: Mobile Network Protection Profile
Focus
Focus

Mobile Network Protection Profile

Table of Contents

Mobile Network Protection Profile

Use these fields to create a Mobile Network Protection profile to define how the firewall inspects, validates, and filters GTP traffic.
The Mobile Network Protection profile (
Objects
Security Profiles
Mobile Network Protection
) enables the firewall to inspect Mobile Network traffic. Based on your deployment type, the options in the profile allow you to enable stateful inspection of GTPv1-C, GTPv2-C, PFCP, and 5G-C, as well as enable protocol validation for these protocols. You can also Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation and enable GTP-U content inspection to scan user data within GTP-U tunnels.
The other options allow you to filter GTP sessions based on APN, IMSI-Prefix, and RAT, and prevent end-user IP address spoofing to protect the mobile subscribers from being overbilled.
You must attach the Mobile Network Protection profile to a Security policy rule for a zone.
Field
Description
GTP Inspection
GTP Inspection applies to the following deployment types:
  • GTP Stateful Inspection
    in 4G and 3G deployments
  • PFCP Stateful Inspection
    in 5G deployments
  • GTP-U
    Validity checks for
    Intelligent Security Correlation
GTP-C
  • Select
    Stateful Inspection
    to enable the firewall to inspect
    GTPv1-C
    or
    GTPv2-C
    or both. When you enable stateful inspection, the firewall uses the source IP address, source port, destination IP address, destination port, protocol, and the Tunnel Endpoint IDs (TEID) to keep track of a GTP session. It also checks and validates the order of the different types of GTP messages that establish a GTP tunnel. The TEID uniquely identifies the GSN tunnel endpoints. The tunnels for an uplink and a downlink are separate and use a different TEID.
  • Select the
    Action
    that the firewall takes upon a validity check failure:
    Alert
    allows the traffic but generates a log;
    Block
    denies the traffic and generates a log.
  • Specify the validity checks that the firewall performs on a GTP header and the Information Elements (IE) in a payload (and to which the firewall applies the specified
    Action
    ):
    • Reserved IE
      —Checks for the GTPv1-C or GTPv2-C messages that use reserved IE values.
    • Order of IE
      (
      GTPv1-C only
      )—Checks that the order of IEs in GTPv1-C messages is accurate.
    • Length of IE
      —Checks for the GTPv1-C or GTPv2-C messages with invalid IE length.
    • Reserved field in header
      —Checks for malformed packets that use invalid values or reserved values in a header.
    • Unsupported message type
      —Checks for unknown or incorrect message types.
NAT for outer GTP sessions is not supported with GTP stateful inspection.
GTP-U
Enabling
Stateful Inspection
for
GTPv1-C
and/or
GTPv2-C
automatically enables
GTP-U
stateful inspection. Enabling
PFCP Stateful Inspection
or
Intelligent Security Correlation
also enables GTP-U stateful inspection.
You can specify the following validity checks for GTP-U payloads and
Block
or
Alert
upon a validity check failure:
  • Reserved IE
    —Checks for the GTP-U messages that use reserved IE values in the payload.
  • Order of IE
    —Checks that the order of the IEs in GTP-U messages is correct.
  • Length of IE
    —Checks for messages with invalid IE length.
  • Reserved field in header
    —Checks for malformed packets that use invalid values or reserved values in a header.
  • Unsupported message type
    —Checks for unknown or incorrect message types.
You can also
allow
,
block
or
alert
on:
  • End User IP Address Spoofing
    —When the source IP address in a GTP-U packet from the subscriber user equipment is not the same as the IP address in the corresponding GTP-C message exchanged during tunnel set up.
    This option is not supported for PFCP Stateful Inspection or Intelligent Security with Correlation.
  • GTP-in-GTP
    —A GTP message inside another GTP message. Upon detection, the firewall generates a GTP log with critical severity.
  • Log at GTP-U session start
    —Log the associated IP address and tunnel endpoint ID in the GTP logs at the beginning of a GTP-U session.
  • Log at GTP-U session end
    —Log the associated IP address and tunnel endpoint ID in the GTP logs at the conclusion of a GTP-U session.
