Configure GTP Stateful Inspection

Enable GTP security, configure a GTP Protection profile, and attach the profile to a Security policy rule to secure GTP traffic.
GTP comprises three types of traffic—control plane (GTP-C), user plane (GTP-U), and charging (GTP’ derived from GTP-C) traffic. Enabling GTP security on the Palo Alto Networks firewall allows you to statefully inspect, validate, filter, and perform security checks on GTPv2-C, GTPv1-C and GTP-U protocol messages.
Use the following workflow to enable stateful inspection and protocol validation for GTPv1-C, GTPv2-C, and GTP-U traffic. In addition, you can configure the firewall to inspect GTP-U content, filter GTP outer sessions based on APN, IMSI-Prefix and RAT, and enable overbilling protection for mobile subscribers. After you enable GTP, the options for configuring GTP security and monitoring GTP traffic become available on the firewall. Firewalls securing GTP traffic can be deployed in an active/passive HA; active/active HA is not supported.
  1. Enable GTP Security.
    1. Log in to the firewall web interface.
    2. Select
      Device
      Setup
      Management
      General Settings
      . Select
      GTP Security
      .
    3. Click
      OK
      .
    4. Commit
      the change.
    5. Select
      Device
      Setup
      Operations
      and
      Reboot Device
      .
      Enabling or disabling GTP Security requires a commit and a reboot; the best practice is to commit and reboot at this point. After you enable GTP Security, the options for configuring and monitoring GTP traffic become available on the firewall. If you disable GTP Security, you must also Commit your change and reboot the firewall. After you disable GTP Security, the firewall does not perform GTP stateful inspection, but still checks GTP packets against Security policy rules and still applies App-ID.
  2. (
    Optional
    ) Beginning with PAN-OS 9.0.5, you can gracefully enable GTP stateful inspection to minimize disruption when you deploy a new firewall or migrate GTP traffic.
    1. >
      set gtp nodrop yes
      The firewall continues to perform GTP stateful inspection and generate logs, but won’t drop GTPv2, GTPv1-C, or GTP-U packets that fail GTP stateful inspection. When you later decide to re-enable the firewall to drop packets that fail GTP stateful inspection, use the CLI operational command:
      set gtp nodrop no
      (this is the default setting).
    2. >
      show gtp info
      The firewall displays whether GTP stateful inspection is gracefully enabled (
      gtp no drop: True
      ) or not (
      gtp no drop: False
      ).
  3. Create a GTP Protection profile to inspect GTP traffic.
    1. Select
      Objects
      Security Profiles
      GTP Protection
      and
      Add
      a new profile.
    2. Give the profile a descriptive
      Name
      .
    3. If the firewall is in Multiple Virtual System Mode, enable the profile to be
      Shared
      by all virtual systems.
    4. Set up GTP Protection Profile for the GTP version(s) you want to inspect and configure the available options for filtering, overbilling protection, and logging GTP messages for your compliance and troubleshooting needs.
  4. Create a Security policy rule to allow GTP traffic on your network.
    1. Select
      Policies
      Security
      and
      Add
      a descriptive
      Name
      for the rule in the
      General
      tab.
    2. In the
      Source
      tab,
      Add
      the
      Source Zone
      .
    3. In the
      Destination
      tab,
      Add
      the
      Destination Zone
      .
      Restrict access to specific components in the EPC network; consider using address objects in the
      Destination Address
      field to enable access to specific IP addresses.
    4. In the
      Application
      tab,
      Add
      the applications that correspond to the network services you want to safely allow. For example, select
      gtp-v1
      ,
      gtp-v2
      , and
      gtp-u
      . Make sure to select the applications you enabled for inspection in the GTP Protection profile.
    5. In the
      Service/URL Category
      tab, change the
      Service
      from
      application-default
      to
      any
      .
    6. In the
      Actions
      tab, set the
      Action
      to
      Allow
      .
    7. Attach the GTP Protection profile to the Security policy rule. For
      Profile Type
      , select
      Profiles
      and select the GTP Protection profile you set up earlier.
    8. Verify that
      Log at Session End
      is enabled. GTP session start and GTP session end events are logged only when you enable
      Log at Session Start
      and
      Log at Session End
      in a Security policy rule. The session start and session end logs are available under
      Monitor
      Logs
      GTP
      . All other GTP events are logged based on the settings you enabled in the GTP Protection profile and are also available under
      Monitor
      Logs
      GTP
      .
      By default, the log storage quota for GTP is 2% of the total log storage capacity for the firewall model. Because GTP logs are high volume, increase the log quota (
      Device
      Setup
      Management
      ) or set up log forwarding to an external server.
    9. Click
      OK
      .
  5. (
    Optional
    ) Block GTPv0 traffic coming into your network. Add a Security policy rule to deny application
    gtpv0
    . 3GPP recommends that a GTPv2 or GTPv1 entity that listens to the GTPv0 port should silently discard any GTPv0 messages it receives. The 3GPP Rel-8 GTPv1 specification removed support for GTPv1 to GTPv0 interworking; hence, a Palo Alto Networks firewall does not support stateful inspection of GTPv0 traffic.
  6. Commit
    your policies to the running configuration on the firewall.
  7. Monitor GTP Traffic to verify that you set up GTP inspection effectively for your visibility and logging needs, and to view the GTP traffic in your network.

Recommended For You