1. Home
    2. Service Providers
    3. Mobile Network Infrastructure Getting Started
    4. Secure GPRS Tunneling Protocol (GTP) in Mobile Networks
    5. Configure GTP Stateful Inspection
    End-of-Life (EoL)

    Configure GTP Stateful Inspection

    Mobile Network Operators use the GPRS Tunneling Protocol (GTP) on various interfaces in Roaming, Radio Access Network, and within the packet core in 3G and 4G networks to carry general packet radio service (GPRS). GTP allows mobile subscribers to use their phones (user equipment) to maintain a connection to a Packet Data Network (PDN) for internet access while on the move. The protocol uses tunnels to allow two GPRS support nodes (GSNs) to communicate over a GTP-based interface and separate traffic into different communication flows. GTP creates, modifies, and deletes tunnels for transporting IP payloads between the user equipment, the GPRS support nodes (GSNs) in the GPRS backbone network and the internet.
    GTP comprises of three types of traffic—control plane (GTP-C), user plane (GTP-U) and charging (GTP’ derived from GTP-C) traffic. Enabling GTP Security on the Palo Alto Networks firewall allows you to statefully inspect, validate, filter, and perform security checks on GTPv2-C, GTPv1-C and GTP-U protocol messages.
    Use the following workflow to enable stateful inspection and protocol validation for GTPv1-C, GTPv2-C, and GTP-U traffic. In addition, you can configure the firewall to inspect GTP-U content, filter GTP outer sessions based on APN, IMSI-Prefix and RAT, and enable overbilling protection for mobile subscribers.
    Firewalls securing GTP traffic can be deployed in an active/passive HA; active/active HA is not supported.
    1. Enable GTP Security.
      1. Log in to the firewall web interface.
      2. Select
        Device
        Setup
        Management
        General Settings
         and select
        GTP Security
        .
      3. Click
        OK
        .
      4. Commit
         the change.
      5. Select
        Device
        Setup
        Operations
         and
        Reboot Device
        .
        Enabling or disabling GTP Security requires a commit and a reboot; the best practice is to commit and reboot at this point. After you enable GTP Security, the options for configuring and monitoring GTP traffic become available on the firewall. If you disable GTP Security, you must also commit your change and reboot the firewall. After you disable GTP Security, the firewall does not perform GTP stateful inspection, but still checks GTP packets against Security policy rules and still applies App-ID.
    2. Create a GTP Protection profile to inspect GTP traffic.
      1. Select
        Objects
        Security Profiles
        GTP Protection
         and
        Add
         a new profile.
      2. Give the profile group a descriptive
        Name
        .
      3. If the firewall is in Multiple Virtual System Mode, enable the profile to be
        Shared
         by all virtual systems.
      4. Set up GTP Protection Profile for the GTP version(s) you want to inspect and configure the available options for filtering, overbilling protection, and the logging GTP messages for your compliance and troubleshooting needs.
    3. Allow GTP traffic on your network.
      1. Select
        Policies
        Security
         and click
        Add
        .
      2. Enter a descriptive
        Name
         for the rule in the
        General
         tab.
      3. In the
        Source
         tab,
        Add
         the
        Source Zone
        .
      4. In the
        Destination
         tab,
        Add
         the
        Destination Zone
        .
        As a best practice, restrict access to specific components in the EPC network; consider using address objects in the
        Destination Address
         field to enable access to specific IP addresses.
      5. In the
        Application
         tab,
        Add
         the applications that correspond to the network services you want to safely enable. For example, select
        gtp-v1
        ,
        gtp-v2
        , and
        gtp-u
        . Make sure to select the applications you enabled for inspection in the GTP Protection profile.
      6. In the
        Service/URL Category
         tab, change the
        Service
         from
        application-default
         to
        any
        .
      7. In the
        Actions
         tab, set the
        Action Setting
         to
        Allow
        .
      8. Attach the GTP Protection profile to the Security policy rule. Select
        Profiles
         as the
        Profile Type
         and select the
        GTP inspection
         profile you set up earlier.
      9. Verify that
        Log at Session End
         is enabled. GTP session start and GTP session end events are logged only when you enable log at session start and end in a Security policy rule. The session start and session end logs are available under
        Monitor
        GTP Logs
        . All other GTP events are logged based on the settings you enabled in the GTP Protection profile and are also available under
        Monitor
        GTP Logs
        .
        By default, the log storage quota for GTP is 2% of the total log storage capacity for the firewall model. Because GTP logs are high volume, increase the log quota or set up log forwarding to an external server.
      10. Click
        OK
        .
    4. (
      Optional
      ) Block GTPv0 traffic coming into your network. Add a Security policy rule to deny application
      gtp-v0
      . 3GPP recommends that a GTPv2 or GTPv1 entity that listens to the GTPv0 port should silently discard any GTPv0 messages it receives. The 3GPP Rel-8 GTPv1 specification removed support for GTPv1 to GTPv0 interworking; hence, a Palo Alto Networks firewall does not support stateful inspection of GTPv0 traffic.
    5. Commit
       your policies to the running configuration on the firewall.
    6. Monitor GTP Traffic to verify that you have set up GTP inspection effectively for your visibility and logging needs.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo