of user location information. | |
GTPv1-C Allowed Messages | Allows you to selectively enable logging
of allowed GTPv1-C messages, if you have enabled Stateful
Inspection for GTPv1-C. These messages generate logs
to help you troubleshoot issues as needed. By default, the firewall does
not log allowed messages. The logging options for allowed GTPv1-C
messages are:
|
Log User Location | Allows you to include the user location
information (as area code and Cell ID) in GTP logs. |
Packet Capture | Enables you to capture GTP events. |
GTPv2-C Allowed Messages | Allows you to selectively enable logging
of the allowed GTPv2-C messages, if you have enabled Stateful
Inspection for GTPv2-C. These messages generate logs
to help you troubleshoot issues as needed. By default, the firewall does
not log allowed messages. The logging options for allowed GTPv2-C
messages are:
|
GTP-U Allowed Messages | Allows you to selectively enable logging
of the allowed GTP-U messages, if you have enabled Stateful
Inspection for GTPv2-C and/or GTPv1-C. These messages
generate logs to help you troubleshoot issues as needed. The
logging options for allowed GTP-U messages are:
|
G-PDU Packets Logged per New GTP-U Tunnel | Enable this option to verify that the firewall
is inspecting GTP-U PDUs. The firewall generates a log for the specified
number of G-PDU packets in each new GTP-U tunnel. Range is 1 to
10; default is 1. |
Packet Capture | Enable this log setting to capture a GTP packet that
is any of the following types of GTP event:
|
5G-C Allowed Messages | Select N11 to selectively enable
logging of allowed N11 messages. N11 messages help you with troubleshooting
and provide deeper visibility into the HTTP/2 messages exchanged
over an N11 interface for different procedures. This field is available
only if you enabled 5G-HTTP2 on the 5G-C tab
in the Mobile Network Protection profile. |
PFCP Allowed Messages | Allows you to selectively enable logging
of the allowed PFCP messages if you enabled stateful inspection for
PFCP. These messages generate logs to help you troubleshoot issues
as needed. The logging options for allowed PFCP messages are:
|