GTP logs are event-based logs that include information on the a wide range of GTP attributes including GTP event type, GTP message type, GTP event code, GTP interface, Tunnel ID, IMSI, the end-user IP address, in addition to the TCP/IP information that the next-generation firewall identifies such as application, source and destination address, timestamp.

GTP logs along with traffic, threat, URL filtering, and WildFire Submissions logs (if you have enabled GTP-U content inspection) give you visibility into the data (IP packet encapsulated in GTP-U packet) traffic generated by individual mobile subscribers. The IP address assigned to a mobile subscriber is dynamic and can change whenever the user equipment is powered on or off, or when the user equipment attaches to a different packet gateway on the same PLMN or different PLMN (when the subscriber is roaming). To identify the mobile subscriber who generated the traffic, you need a way to associate the IP address with a unique attribute for each subscriber. With stateful GTP-C inspection and GTP-U content inspection, you can correlate the unique identity (IMSI and IMEI) for each subscriber along with the dynamically assigned subscriber's IP address, and this association make it possible to identify the (GTP-U) traffic generated by each mobile subscriber.