Configure GTP Stateful Inspection
Mobile Network Operators use the GPRS Tunneling Protocol (GTP) on various interfaces in Roaming, Radio Access Network, and within the packet core in 3G and 4G networks to carry general packet radio service (GPRS). GTP allows mobile subscribers to use their phones (user equipment) to maintain a connection to a Packet Data Network (PDN) for internet access while on the move. The protocol uses tunnels to allow two GPRS support nodes (GSNs) to communicate over a GTP-based interface and separate traffic into different communication flows. GTP creates, modifies, and deletes tunnels for transporting IP payloads between the user equipment, the GPRS support nodes (GSNs) in the GPRS backbone network and the internet.
GTP comprises three types of traffic: control plane (GTP-C), user plane (GTP-U), and charging (GTP', derived from GTP-C). Enabling GTP Security on the Palo Alto Networks firewall lets you statefully inspect, validate, filter, and perform security checks on GTPv1-C, GTPv2-C, and GTP-U messages.
GTP Security is supported on all VM-Series firewalls and on the PA-5200 Series firewalls. Use the following workflow to enable stateful inspection and protocol validation for GTPv1-C, GTPv2-C, and GTP-U traffic. In addition, you can configure the firewall to inspect GTP-U content, filter GTP outer sessions based on APN, IMSI-Prefix and RAT, and enable overbilling protection for mobile subscribers.
Firewalls securing GTP traffic can be deployed in an active/passive HA configuration; active/active HA is not supported.
- Enable GTP Security.
- Log in to the firewall web interface.
- Select Device > Setup > Management > General Settings and select GTP Security. Only after you enable GTP Security do the options for configuring and monitoring GTP traffic become available on the firewall.
- Create a GTP Protection profile to inspect GTP traffic.
- Select Objects > Security Profiles > GTP Protection and Add a new profile.
- Give the profile a descriptive Name.
- If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
- Set up the GTP Protection profile for the GTP version(s) you want to inspect, and configure the available options for filtering, overbilling protection, and logging of GTP messages to match your compliance and troubleshooting needs.
- Allow GTP traffic on your network.
- Select Policies > Security and click Add.
- Enter a descriptive Name for the rule in the General tab.
- In the Source tab, Add the Source Zone.
- In the Destination tab, Add the Destination Zone. As a best practice, restrict access to specific components in the EPC network; consider using address objects in the Destination Address field to allow access only to specific IP addresses.
- In the Application tab, Add the applications that correspond to the network services you want to safely enable. For example, select gtp-v1, gtp-v2, and gtp-u. Make sure to select the applications you enabled for inspection in the GTP Protection profile.
- In the Service/URL Category tab, keep the Service set to any.
- In the Actions tab, set the Action Setting to Allow.
- Attach the GTP Protection profile to the Security policy rule. Select Profiles as the Profile Type and select the GTP Protection profile you created earlier.
- Verify that Log at Session Start and Log at Session End are enabled. GTP session start and GTP session end events are logged only when you enable both options in the Security policy rule; the resulting logs are available under Monitor > GTP Logs. All other GTP events are logged according to the settings in the GTP Protection profile and are also available under Monitor > GTP Logs.
- Click OK.
- Commit your policies to the running configuration on the firewall.
- (Optional) Block GTPv0 traffic coming into your network.
Add a Security policy rule to deny the application gtp-v0. 3GPP recommends that a GTPv2 or GTPv1 entity that listens on the GTPv0 port should silently discard any GTPv0 messages it receives. The 3GPP Rel-8 GTPv1 specification removed support for GTPv1 to GTPv0 interworking; hence, a Palo Alto Networks firewall does not support stateful inspection of GTPv0 traffic.
- Monitor GTP Traffic to verify that you have set up GTP inspection effectively for your visibility and logging needs.
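The workflow above relies on the firewall telling GTPv0, GTPv1-C, GTPv2-C and GTP-U apart before it applies the allow and deny rules and the protocol validation in the GTP Protection profile. The following Python script is an added example, not Palo Alto Networks code, that shows the minimum such a classifier must do: it parses the version field of the GTP header according to 3GPP TS 09.60 (v0), TS 29.060 (v1) and TS 29.274 (v2), checks that the header's length field agrees with the datagram, and then applies the same decisions the Security policy encodes (deny gtp-v0, restrict destinations to named EPC nodes, allow gtp-v1, gtp-v2 and gtp-u only when the header validates). The EPC addresses and all datagrams are constructed for the example; the application names mirror the App-IDs used in the rule.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GTP_C_PORT = 2123   # GTPv1-C and GTPv2-C
GTP_U_PORT = 2152   # GTP-U
GTPV0_PORT = 3386   # GTPv0 control and user plane (legacy)

# Constructed for this example: SGW/PGW addresses the rule allows as destinations.
EPC_NODES = {"10.10.20.5", "10.10.20.6"}


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    declared_len: int       # length field as carried in the header
    teid: Optional[int]     # None for GTPv0 (carries a TID) and GTPv2 with T flag clear
    app: str                # gtp-v0 | gtp-v1 | gtp-v2 | gtp-u (App-ID names used in the rule)
    valid: bool             # header and length checks passed


def parse_gtp(payload: bytes, dst_port: int) -> GtpHeader:
    """Parse the GTP header of one UDP datagram and classify it by version."""
    if len(payload) < 8:
        raise ValueError("datagram too short for any GTP header")
    flags = payload[0]
    version = flags >> 5                 # top three bits of the first octet
    msg_type = payload[1]
    declared_len = struct.unpack_from("!H", payload, 2)[0]
    if version == 0:
        # GTPv0: fixed 20-octet header, length counts the payload after it.
        if len(payload) < 20:
            raise ValueError("truncated GTPv0 header")
        return GtpHeader(0, msg_type, declared_len, None, "gtp-v0",
                         declared_len == len(payload) - 20)
    if version == 1:
        # GTPv1: 8-octet mandatory header; length counts everything after it,
        # including the optional sequence/N-PDU/extension fields when E, S or PN is set.
        # PT must be 1 for GTP; PT=0 denotes GTP' (charging), which this rule does not inspect.
        pt = (flags >> 4) & 1
        teid = struct.unpack_from("!I", payload, 4)[0]
        valid = pt == 1 and declared_len == len(payload) - 8
        app = "gtp-u" if dst_port == GTP_U_PORT else "gtp-v1"
        return GtpHeader(1, msg_type, declared_len, teid, app, valid)
    if version == 2:
        # GTPv2-C: 4-octet base header; length counts everything after those 4 octets.
        # The TEID is present only when the T flag (bit 3) is set.
        t_flag = (flags >> 3) & 1
        teid = struct.unpack_from("!I", payload, 4)[0] if t_flag else None
        return GtpHeader(2, msg_type, declared_len, teid, "gtp-v2",
                         declared_len == len(payload) - 4)
    raise ValueError(f"unknown GTP version {version}")


def policy_decision(dst_ip: str, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Mirror the Security policy: deny gtp-v0, restrict destinations, allow valid GTP only."""
    try:
        hdr = parse_gtp(payload, dst_port)
    except ValueError as exc:
        return ("deny", f"malformed: {exc}")
    if hdr.app == "gtp-v0":
        return ("deny", "gtp-v0")                        # explicit deny rule, no inspection
    if dst_ip not in EPC_NODES:
        return ("deny", "destination not an allowed EPC node")
    if not hdr.valid:
        return ("deny", f"{hdr.app} failed header validation")
    return ("allow", hdr.app)


# Constructed datagrams (headers only, no information elements).
GTPV0_CREATE_PDP = bytes.fromhex("1e10 0000 0001 0000 ff ffffff 2143658709214 3f5".replace(" ", ""))
GTPV1_CREATE_PDP = bytes.fromhex("3210 0004 00000000 0001 00 00".replace(" ", ""))   # S flag set
GTPU_GPDU = bytes.fromhex("30ff 0006 12345678".replace(" ", "")) + b"\x45\x00\x00\x14\x00\x00"
GTPV2_ECHO_REQ = bytes.fromhex("4001 0004 000001 00".replace(" ", ""))               # T flag clear
GTPV2_CREATE_SESSION = bytes.fromhex("4820 0008 00000000 000002 00".replace(" ", ""))
GTPV1_BAD_LENGTH = bytes.fromhex("3210 00ff 00000000 0001 00 00".replace(" ", ""))    # claims 255 octets


def demo():
    cases = [
        ("10.10.20.5", GTPV0_PORT, GTPV0_CREATE_PDP),
        ("10.10.20.5", GTP_C_PORT, GTPV1_CREATE_PDP),
        ("10.10.20.6", GTP_U_PORT, GTPU_GPDU),
        ("10.10.20.5", GTP_C_PORT, GTPV2_ECHO_REQ),
        ("10.10.20.5", GTP_C_PORT, GTPV2_CREATE_SESSION),
        ("10.10.20.5", GTP_C_PORT, GTPV1_BAD_LENGTH),
        ("203.0.113.9", GTP_U_PORT, GTPU_GPDU),
        ("10.10.20.5", GTP_C_PORT, b"\x32\x10"),
    ]
    return [policy_decision(ip, port, pdu) for ip, port, pdu in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the length check is the kind of protocol validation the GTP Protection profile performs before any stateful tracking happens; a firewall that trusted the header's length field would let a truncated or padded message through to the SGW or PGW.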