GTP Deployments

GTP deployments on a Palo Alto Networks firewall include RAN security, roaming security, and Non-3GPP Access security.
All VM-Series firewall models and the PA-5200 Series firewalls support GTP Security. When deploying the Palo Alto Networks firewall to inspect GTP traffic, you must determine the connection points or 3GPP interfaces on the mobile network that you want the firewall to secure. GTPv1-C is used on Gn and Gp interfaces of the Universal Mobile Telecommunication System (UMTS) and GPRS. GTPv2-C is used across various Evolved Packet Core (EPC) signaling interfaces, such as S5, S8, and S11. GTP-U is used across various EPC signaling interfaces, such as S1-U, S5, and S8, and on Gn and Gp interfaces of the UMTS and GPRS.
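To confirm which GTP variants actually cross a candidate connection point before you place the firewall there, the following added example (not Palo Alto Networks code) classifies a UDP payload as GTPv1-C, GTPv2-C, or GTP-U and maps it to the interfaces listed above. The UDP ports (2123, 2152) and header layouts come from the 3GPP specifications rather than this page, the function name `classify_gtp` is hypothetical, and the sample payloads are constructed.

```python
import struct

GTP_C_PORT = 2123  # GTPv1-C and GTPv2-C control plane (assumption: from 3GPP specs)
GTP_U_PORT = 2152  # GTP-U user plane (assumption: from 3GPP specs)

# Candidate 3GPP interfaces per variant, exactly as listed in the text above.
INTERFACES = {
    "GTPv1-C": ["Gn", "Gp"],
    "GTPv2-C": ["S5", "S8", "S11"],
    "GTP-U": ["S1-U", "S5", "S8", "Gn", "Gp"],
}

def classify_gtp(port, payload):
    """Classify one UDP payload seen on `port`; return None if not plausible GTP."""
    if port not in (GTP_C_PORT, GTP_U_PORT) or len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5
    teid = None
    if version == 1 and flags & 0x10:      # PT=1 means GTP rather than GTP'
        variant = "GTP-U" if port == GTP_U_PORT else "GTPv1-C"
        teid = struct.unpack("!I", payload[4:8])[0]
        expected_len = 8 + length          # length excludes the 8-byte header
    elif version == 2 and port == GTP_C_PORT:
        variant = "GTPv2-C"
        if flags & 0x08:                   # T flag: TEID field present
            if len(payload) < 12:
                return None
            teid = struct.unpack("!I", payload[4:8])[0]
        expected_len = 4 + length          # length excludes the first 4 bytes
    else:
        return None
    return {"variant": variant, "msg_type": msg_type, "teid": teid,
            "interfaces": INTERFACES[variant],
            "well_formed": len(payload) == expected_len}

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (2123, bytes.fromhex("482000080000000000000100")),  # GTPv2-C Create Session Request
    (2123, bytes.fromhex("321000040000000000010000")),  # GTPv1-C Create PDP Context Request
    (2152, bytes.fromhex("30ff00040000000145000014")),  # GTP-U G-PDU
    (2152, bytes.fromhex("30ff00400000000145000014")),  # GTP-U, length field overstates payload
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify_gtp(port, data))
```

A `well_formed` value of `False` marks a payload whose header length field disagrees with the bytes actually present.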
To inspect GTP traffic, you can deploy the firewall for roaming, Radio Access Network (RAN), or Non-3GPP Access security. As a best practice, deploy the firewalls in an active/passive HA configuration; active/active HA is not supported. The topologies below reference the following mobile network nodes in the EPC: the Mobility Management Entity (MME), which manages the mobile device connection to Long-Term Evolution (LTE) and other mobile networks; the Serving Gateway (SGW), which routes the data packets; and the Packet Data Network Gateway (PGW), which connects the mobile user to external packet networks.
When you deploy a firewall for RAN security, the firewall inspects the traffic that flows between the backhaul (BH) and the EPC. The firewall is deployed mostly on S1-U and S11 interfaces to inspect both GTPv2-C and GTP-U traffic. When you configure GTP security for RAN, as a best practice you should also configure SCTP security for RAN as described in SCTP Use Cases.
When you deploy a firewall for roaming security, the firewall inspects traffic that flows between roaming partner networks. The firewall is deployed between the core network in the home PLMN and the border gateway that connects to the GRX (GPRS Roaming Exchange) / IPX (Internet Packet Exchange). When you configure GTP security for roaming, as a best practice you should also configure SCTP security for roaming as described in SCTP Use Cases.
When you deploy a firewall for Non-3GPP Access security, the firewall inspects the traffic that flows between the Non-3GPP Access network and the EPC. The firewall is deployed mostly on S2b or S2a interfaces to inspect both GTPv2-C and GTP-U traffic.
