: Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation
Focus
Focus

Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation

Table of Contents

Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation

If you use control plane and user plane separation (CUPS) architecture for migration from 4G to 5G, correlate user equipment (UE) to IP addresses using Intelligent Security.
The firewall monitors traffic for PFCP control messages on the N4 and Sxb interfaces and extracts the User Equipment IP address (UE_IP) and Mobile User Identification (User_ID), which it uses to map the UE_IP to the IMEI, the IMSI, or both. It adds the mapping to a database and uses the mapping to perform GTP-U content inspection. You can query the database for the UE_IP to view the correlated Mobile User information for the UE Internet Protocol traffic inside the GTP-U tunnels that comprise the CUPS architecture.
If you enable UEIP Correlation, the following options are not available in the same Mobile Network Protection Profile:
  • GTP-C
  • 5G-C
  • Packet Forwarding Control Protocol (PFCP)
To support correlation, the PFCP control message must contain the UE_IP and related User ID IE (Information Element).
  1. Enable GTP Security.
    1. Log in to the firewall web interface.
    2. Select
      Device
      Setup
      Management
      General Settings
      then select
      GTP Security
      .
    3. Click
      OK
      .
    4. Commit
      the change.
    5. Select
      Device
      Setup
      Operations
      and
      Reboot Device
      .
  2. Create a Mobile Network Protection Profile.
    1. Select
      Objects
      Security Profiles
      Mobile Network Protection
      and
      Add
      a new profile.
    2. Give the profile a unique
      Name
      .
    3. Select
      Correlation
      and enable
      UEIP Correlation
      .
    4. Select the
      Mode
      you want to use.
      • Loose
        —(Default) When the firewall detects traffic, it queries the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
      • Strict
        —Drops the traffic if the GTP-U query does not return any results.
    5. Based on your deployment, select whether you want to enable the
      User Plane with GTP-U encapsulation
      option.
      • Enable
        the option if the firewall is deployed on the
        N3/S1U interface
        .
      • Disable
        the option if the firewall is deployed on the
        SGi/N6 interface
        .
    6. Select
      PFCP
      as the
      Source
      .
      Select the
      Source
      that you want the firewall to use to correlate the management plane and user plane information for subscriber-level and equipment-level Security policy enforcement. The firewall inspects traffic for the source type you select to process and extract 5G/4G identity information, such as subscriber ID (SUPI and IMSI), equipment ID (PEI and IMEI), and the IP address of the user equipment (UE), to correlate with 5G/4G subscriber Internet Protocol traffic.
    7. (Optional) Select whether you want to log UEIP correlation events when the firewall allocates an IP address to the UE (
      Log At Ueip Start
      ), when the firewall releases the allocated IP address (
      Log At Ueip End
      ), or both.
      The firewall logs the following GTP events during correlation that you can view by going to
      Monitor
      Logs
      GTP
      :
      • UEIP mapping start
      • UEIP mapping end
      The logs contain the following user information:
      • Subscriber Identity (including IMSI and SUPI)
      • Equipment Identity (including IMEI and PEI)
      • End User IP address allocated to UE
      • Access Point Name (APN)
      • Radio Access Technology (RAT)
      • MSISDN
  3. Click
    OK
    to save your changes.
  4. Create a Security policy to identify and allow PFCP Traffic between SMF and UPF or PGW-C and PGW-U.
    There are two methods to define this policy based on deployment mode and the necessary level of security. Select the appropriate method based on your security needs.
    • (
      Recommended for N6 or SGi deployments
      ) Create a Security Policy to identify and allow PFCP application traffic. This policy allows all traffic between SMF and UPF Zone (or PGW-C and PGW-U), as well as UPF (or PGW-U) and Data Network Zones.
      1. Select
        Policies
        Security
        and
        Add
        a unique
        Name
        for the rule in the
        General
        tab.
      2. In the
        Source
        tab,
        Add
        the
        Source Zone
        as
        Any
        (or all zones for N4, N6, Sxb and SGi) and the
        Source Address
        as
        Any
        .
      3. In the
        Destination
        tab,
        Add
        the
        Destination Zone
        as
        Any
        (or all zones for N4, N6, Sxb and SGi) and the
        Destination Address
