GTP Basics
GTP comprises control plane (GTP-C), user plane (GTP-U), and charging
(GTP', derived from GTP-C) traffic transferred over UDP/IP. GTP Security on
supported Palo Alto Networks firewalls supports the 3GPP Technical Standards
for GTPv1-C, GTPv2-C, and GTP-U.
View the PAN-OS releases by firewall model that support GTP Security.
Enabling GTP Security on Palo Alto Networks firewalls allows you to protect
the mobile core network infrastructure from malformed GTP packets,
denial-of-service attacks, and out-of-state GTP messages, and to protect
mobile subscribers from spoofed IP packets and overbilling attacks.
GTPv1-C is defined in 3GPP TS 29.060. It is used on the Gn interface,
that is, the interface between GPRS support nodes (GSNs) within a public
land mobile network (PLMN), and also across the Gp interface between GSNs
in different PLMNs. It is also used for roaming and inter-access mobility
between Gn/Gp SGSNs and mobility management entities (MMEs). GTPv1-C
carries various types of control plane signaling messages. The registered
port number for GTPv1-C is 2123.
GTPv2-C is defined in 3GPP TS 29.274. It is used on various EPC (Evolved
Packet Core) signaling interfaces such as S5, S8, S11, and S3. GTPv2-C
carries various types of control plane signaling messages. The registered
port number for GTPv2-C is 2123.
GTP-U is defined in 3GPP TS 29.281. It encapsulates and routes user plane
traffic across multiple signaling interfaces such as S1, S5, S8, and S3.
GTP-U messages are either user plane or signaling messages. The registered
port number for GTP-U is 2152.
NAT is not supported for GTP tunnel IP addresses with GTP stateful
inspection.
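
Because GTPv1-C and GTPv2-C share port 2123, a monitor has to read the version bits in the first header octet to tell them apart, and a Length field that disagrees with the UDP payload is the simplest sign of a malformed packet. The sketch below is an added example, not Palo Alto Networks code; the function name, sample payloads, and error messages are assumptions, and the header layout follows the 3GPP specifications named above.

```python
import struct

GTPC_PORT = 2123  # GTPv1-C and GTPv2-C registered port (from the page)
GTPU_PORT = 2152  # GTP-U registered port (from the page)

# Constructed sample UDP payloads (not captured traffic).
SAMPLE_V1C = bytes.fromhex("32010004" "00000000" "00010000")     # Echo Request
SAMPLE_V2C = bytes.fromhex("40010009" "00000100" "0300010005")   # Echo Request
SAMPLE_GPDU = bytes.fromhex("30ff0004" "00000001" "45000014")    # G-PDU
SAMPLE_BAD = bytes.fromhex("32010010" "00000000" "00010000")     # Length lies


def classify_gtp(port: int, payload: bytes) -> str:
    """Label a UDP payload seen on a registered GTP port.

    Returns 'GTPv1-C', 'GTPv2-C' or 'GTP-U'; raises ValueError if the
    header is inconsistent. `port` is the registered-port side of the flow.
    """
    if port not in (GTPC_PORT, GTPU_PORT):
        raise ValueError("not a registered GTP-C/GTP-U port")
    if len(payload) < 8:
        raise ValueError("truncated GTP header")
    flags, _msg_type, length = struct.unpack_from("!BBH", payload)
    version = flags >> 5  # top three bits of the first octet

    if version == 1:
        # GTPv1: 8 mandatory octets; Length counts everything after them.
        if not flags & 0x10:
            raise ValueError("PT=0 is GTP', not GTP-C or GTP-U")
        if flags & 0x07 and length < 4:
            raise ValueError("E/S/PN set but no room for the optional field")
        if length != len(payload) - 8:
            raise ValueError("GTPv1 Length does not match the UDP payload")
        return "GTP-U" if port == GTPU_PORT else "GTPv1-C"

    if version == 2:
        # GTPv2-C: Length counts everything after the first 4 octets.
        if port != GTPC_PORT:
            raise ValueError("GTPv2 header on the GTP-U port")
        rest = len(payload) - 4
        min_len = 8 if flags & 0x08 else 4  # T flag adds a 4-octet TEID
        # With P (piggyback) set, a second message follows the first.
        if length < min_len or length > rest or (length != rest and not flags & 0x10):
            raise ValueError("GTPv2 Length does not match the UDP payload")
        return "GTPv2-C"

    raise ValueError(f"unsupported GTP version {version}")
```

This checks header framing only; it does not validate information elements or track tunnel state.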