GTP deployments on a Palo Alto Networks firewall include cellular IoT security.
CIoT security protects your mobile network and CIoT traffic from attacks and gives you visibility into CIoT communications on your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), for example, an oil, gas, or energy utility operating as an MVNO, you can use CIoT security to secure CIoT traffic. The firewall supports the CIoT technologies S11-U tunnels and narrow-band IoT (NB-IoT). The firewall also logs Remote UE identifiers for Proximity Services (ProSe) device-to-device (D2D) communication over the air interfaces in your network; this logging is especially helpful in Public Safety use cases.
CIoT security includes:
- Support for CIoT Evolved Packet System (EPS) optimization:
  - GTP Stateful Inspection of S11 and S11-U tunnels
  - GTP-U Content Inspection of S11-U tunnels (inspection of the inner IP sessions carried in S11-U GTP-U tunnels)
- Filtering traffic from IoT devices that connect to a mobile network using EUTRAN-NB-IoT (the NB-IoT radio access type), for example, allowing only devices that use NB-IoT to access the network.
- Displaying and reporting on D2D (device-to-device) communication using Remote User ID (IMSI) and Remote User IP when you monitor GTP or Unified log messages, generate custom reports from the GTP Summary or GTP Detailed database, or forward GTP logs.
In a CIoT security deployment, the S11-U data tunnel carries user data encapsulated in GTP-U. When mobile-originated or mobile-terminated data is transported using Control Plane CIoT EPS Optimization with PGW connectivity, the MME and SGW exchange that data over an S11-U tunnel. Information in the GTP-C payload initiates establishment of the S11-U tunnel: the Create Session Request and Response exchange between the MME and SGW establishes the tunnel, so no Modify Bearer Request and Response exchange is needed before downlink or uplink user data can be transferred.
For use cases that involve little data, such as IoT devices that send small, infrequent messages, an S11-U data tunnel reduces the number of signaling messages exchanged on the network. You can inspect this data traffic by positioning a firewall between the MME and the SGW.
To protect your mobile network and CIoT traffic that use 3GPP technologies, follow the procedure to configure GTPv2-C Stateful Inspection so that the firewall statefully inspects the S11-U tunnels. Create a GTP Protection profile and enable GTP-U Content Inspection to inspect the content of the GTP-U traffic inside the S11-U tunnels. Attach the profile to a Security policy rule that identifies the Application (such as gtpv2-c and gtp-u) and apply the rule to the zones of the network elements that use GTP, such as the zones between an MME and an SGW.
By enabling GTP-U Content Inspection, you can secure CIoT traffic by creating Security policy rules and applying the following security capabilities on IP traffic inside a GTP-U tunnel:
- Vulnerability Protection
- URL Filtering
- WildFire® Analysis
- Data Filtering
The source and destination zones of GTP-U inner IP sessions are the same zones as those for GTP-U outer sessions.
The firewall does not support Decryption of IP traffic inside GTP-U tunnels.
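The following is an added example, not Palo Alto Networks code and not a model of PAN-OS internals. It shows the work that sits behind GTP-U Content Inspection as described above: strip the GTP-U header (including its optional fields and extension headers), parse the inner IP packet, and hand the inner 5-tuple to policy in the same zones as the outer GTP-U session. Header layouts follow 3GPP TS 29.281; the UE address, TEID, zone names and packets are constructed for the demo.

```python
"""Decapsulate GTP-U (3GPP TS 29.281) and recover the inner IP session.

Added example; not Palo Alto Networks code.  Sample packets are constructed.
"""
import socket
import struct

GTPU_PORT = 2152
MSG_ECHO_REQUEST = 1
MSG_ERROR_INDICATION = 26
MSG_END_MARKER = 254
MSG_G_PDU = 255          # T-PDU carrying a user IP packet


def parse_gtpu(pkt: bytes):
    """Return (msg_type, teid, payload) for one GTP-U PDU; raise ValueError on
    anything malformed rather than guessing where the inner packet starts."""
    if len(pkt) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x10:
        raise ValueError("PT=0 is GTP' (charging), not GTP-U")
    # Length counts everything after the 8 mandatory octets, optional
    # fields and extension headers included.
    if 8 + length != len(pkt):
        raise ValueError("GTP-U length field does not match packet")
    off = 8
    if flags & 0x07:                      # any of E, S, PN set
        off += 4                          # seq(2) + N-PDU(1) + next-ext-type(1)
        if off > len(pkt):
            raise ValueError("optional fields flagged but absent")
        next_ext = pkt[off - 1] if flags & 0x04 else 0
        while next_ext != 0:              # walk the extension header chain
            ext_len = pkt[off] * 4        # first octet: length in 4-octet units
            if ext_len == 0 or off + ext_len > len(pkt):
                raise ValueError("bad GTP-U extension header")
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return msg_type, teid, pkt[off:]


def inner_flow(payload: bytes) -> dict:
    """Parse the inner IPv4 header (plus TCP/UDP ports) into the 5-tuple that
    Security policy and the content-inspection profiles operate on."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4 (IPv6 omitted for brevity)")
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    flow = {"src": socket.inet_ntoa(payload[12:16]),
            "dst": socket.inet_ntoa(payload[16:20]),
            "proto": proto, "sport": None, "dport": None}
    if proto in (6, 17) and len(payload) >= ihl + 4:   # TCP or UDP
        flow["sport"], flow["dport"] = struct.unpack("!HH", payload[ihl:ihl + 4])
    return flow


def inspect_gtpu(pkt: bytes, outer: dict):
    """Model the hand-off to content inspection.  `outer` holds the zones of
    the GTP-U outer session; the inner session inherits them unchanged.
    Returns None for GTP-U messages that carry no user data."""
    msg_type, teid, payload = parse_gtpu(pkt)
    if msg_type != MSG_G_PDU:
        return None                       # Echo, Error Indication, End Marker
    flow = inner_flow(payload)
    flow.update(teid=teid, src_zone=outer["src_zone"], dst_zone=outer["dst_zone"])
    return flow


# --- constructed sample traffic (not captured from a real network) ---------

def build_ipv4_udp(src, dst, sport, dport, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp                       # checksums left zero: parsing demo only


def build_gtpu(msg_type: int, teid: int, payload: bytes, seq=None) -> bytes:
    flags, opt = 0x30, b""                # version 1, PT=1
    if seq is not None:
        flags |= 0x02                     # S flag: the optional 4 octets follow
        opt = struct.pack("!HBB", seq, 0, 0)
    body = opt + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


# Hypothetical UE 10.20.0.7 sending a DNS query through the S11-U tunnel
# identified by TEID 0x1234 (both values invented for the demo).
SAMPLE_GPDU = build_gtpu(MSG_G_PDU, 0x1234,
                         build_ipv4_udp("10.20.0.7", "198.51.100.53", 40001, 53,
                                        b"\x00\x01\x01\x00" + b"\x00" * 8))
# Path-management keep-alive: carries no inner session.
SAMPLE_ECHO = build_gtpu(MSG_ECHO_REQUEST, 0, b"", seq=1)

if __name__ == "__main__":
    zones = {"src_zone": "mme", "dst_zone": "sgw"}
    print(inspect_gtpu(SAMPLE_GPDU, zones))
    print(inspect_gtpu(SAMPLE_ECHO, zones))
```

The length check matters in practice: a GTP-U length field that disagrees with the datagram is exactly the kind of abnormal packet the firewall logs as a GTP event, and the parser refuses it instead of carving an inner packet out of the wrong offset. Note that only IPv4 inner packets are handled here, and that Decryption is not attempted on the inner flow, matching the limitation stated above.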
If you use narrow-band IoT (NB-IoT) as the Radio Access Technology (RAT), your GTP Protection profile can filter GTP traffic by RAT type so that you safely allow only EUTRAN-NB-IoT traffic for trusted services.
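The following added example (not Palo Alto Networks code, and not a model of how PAN-OS implements the GTP Protection profile) shows the inspection point a RAT-based filter works from, tying together the Create Session Request exchange described earlier and the NB-IoT filtering described here. The Create Session Request that sets up the S11-U tunnel carries a mandatory RAT Type IE (type 82, value 8 = EUTRAN-NB-IoT in 3GPP TS 29.274), so an "NB-IoT only" decision can be made on that one message before any user data flows. The IMSI is decoded alongside it because that is the subscriber identity the firewall logs. Message, IE and RAT Type codes are from TS 29.274; the IMSIs and messages are constructed for the demo.

```python
"""GTPv2-C (3GPP TS 29.274) Create Session Request: RAT Type filtering.

Added example; not Palo Alto Networks code.  Sample messages are constructed.
"""
import struct

# Message types (TS 29.274 Table 6.1-1)
CREATE_SESSION_REQUEST = 32
CREATE_SESSION_RESPONSE = 33

# Information Element types (TS 29.274 Table 8.1-1)
IE_IMSI = 1
IE_CAUSE = 2
IE_RAT_TYPE = 82

# RAT Type values (TS 29.274 Table 8.17-1)
RAT_NAMES = {1: "UTRAN", 2: "GERAN", 3: "WLAN", 4: "GAN", 5: "HSPA Evolution",
             6: "EUTRAN", 7: "Virtual", 8: "EUTRAN-NB-IoT", 9: "LTE-M", 10: "NR"}
RAT_EUTRAN, RAT_EUTRAN_NB_IOT = 6, 8


def parse_gtpv2c(pkt: bytes):
    """Return (msg_type, teid_or_None, {ie_type: value}) or raise ValueError."""
    if len(pkt) < 8:
        raise ValueError("short GTPv2-C header")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTP version 2")
    if 4 + length != len(pkt):            # length excludes the first 4 octets
        raise ValueError("GTPv2-C length field does not match packet")
    off, teid = 4, None
    if flags & 0x08:                      # T flag: TEID present
        teid = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    off += 4                              # sequence number (3) + spare (1)
    ies = {}
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated IE header")
        ie_type, ie_len, _inst = struct.unpack("!BHB", pkt[off:off + 4])
        off += 4
        if off + ie_len > len(pkt):
            raise ValueError("truncated IE value")
        ies[ie_type] = pkt[off:off + ie_len]   # one instance per type suffices here
        off += ie_len
    return msg_type, teid, ies


def decode_tbcd(b: bytes) -> str:
    """IMSI digits are TBCD: low nibble first, 0xF pads an odd digit count."""
    digits = []
    for byte in b:
        for nib in (byte & 0x0F, byte >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def rat_filter(pkt: bytes, allowed=frozenset({RAT_EUTRAN_NB_IOT})) -> dict:
    """Apply an 'NB-IoT only' RAT filter to one GTPv2-C message and return the
    verdict together with the fields a GTP log entry would carry."""
    msg_type, _teid, ies = parse_gtpv2c(pkt)
    imsi = decode_tbcd(ies[IE_IMSI]) if IE_IMSI in ies else None
    result = {"msg_type": msg_type, "imsi": imsi, "rat": None}
    if msg_type != CREATE_SESSION_REQUEST:
        # Responses and later messages ride on the session state the request
        # created; the RAT decision is made once, on the request.
        return {**result, "action": "allow", "reason": "not subject to RAT filter"}
    rat = ies.get(IE_RAT_TYPE)
    if rat is None or len(rat) != 1:
        # RAT Type is mandatory in a Create Session Request: treat its
        # absence as an abnormal message, not as "unknown, so allow".
        return {**result, "action": "deny", "reason": "RAT Type IE missing or malformed"}
    result["rat"] = RAT_NAMES.get(rat[0], f"reserved({rat[0]})")
    if rat[0] in allowed:
        return {**result, "action": "allow", "reason": "RAT permitted by profile"}
    return {**result, "action": "deny", "reason": "RAT not permitted by profile"}


# --- constructed sample messages (not captured from a real network) --------

def encode_tbcd(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def build_ie(ie_type: int, value: bytes, instance: int = 0) -> bytes:
    return struct.pack("!BHB", ie_type, len(value), instance) + value


def build_gtpv2c(msg_type: int, teid: int, seq: int, ies) -> bytes:
    body = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + b"".join(ies)
    return struct.pack("!BBH", 0x48, msg_type, len(body)) + body   # version 2, T=1


# Hypothetical IMSIs on the 001-01 test PLMN.
NBIOT_CSR = build_gtpv2c(CREATE_SESSION_REQUEST, 0, 1, [
    build_ie(IE_IMSI, encode_tbcd("001010123456789")),
    build_ie(IE_RAT_TYPE, bytes([RAT_EUTRAN_NB_IOT]))])
LTE_CSR = build_gtpv2c(CREATE_SESSION_REQUEST, 0, 2, [
    build_ie(IE_IMSI, encode_tbcd("001010987654321")),
    build_ie(IE_RAT_TYPE, bytes([RAT_EUTRAN]))])
NO_RAT_CSR = build_gtpv2c(CREATE_SESSION_REQUEST, 0, 3, [
    build_ie(IE_IMSI, encode_tbcd("001010555555555"))])
# SGW answer completing the exchange: Cause 16 = Request accepted.
CSR_RESP = build_gtpv2c(CREATE_SESSION_RESPONSE, 0x0001, 1, [
    build_ie(IE_CAUSE, bytes([16, 0]))])

if __name__ == "__main__":
    for name, msg in [("NB-IoT", NBIOT_CSR), ("LTE", LTE_CSR),
                      ("no RAT", NO_RAT_CSR), ("response", CSR_RESP)]:
        print(name, rat_filter(msg))
```

The deny on a missing RAT Type IE is deliberate: a Create Session Request without its mandatory IE is malformed signaling, and an allow-list that defaults to "permit" when the attribute is absent is trivially bypassed.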