        as
        Any
        .
      4. In the
        Application
        tab,
        Add
        PFCP
        as the
        Application
        you want to allow.
      5. In the
        Service/URL Category
        tab, select the
        Service
        as
        Any
        .
      6. In the
        Actions
        tab, select the
        Action
        as
        Allow
        .
      7. Attach the
        Mobile Network Protection profile
        to the Security policy rule by selecting
        Profiles
        and selecting the profile as the
        Profile Type
        .
      8. Select
        Log at Session End
        if it is not already selected.
    • (
      Recommended for N3 or S1-U deployments; optional for N6 or SGi deployments
      ) Create a specific Security Policy to match and allow PFCP Application Traffic between SMF and UPF (or PGW-C and PGW-U).
      1. Select
        Policies
        Security
        and
        Add
        a unique
        Name
        for the rule in the
        General
        tab.
      2. In the
        Source
        tab,
        Add
        the
        Source Zone
        and
        Source Address
        of the interface that the SMF uses to communicate with the UPF (or PGW-C’s address to the PGW-U).
      3. In the
        Destination
        tab,
        Add
        the
        Destination Zone
        and
        Destination Address
        of the IP address for the UPF (or the PGW-U’s address for PGW-C).
      4. In the
        Application
        tab,
        Add
        PFCP
        as the
        Application
        you want to allow.
      5. In the
        Service/URL Category
        tab, select the
        Service
        as
        Any
        .
      6. In the
        Actions
        tab, select the
        Action
        as
        Allow
        .
      7. Attach the
        Mobile Network Protection profile
        to the Security policy rule by selecting
        Profiles
        and selecting the profile as the
        Profile Type
        .
      8. Select
        Log at Session End
        if it is not already selected.
  5. (
    Required for N6 or SGi deployments if you allow PFCP Application Traffic only between the SMF and UPF or the PGW-C and PGW-U
    ) Create a custom application and a Security policy that uses the custom application.
    Because the firewall applies this policy rule first, it processes the first packet of all user traffic and enables UEIP database querying, move this policy rule above any other policy rules in your Security policy for user traffic on the N6 interface. Any application-specific or IMSI/IMEI-based policy rules must occur after this policy rule.
    1. Select
      Objects
      Applications
      and
      Add
      a unique
      Name
      for the application (for example,
      pfcp-ueip
      ).
    2. Select
      Policies
      Security
      and
      Add
      a unique
      Name
      for the policy rule.
    3. In the
      Source
      tab,
      Add
      the zone that contains traffic to the UPF as the
      Source Zone
      and select
      Any
      as the
      Source Address
      . If you use an IP pool for the UE IP address, add the IP pool as the
      Source Address
      .
      Don't select anything in the
      Source Subscriber
      or
      Source Equipment
      tabs.
    4. In the
      Destination
      tab,
      Add
      the zone that contains traffic to the Packet Data Network as the
      Destination Zone
      and select
      Any
      as the
      Destination Address
      .
    5. In the
      Application
      tab,
      Add
      the
      Application
      you created in step 5.a.
    6. In the
      Service/URL Category
      tab, select
      Any
      as the
      Service
      .
    7. In the
      Actions
      tab, select
      Allow
      as the
      Action
      .
    8. Attach the
      Mobile Network Protection profile
      to the Security policy rule by selecting
      Profiles
      and selecting the profile you created in step 4 as the
      Profile Type
      .
    9. Select
      Log at Session End
      if it is not already selected.
  6. (
    Recommended for N3 or S1-U deployments
    ) Create Bi-directional Security Policies to match and allow GTP-U application on N3 interface.
    1. Select
      Policies
      Security
      and
      Add
      a unique
      Name
      for the rule in the
      General
      tab.
    2. In the
      Source
      tab,
      Add
      the
      Source Zone
      and the
      Source Address
      of the base station and the UPF or SGW-U.
    3. In the
      Destination
      tab,
      Add
      the
      Destination Zone
      and the
      Destination Address
      of the base station and the UPF or SGW-U.
    4. In the
      Application
      tab,
      Add
      gtp-u
      as the
      Application
      you want to allow.
