GTP logs are event-based logs that include
information on the a wide range of GTP attributes including GTP
event type, GTP message type, GTP event code, GTP interface, Tunnel
ID, IMSI, the end-user IP address, in addition to the TCP/IP information
that the next-generation firewall identifies such as application,
source and destination address, timestamp.
GTP logs along with traffic,
threat, URL filtering, and WildFire Submissions logs (if you have
enabled GTP-U content inspection) give you visibility into the data
(IP packet encapsulated in GTP-U packet) traffic generated by individual
mobile subscribers. The IP address assigned to a mobile subscriber
is dynamic and can change whenever the user equipment is powered
on or off, or when the user equipment attaches to a different packet
gateway on the same PLMN or different PLMN (when the subscriber
is roaming). To identify the mobile subscriber who generated the
traffic, you need a way to associate the IP address with a unique
attribute for each subscriber. With stateful GTP-C inspection and
GTP-U content inspection, you can correlate the unique identity
(IMSI and IMEI) for each subscriber along with the dynamically assigned
subscriber's IP address, and this association make it possible to
identify the (GTP-U) traffic generated by each mobile subscriber.
View GTP logs. Select
The screenshot in this example filters out logs that are of informational
severity. Click the spyglass icon beside an entry to view additional
details about the session.
Filter for mobile subscriber traffic using IMSI or IMEI
in traffic, threat, URL Filtering, Data Filtering, WildFire Submisssions,
or Unified logs. The screenshot displays critical severity events
Threat logs for all IMSI values.