All VM-Series firewall models and the
PA-5200 Series firewalls support GTP Security. When deploying the
Palo Alto Networks firewall to inspect GTP traffic you must determine the
connection points or 3GPP interfaces on the mobile network that
you want the firewall to secure.
GTPv1-C is used on the Gn and Gp interfaces of UMTS and GPRS networks.
GTPv2-C is used across various Evolved Packet Core (EPC) signaling
interfaces such as S5, S8, S11, and S3. GTP-U is used across various
EPC signaling interfaces such as S1-U, S5, S8, and S4, and on the Gn
and Gp interfaces of UMTS and GPRS networks.
To inspect GTP traffic, you can deploy the firewall for Roaming
security, Radio Access Network (RAN) security, or Non-3GPP access
security. As a best practice, deploy the firewalls in an active/passive
HA configuration; active/active HA is not supported.
The topologies below reference the following mobile network nodes in
the EPC: the Mobility Management Entity (MME), which manages mobile
device connections to LTE and other mobile networks; the Serving
Gateway (SGW), which routes the data packets; and the Packet Data
Network Gateway (PGW), which connects the mobile user to external
When deployed for RAN security, the firewall inspects the traffic
that traverses between the Backhaul (BH) and the EPC. The firewall
is typically deployed on the S1-U and S11 interfaces to inspect both
GTPv2-C and GTP-U traffic.
When deployed for Roaming security, the firewall inspects traffic
that traverses across roaming partner networks. The firewall is
deployed between the core network in the home PLMN and the border
gateway that connects to the GRX (GPRS Roaming Exchange) / IPX (Internet
When deployed for Non-3GPP Access security, the firewall inspects
the traffic that traverses between the non-3GPP access network and
the EPC. The firewall is typically deployed on the S2b or S2a interfaces
to inspect both GTPv2-C and GTP-U traffic.
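The three deployment scenarios above all rest on the same distinction: which GTP variant (GTPv1-C, GTPv2-C or GTP-U) is expected on which 3GPP interface. The following added example, written for this page and not part of Palo Alto Networks documentation or product code, parses the fixed GTP header of a UDP datagram, identifies the variant from the header version bits and the destination port, and checks it against the interface-to-variant mapping the text gives. The well-known ports 2123 (GTP-C) and 2152 (GTP-U) are from the 3GPP specifications, not from this page, and the sample datagrams are constructed, not captured.

```python
import struct
# Well-known GTP UDP ports (3GPP TS 29.060/29.274/29.281); not stated on this page.
GTP_C_PORT, GTP_U_PORT = 2123, 2152   # GTPv1-C and GTPv2-C share 2123; GTP-U uses 2152

# GTP variant per 3GPP interface, as listed in the text above.
INTERFACE_PROTOCOLS = {
    "Gn": {"GTPv1-C", "GTP-U"}, "Gp": {"GTPv1-C", "GTP-U"},
    "S5": {"GTPv2-C", "GTP-U"}, "S8": {"GTPv2-C", "GTP-U"},
    "S11": {"GTPv2-C"}, "S3": {"GTPv2-C"},
    "S1-U": {"GTP-U"}, "S4": {"GTP-U"},
    "S2a": {"GTPv2-C", "GTP-U"}, "S2b": {"GTPv2-C", "GTP-U"},
}

def classify_gtp(dst_port, payload):
    """Parse the fixed GTP header; return (variant, message_type, teid)."""
    if len(payload) < 8:
        raise ValueError("GTP header truncated")
    flags, msg_type = payload[0], payload[1]
    version, length = flags >> 5, struct.unpack("!H", payload[2:4])[0]
    if version == 1:
        if not flags & 0x10:              # PT=0 is GTP' (charging), not GTP-C/GTP-U
            raise ValueError("GTP' header, not GTP")
        if length != len(payload) - 8:    # v1 length excludes the 8-byte mandatory header
            raise ValueError("GTPv1 length mismatch")
        teid = struct.unpack("!I", payload[4:8])[0]
        if dst_port == GTP_U_PORT:
            return "GTP-U", msg_type, teid
        if dst_port == GTP_C_PORT:
            return "GTPv1-C", msg_type, teid
    elif version == 2:
        if length != len(payload) - 4:    # v2 length excludes only the first 4 octets
            raise ValueError("GTPv2 length mismatch")
        teid = struct.unpack("!I", payload[4:8])[0] if flags & 0x08 else None  # T flag
        if dst_port == GTP_C_PORT:
            return "GTPv2-C", msg_type, teid
    raise ValueError(f"GTP version {version} not valid on UDP port {dst_port}")

def check_on_interface(interface, dst_port, payload):
    """Classify a datagram and flag whether that variant belongs on the interface."""
    variant, msg_type, teid = classify_gtp(dst_port, payload)
    return variant, msg_type, teid, variant in INTERFACE_PROTOCOLS.get(interface, set())

# Constructed sample datagrams (not captures), fixed header only:
# GTPv2-C Create Session Request: flags 0x48 (v2, T=1), type 32, TEID 0, seq 1.
GTPV2_CREATE_SESSION = bytes([0x48, 32, 0, 8, 0, 0, 0, 0, 0, 0, 1, 0])
# GTP-U G-PDU: flags 0x30 (v1, PT=1), type 255, TEID 1, then 4 bytes of user data.
GTPU_GPDU = bytes([0x30, 255, 0, 4, 0, 0, 0, 1, 0xDE, 0xAD, 0xBE, 0xEF])
# GTPv1-C Echo Request: flags 0x32 (v1, PT=1, S=1), type 1, TEID 0, seq 7.
GTPV1_ECHO = bytes([0x32, 1, 0, 4, 0, 0, 0, 0, 0, 7, 0, 0])
```

`check_on_interface("S11", GTP_U_PORT, GTPU_GPDU)` returns `('GTP-U', 255, 1, False)`, i.e. user-plane traffic on a control-plane-only interface, which is the kind of mismatch the firewall's per-interface inspection is meant to surface; a GTPv2 header arriving on port 2152 is rejected outright.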