GTP-U (cont)
Enable
GTP-U Content Inspection
if you want to inspect and apply policy to the user data payload within a GTP-U packet. Inspecting GTP-U content allows you to correlate IMSI and IMEI information learned from GTP-C messages with the IP traffic encapsulated in GTP-U packets.
You don’t need a Tunnel Content Inspection policy to perform content inspection inside GTP-U tunnels if you use a GTP Protection profile and enable
GTP-U Content Inspection
.
GTP-U inner sessions do not support decryption, NAT, or policy-based forwarding (PBF).
5G-C
For 5G, enable
5G-HTTP2
to enable inspection of 5G HTTP/2 control packets, which can contain subscriber IDs, equipment IDs, and network slice information. This allows you to correlate subscriber ID (IMSI), equipment ID (IMEI), and network slice ID information learned from HTTP/2 messages with the IP traffic encapsulated in GTP-U packets.
Enabling
5G-HTTP2
disables GTP-C for the profile and enables GTP-U.
PFCP
For Packet Forwarding Control Protocol (PFCP), enable
Stateful Inspection
to inspect PFCP traffic. When you enable stateful inspection for PFCP traffic, the firewall inspects the traffic between the 5G core and the UPF to help prevent attacks such as Denial of Service (DOS) or spoofing. The UPF can be on the MEC site and the 5G Core can be in a central core site or the public cloud.
If you enable this option, Actions for GTP-U End User IP Address Spoofing are not available.
You can specify the following state checks:
  • Check Association Messages
    —Checks for any PFCP association messages that are out of order or that have been rejected.
  • Check Session Messages
    —Checks for any PFCP session messages that are out of order or that have been rejected.
  • Check Sequence Number
    —Confirms that the sequence number in the PFCP matches the sequence number in the PFCP request message.
You can then specify the
Action
(
Allow
,
Alert
, or
Block
) you want the firewall to take when the check is unsuccessful.
You can also select if you want the firewall to create a log at the beginning or ending of the PFCP associations or sessions.
Correlation
Correlation options apply for deployments using Intelligent Security Correlation with PFCP or RADIUS.
UEIP Correlation
Enables correlation between the subscriber ID and equipment ID to user equipment (UE) IP-based traffic for GTP-U content inspection.
Mode
  • Loose
    —(Default) When the firewall detects GTP-U inner traffic, it queries the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
  • Strict
    —Drops the traffic if the GTP-U query returns no results.
User Plane with GTP-U encapsulation
Select the
User Plane with GTP-U encapsulation option
to enable UEIP Correlation for a 5G interface if the firewall is located on the N6/SGi interface.
Source
Select the source you want to use to correlate the information.
For deployments using CUPS, select PFCP.
Log at UEIP Start
Log UEIP correlation events when the firewall allocates an IP address to the UE.
Log at UEIP End
Log UEIP correlation events when the firewall releases the allocated IP address.
Filtering Options
Filtering options apply to 4G and 3G deployments with GTP Stateful Inspection.
RAT Filtering
By default all Radio Access Technologies (RAT) are allowed. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the RAT filter. You can specify whether to
allow
,
block
or
alert
on the following Remote Access Technologies (RAT) that the user equipment uses to access the mobile core network:
  • UTRAN
  • GERAN
  • WLAN
  • GAN
  • HSPA Evolution
  • EUTRAN
  • Virtual
  • EUTRAN-NB-IoT
  • LTE-M
  • NR
IMSI Filtering
IMSI (International Mobile Subscriber Identity) is a unique identification associated with a subscriber in GSM, UMTS and LTE networks that is provisioned in the Subscriber Identity Module (SIM) card.
An IMSI is usually presented as a 15-digit number (8 bytes), but can be shorter. IMSI has three parts:
  • Mobile Country Code (MCC) consisting of three digits. The MCC uniquely identifies the country of domicile of the mobile subscriber.
  • Mobile Network Code (MNC) consisting of two or three digits; 2 digits European standard or 3 digits North America standard. The MNC identifies the home PLMN of the mobile subscriber.
  • Mobile Subscriber Identification Number (MSIN) identifying the mobile subscriber within a PLMN.
