Configure 5G Network Slice Security

1. Enable GTP security.
   1. Select DeviceSetupManagementGeneral Settings. Select GTP Security.
   2. Click OK.
   3. Commit the change.
   4. Select DeviceSetupOperations and Reboot Device.
2. Configure stateful inspection with 5G-C for the N11 interface.
   1. Select ObjectsSecurity ProfilesMobile Network Protection.
   2. Add a profile by Name, for example, 5G-C Mobile security.
3. Enable inspection of 5G HTTP/2 control packets; create a Mobile Network Protection profile.
   1. Select ObjectsSecurity ProfilesMobile Network Protection.
   2. Add a profile by Name, for example, 5G Mobile security.
   3. Enter a Description.
   4. On the GTP Inspection tab, select 5G-C.
   5. Enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets.

   6. Select GTP-U and enable GTP-U Content Inspection to correlate context from 5G HTTP/2 control packets (Subscriber IDs and Equipment IDs) to IP user traffic inside a GTP-U tunnel.
   7. Select Filtering Options and RAT Filtering; for example, you can allow NR (New Radio) and block other RATs.

   8. Select IMSI Filtering and Add one or more IMSI Prefix(es) with the desired action.
   9. Select APN Filtering and Add one or more APNs with the desired action.
   10. (Optional) To troubleshoot, select Other Log Settings and select 5G Allowed Messages N11 (the HTTP/2 control messages). You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU. You can Log User Location.
   11. Click OK.
4. Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF on the N11 interface, the gNB on the N3 interface, the SMF on the N11 interface, and the UPF on the N3 interface.
5. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
   1. Select PoliciesSecurity and Add a Security policy rule by Name.
   2. Select Source tab and Add a Source Zone or select Any.
   3. For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.

   4. For Destination, Add the Destination Address address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow (the same ones you allowed for Source Address).
   5. Add the Applications to allow, such as the user plane, which is gtp-u and web-browsing, which has HTTP/2.
   6. On the Actions tab, select the Action, such as Allow.
   7. Select the Mobile Network Protection profile you created.
   8. Select other profiles you want to apply, such as Vulnerability Protection.
   9. Select Log Settings, such as Log at Session Start and Log at Session End.
   10. Click OK.
6. Create another Security policy rule based on Network Slices, for example, to allow applications for a standardized or operator-specific SST.
   1. Select PoliciesSecurity and Add a Security policy rule by Name.
   2. Select Source and Add one or more Network Slices in either of the following formats:
      • Standardized SST (select eMBB, MIoT, or URLLC).
      • Operator-specific SSTs in the format of text,number (number range is 128 to 255, in decimal). (The number appears in hexadecimal in logs.)

   3. (Optional) You can add Source Subscriber and Source Equipment names to this Security policy rule to make the rule more restrictive.
   4. Specify Source Zone, Source Address, Source User, and Source Device, or use the default Any setting for each.
   5. Specify Destination Zone, Destination Address, and Destination Device, or use the default Any setting for each.
   6. For Applications, select, for example, modbus and web-browsing.
   7. On the Actions tab, select the Action, such as Allow.
   8. Select profiles you want to apply, such as Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, and WildFire Analysis.
   9. Select Log Settings, such as Log at Session Start and Log at Session End.
   10. Click OK.
7. Commit.