Enabling GTP security on Palo Alto Networks firewalls allows
you to protect the mobile core network infrastructure from malformed
GTP packets, denial of service attacks, and out-of-state GTP messages,
and also allows you to protect mobile subscribers from spoofed IP
packets and overbilling attacks.
The firewall does not currently support GTP Security on S3
and S4 interfaces.
GTPv1-C is defined in 3GPP TS 29.060. It is used on a Gn interface,
that is, the interface between GPRS support nodes (GSNs) within
a public land mobile network (PLMN), and also across a Gp interface
between GSNs in different PLMNs. It is also used for roaming and
inter access mobility between Gn/Gp SGSNs and mobility management
entities (MMEs). GTPv1-C carries various types of control plane
signaling messages. The registered port number for GTPv1-C is 2123.
GTPv2-C is defined in 3GPP TS 29.274. It is used on various EPC
(Evolved Packet Core) signaling interfaces, such as S5, S8, and
S11. GTPv2-C carries various types of control plane signaling messages.
The registered port number for GTPv2-C is 2123.
GTP-U is defined in 3GPP TS 29.281. It encapsulates and routes
user plane traffic across multiple signaling interfaces such as
S1, S5, and S8. GTP-U messages are either user plane or signaling
messages. The registered port number for GTP-U is 2152.
NAT is not supported for GTP tunnel IP addresses with GTP stateful