The
IMSI Prefix
combines the MCC and MNC and allows you to
allow
,
block
, or
alert
on GTP traffic from a specific PLMN. By default all IMSI are allowed.
You can either manually enter or import a csv file with IMSI or IMSI prefixes into the firewall. The IMSI can include a wildcard, for example, 310* or 240011*. The firewall supports a maximum of 5,000 IMSI or IMSI prefixes.
APN Filtering
The Access Point Name (APN) is a reference to a GGSN/ PGW that a user equipment requires to connect to the internet. The APN is composed of two parts:
  • APN Network Identifier that defines the external network to which the GGSN/PGW is connected and optionally a requested service by the mobile station. This part of the APN is mandatory.
  • APN Operator Identifier that defines in which PLMN GPRS/EPS backbone the GGSN/PGW is located. This part of the APN is optional.
By default all APNs are allowed. The APN filter allows you to
allow
,
block
, or
alert
on GTP traffic based on the APN value. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the rules defined for APN filtering.
You can manually add or import an APN filtering list into the firewall. The value for the APN must include the network ID or the domain name of the network (for example, example.com) and, optionally, the operator ID.
For APN filtering, the wildcard (*) allows you to match for all APN. A combination of * and other characters is not supported for wildcards. For example, internet.mnc* will be treated as regular APN and will not filter all entries that start with internet.mnc.
The firewall supports a maximum of 1,000 APN filters.
GTP Tunnel Limit
GTP Tunnel Limit settings apply to 4G and 3G deployments with GTP Stateful Inspection.
Max Concurrent Tunnels Allowed per Destination
Allows you to limit the maximum number of GTP-U tunnels to a destination IP address, for example, to the GGSN. Range: 0 to 100,000,000 tunnels.
Alert at Max Concurrent Tunnels per Destination
Specify the threshold at which the firewall triggers an alert when the maximum number of GTP-U tunnels to a destination has been established. A GTP log message of high severity is generated when the configured tunnel limit is reached.
Logging Frequency
The number of events that the firewall counts before it generates a log when the configured GTP tunnel limits are exceeded. This setting allows you to reduce the volume of messages logged. Default: 100; range: 1 to 100,000,000
Overbilling Protection
Select the virtual system that serves as the Gi/ SGi firewall on your firewall. The Gi/ SGi firewall inspects the mobile subscriber IP traffic traversing the Gi/ SGi interface from the PGW/ GGSN to the external PDN (packet data network) such as the internet and secures internet access for mobile subscribers.
Overbilling can occur when a GGSN assigns a previously used IP address from the End User IP address pool to a mobile subscriber. When a malicious server on the internet continues to send packets to this IP address as it did not close the session initiated for the previous subscriber and the session is still open on the Gi Firewall. To disallow data from being delivered, whenever a GTP tunnel is deleted (detected by delete-PDP or delete-session message) or timed-out, the firewall enabled for overbilling protection notifies the Gi/ SGi firewall to delete all the sessions that belong to the subscriber from the session table. GTP Security and SGi/ Gi firewall should be configured on the same physical firewall, but can be in different virtual systems.
In order to delete sessions based on GTP-C events, the firewall needs to have all the relevant session information and this is possible only when you manage traffic from the SGi + S11 or S5 interfaces for GTPv2 and Gi + Gn interfaces for GTPv1 in the mobile core network.
Other Log Settings
By default the firewall does not log allowed messages for mobile network events. You should be selective if you enable logging of
Allowed Messages
for troubleshooting when needed, because such logging will generate a high volume of logs. In addition to logging
Allowed Messages
, this tab also allows you to selectively enable logging of user location information.
GTPv1-C Allowed Messages
Allows you to selectively enable logging of allowed GTPv1-C messages, if you have enabled
Stateful Inspection
for GTPv1-C. These messages generate logs to help you troubleshoot issues as needed. By default, the firewall does not log allowed messages. The logging options for allowed GTPv1-C messages are:
  • Tunnel Management
    —These GTPv1-C messages are used to manage the GTP-U tunnels, which carry encapsulated IP packets and signaling messages between a given pair of network nodes such as SGSN and GGSN. Messages logged under this option are: Create PDP Context Request, Create PDP Context Response, Update PDP Context Request, Update PDP Context Response, Delete PDP Context Request, Delete PDP Context Response, Forward Relocation Request, Forward Relocation Response, Forward Relocation Complete, Forward Relocation Complete Acknowledge, SGSN Context Request, SGSN Context Response, and SGSN Context Acknowledge. The rest of the tunnel management messages are logged as
    Others
    (explained below).
