View GTP Logs

View GTP logs to gain visibility into the traffic that mobile subscribers generate.
GTP logs are event-based logs that include information on a wide range of GTP attributes, including GTP event type, GTP message type, GTP event code, GTP interface, Tunnel ID, IMSI, the end-user IP address, in addition to TCP/IP information that the next-generation firewall identifies, such as application, source and destination address, and timestamp. GTP logs, along with traffic, threat, URL filtering, and WildFire Submissions logs (if you have enabled GTP-U content inspection), give you visibility into the data (IP packet encapsulated in GTP-U packet) traffic generated by individual mobile subscribers.
The IP address assigned to a mobile subscriber is dynamic and can change whenever the user equipment is powered on or off, or when the user equipment attaches to a different packet gateway on the same PLMN or a different PLMN (when the subscriber is roaming). To identify the mobile subscriber who generated the traffic, you need a way to associate the IP address with a unique attribute for each subscriber. With stateful GTP-C inspection and GTP-U content inspection, you can correlate the unique identity (IMSI and IMEI) for each subscriber with the dynamically assigned subscriber's IP address, and this association makes it possible to identify the (GTP-U) traffic generated by each mobile subscriber.
  1. View GTP logs. Select
    Monitor
    Logs
    GTP
    . The screenshot in this example filters out logs that are of informational severity. Click the spyglass icon beside an entry to view additional details about the session.
    gtp_logs.png
  2. Filter for mobile subscriber traffic using IMSI or IMEI in traffic, threat, URL Filtering, Data Filtering, WildFire Submisssions, or Unified logs. The screenshot displays critical severity events Threat logs for all IMSI values.
    threat_imsi.png

Related Documentation