    5. In the
      Service/URL Category
      tab, select the
      Service
      as
      Any
      .
    6. In the
      Actions
      tab, select the
      Action
      as
      Allow
      .
    7. Attach the
      Mobile Network Protection profile
      to the Security policy rule by selecting
      Profiles
      and selecting the profile as the
      Profile Type
      .
      When the firewall identifies GTP-U traffic between the base station and the UPF or SGW-U, the firewall decapsulates the inner traffic from the UE and searches for the UEIP mapping in the correlation database.
    8. Select
      Log at Session End
      if it is not already selected.
  7. (
    Recommended for N6 or N3 deployments
    ) Create other Security Policies based on data (such as IP address, application, URL category, or IMSI/IMEI) to identify and allow UE traffic.
    If your deployment requires IP Bases Deny Rules for UE traffic in N6 deployment mode, then move the deny rule above the rule created in step 4 to ensure the traffic logs contain the IMSI/IMEI correlation information.
    1. Select
      Policies
      Security
      and
      Add
      a unique
      Name
      for the rule in the
      General
      tab.
    2. In the
      Source
      tab,
      Add
      the
      Source Zone
      and the
      Source Address
      you want to allow. If you use an IP pool for the UE IP address, add the IP pool as the
      Source Address
      .
    3. Add
      the
      Source Subscriber
      and the
      Source Equipment
      you want to allow.
    4. In the
      Destination
      tab,
      Add
      the
      Destination Zone
      and the
      Destination Address
      . Select
      Any
      to allow internet access or specify the address of the servers in the corporate network or MEC site.
    5. In the
      Application
      tab,
      Add
      as the
      Application
      types you want to allow ( for example
      dns
      ,
      web-browsing
      , or
      SSL
      ).
    6. In the
      Service/URL Category
      tab, select the
      Service
      types you want to allow.
    7. In the
      Actions
      tab, select the
      Action
      you want the firewall to take (
      Allow
      or
      Deny
      the traffic).
    8. Select
      Log at Session End
      if it is not already selected.
  8. (
    Recommended for N6 or SGi deployments if your policy allows all traffic between the SMF and UPF or PGW-C and PGW-U
    ) Create a policy rule as the last rule in your policy to allow all traffic that did not match any other policy rule.
    This is strongly recommended for at least the initial stages of deployment.
    1. Select
      Policies
      Security
      and
      Add
      a unique
      Name
      for the rule in the
      General
      tab.
    2. In the
      Source
      tab,
      Add
      the
      Source Zone
      for communication between the UPF and N6 or the PGW-U and SGi. If you use an IP pool for the UE IP address, add the IP pool as the
      Source Address
      .
    3. Add
      the
      Source Subscriber
      and the
      Source Equipment
      you want to allow.
    4. In the
      Destination
      tab,
      Add
      the
      Destination Zone
      of the data network and the
      Destination Address
      as
      Any
      .
    5. In the
      Application
      tab,
      Add
      as the
      Application
      types as
      Any
      .
    6. In the
      Service/URL Category
      tab, select the
      Service
      type as
      Any
      .
    7. In the
      Actions
      tab, select
      Allow
      as the
      Action
      .
    8. Attach the
      Mobile Network Protection profile
      to the Security policy rule by selecting
      Profiles
      and selecting the profile as the
      Profile Type
      .
    9. Select
      Log at Session End
      if it is not already selected.
  9. Confirm that the profile is
    Enabled
    (
    Policies
    Security
    Security Policy Rule
    Actions
    Profile Setting
    Mobile Network Protection
    ) and
    Commit
    the changes.
  10. Verify your configuration.
    1. Verify the session traffic on the firewall logs using the following CLI commands.
      • show session all filter application pfcp
      • show session all filter application gtp-u
      • show session all filter source
        <IP address of UE>
    2. Verify the mappings on the firewall display
      radius
      as the source (
      src
      ) using the
      show ueip all
      CLI command.
    3. View the GTP logs (
      Monitor
      Logs
      GTP
      ) and verify that the
      GTP Event Type
      displays
      UEIP mapping start
      and
      UEIP mapping end
      .
    4. Verify the UE traffic logs (
      Monitor
      Logs
      Traffic
      ) display the IMSI or IMEI in the
      Subscriber Identity
      column.

Recommended For You