  • Path Management
    —These GTPv1-C messages are typically sent by the GSN or Radio Network Controller (RNC) to the other GSN or RNC to find out if the peer is alive. They include messages such as Echo Request/ Response.
  • Others
    —These messages include location management, mobility management, RAN information management and Multimedia Broadcast Multicast Service (MBMS) messages.
Log User Location
Allows you to include the user location information (as area code and Cell ID) in GTP logs.
Packet Capture
Enables you to capture events.
GTPv2-C Allowed Messages
Allows you to selectively enable logging of the allowed GTPv2-C messages, if you have enabled
Stateful Inspection
for GTPv2-C. These messages generate logs to help you troubleshoot issues as needed. By default, the firewall does not log allowed messages. The logging options for allowed GTPv2-C messages are:
  • Tunnel Management
    —These GTPv2-C messages are used to manage the GTP-U tunnels, which carry encapsulated IP packets and signaling messages between a given pair of network nodes such as the SGW and PGW. Messages logged under this option are: Create Session Request, Create Session Response, Modify Bearer Request, Modify Bearer Response, Delete Session Request, Delete Session Context Response. The rest of the tunnel management messages are logged under the option
    Others
    .
  • Path Management
    —These GTPv2-C messages are typically sent by a network node such as the SGW or PGW to the other PGW or SGW to find out if the peer is alive. They include messages such as Echo Request/ Response.
  • Others
    —These messages include mobility management and Non-3GPP access related messages.
GTP-U Allowed Messages
Allows you to selectively enable logging of the allowed GTP-U messages, if you have enabled
Stateful Inspection
for GTPv2-C and/or GTPv1-C. These messages generate logs to help you troubleshoot issues as needed.
The logging options for allowed GTP-U messages are:
  • Tunnel Management
    —These are GTP-U signaling messages such as Error Indication.
  • Path Management
    —These GTP-U messages are sent by a network node (such as eNodeB) to another network node (such as SGW) to find out if the peer is alive. It includes messages such as Echo Request/ Response.
  • G-PDU
    —G-PDU (GTP-U PDU) is used for carrying user data packets within the network nodes in the mobile core network; it consists of a GTP header plus a T-PDU.
G-PDU Packets Logged per New GTP-U Tunnel
Enable this option to verify that the firewall is inspecting GTP-U PDUs. The firewall generates a log for the specified number of G-PDU packets in each new GTP-U tunnel. Range is 1 to 10; default is 1.
Packet Capture
Enable this log setting to capture a GTP packet that is any of the following types of GTP event:
  • GTP-in-GTP
  • End user IP address spoofing
  • Abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have a missing mandatory Information Element (IE), invalid IE, out-of-order IE, invalid header, or unsupported message type
  • Other abnormal GTPv1-C, GTPv2-C, and GTP-U messages
5G-C Allowed Messages
Select
N11
to selectively enable logging of allowed N11 messages. N11 messages help you with troubleshooting and provide deeper visibility into the HTTP/2 messages exchanged over an N11 interface for different procedures. This field is available only if you enabled
5G-HTTP2
on the
5G-C
tab in the Mobile Network Protection profile.
PFCP Allowed Messages
Allows you to selectively enable logging of the allowed PFCP messages if you enabled stateful inspection for PFCP. These messages generate logs to help you troubleshoot issues as needed.
The logging options for allowed PFCP messages are:
  • Session Establishment
    —These PFCP messages set up the session, including establishing the GTP-U tunnel.
  • Session Modification
    —These PFCP messages are sent if the session ID or PDR ID changes (for example, as a result of moving from a 4G to a 5G network. It includes messages such as PFCP Session Modification Request and PFCP Session Modification Response.
  • Session Deletion
    —These PFCP messages terminate the PFCP session, including releasing associated resources.

Recommended For You