GTP Deployments

All VM-Series firewall models and the PA-5200 Series firewalls support GTP Security. When deploying the Palo Alto Networks firewall to inspect GTP traffic you must determine the connection points or 3GPP interfaces on the mobile network that you want the firewall to secure.
GTPv1-C is used on Gn and Gp interfaces of the UMTS and GPRS. GTPv2-C is used across various Evolved Packet Core (EPC) signaling interfaces such as S5, S8, S11, S3. GTP-U is used across various EPC signaling interfaces such as S1-U, S5, S8, S4, and on Gn and Gp interfaces of the UMTS and GPRS.
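Because GTPv1-C, GTPv2-C and GTP-U share one header family but differ in version bits, flags and UDP port, a quick way to see which of the three variants (and therefore which of the interfaces above) a captured packet belongs to is to decode the first few header octets. The following Python classifier is an added example and is not Palo Alto Networks code; it follows the header layouts in 3GPP TS 29.060 (GTPv1), TS 29.274 (GTPv2-C) and TS 29.281 (GTP-U), and the three sample packets are constructed inline for illustration. It also rejects the combinations that should never appear on a healthy interface, such as a version-2 header on the GTP-U port.

```python
"""Minimal GTP header classifier (added example, not Palo Alto Networks code)."""
import struct
from dataclasses import dataclass
from typing import Optional

GTP_C_PORT = 2123   # GTP-C: both GTPv1-C and GTPv2-C use this UDP port
GTP_U_PORT = 2152   # GTP-U: user plane tunnels

# A few message types per variant (from the 3GPP specs above); not exhaustive.
GTPV1_C_TYPES = {1: "Echo Request", 2: "Echo Response",
                 16: "Create PDP Context Request", 17: "Create PDP Context Response"}
GTPV2_C_TYPES = {1: "Echo Request", 2: "Echo Response",
                 32: "Create Session Request", 33: "Create Session Response"}
GTP_U_TYPES = {1: "Echo Request", 2: "Echo Response", 255: "G-PDU"}


@dataclass
class GtpHeader:
    protocol: str            # "GTPv1-C", "GTPv2-C" or "GTP-U"
    version: int
    message_type: int
    message_name: str
    length: int              # length field as carried in the header
    teid: Optional[int]
    sequence: Optional[int]


def parse_gtp(udp_dst_port: int, payload: bytes) -> GtpHeader:
    """Decode the GTP header at the start of a UDP payload and name its variant."""
    if len(payload) < 4:
        raise ValueError("payload too short for a GTP header")
    flags = payload[0]
    version = flags >> 5                  # bits 8-6 of octet 1
    msg_type = payload[1]
    length = struct.unpack("!H", payload[2:4])[0]

    if version == 1:
        # GTPv1 header: flags, type, length, TEID, then optional seq/N-PDU/ext octets
        if len(payload) < 8:
            raise ValueError("GTPv1 header needs at least 8 octets")
        if not flags & 0x10:              # PT bit: 0 is GTP' (charging), not GTP
            raise ValueError("PT=0 means GTP', not GTP")
        teid = struct.unpack("!I", payload[4:8])[0]
        seq = None
        if flags & 0x07:                  # E, S or PN set: 4 optional octets follow
            if len(payload) < 12:
                raise ValueError("truncated GTPv1 optional fields")
            if flags & 0x02:              # S bit: sequence number is meaningful
                seq = struct.unpack("!H", payload[8:10])[0]
        if udp_dst_port == GTP_U_PORT:
            proto, names = "GTP-U", GTP_U_TYPES
        elif udp_dst_port == GTP_C_PORT:
            proto, names = "GTPv1-C", GTPV1_C_TYPES
        else:
            raise ValueError(f"unexpected UDP port {udp_dst_port} for GTP")
    elif version == 2:
        # GTPv2 is control plane only, so it must arrive on the GTP-C port
        if udp_dst_port != GTP_C_PORT:
            raise ValueError("GTPv2 header seen on a non-GTP-C port")
        teid = None
        offset = 4
        if flags & 0x08:                  # T bit: a TEID precedes the sequence number
            if len(payload) < 8:
                raise ValueError("truncated GTPv2 TEID")
            teid = struct.unpack("!I", payload[4:8])[0]
            offset = 8
        if len(payload) < offset + 4:
            raise ValueError("truncated GTPv2 sequence number")
        seq = int.from_bytes(payload[offset:offset + 3], "big")  # 3-octet sequence
        proto, names = "GTPv2-C", GTPV2_C_TYPES
    else:
        raise ValueError(f"unsupported GTP version {version}")

    return GtpHeader(proto, version, msg_type, names.get(msg_type, "Unknown"),
                     length, teid, seq)


# Constructed sample packets (not captured traffic).
SAMPLES = {
    # GTPv1-C Create PDP Context Request: flags 0x32 (v1, PT=1, S=1), seq 1
    "gn_v1c": (GTP_C_PORT, b"\x32\x10\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00"),
    # GTPv2-C Create Session Request: flags 0x48 (v2, T=1), TEID 0, seq 1
    "s11_v2c": (GTP_C_PORT, b"\x48\x20\x00\x08\x00\x00\x00\x00\x00\x00\x01\x00"),
    # GTP-U G-PDU: flags 0x30 (v1, PT=1), TEID 0x12345678, two payload octets
    "s1u_gtpu": (GTP_U_PORT, b"\x30\xff\x00\x02\x12\x34\x56\x78\x45\x00"),
}


def classify_samples() -> dict:
    """Return {sample name: protocol variant} for the constructed packets."""
    return {name: parse_gtp(port, data).protocol for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(name, parse_gtp(port, data))
```

Run stand-alone it prints the decoded header of each sample; in practice the same function can be pointed at the UDP payload of any capture taken on the interfaces listed above to confirm that what crosses, say, S1-U is GTP-U and what crosses S11 is GTPv2-C, and to flag packets that do not fit either.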
To inspect GTP traffic, you can deploy the firewall for Roaming, Radio Access Network (RAN), or for Non-3GPP access security. As a best practice, deploy the firewalls in an active/passive HA; active/active HA is not supported.
The topologies below reference the following mobile network nodes in the EPC—Mobility Management Entity (MME) that manages mobile device connection to LTE and other mobile networks; Serving Gateway (SGW) that routes the data packets, and the Packet Data Network Gateway (PGW) that connects the mobile user to external packet networks.
[Figure: RAN security deployment topology (ran_security.png)]
When deployed for RAN security, the firewall inspects the traffic that traverses between the Backhaul (BH) and the EPC. The firewall is deployed mostly on the S1-U and S11 interfaces to inspect both GTPv2-C and GTP-U traffic.
[Figure: Roaming security deployment topology (roaming_security.png)]
When deployed for Roaming security, the firewall inspects traffic that traverses across roaming partner networks. The firewall is deployed between the core network in the home PLMN and the border gateway that connects to the GRX (GPRS Roaming Exchange) / IPX (Internet Packet Exchange).
[Figure: Non-3GPP access security deployment topology (non_3gpp_security.png)]
When deployed for Non-3GPP Access security, the firewall inspects the traffic that traverses between the non-3GPP access network and the EPC. The firewall is deployed mostly on S2b or S2a interfaces to inspect both GTPv2-C and GTP-U traffic.