GTP Protection Profile
Use these fields to create a GTP Protection profile to define how the firewall inspects, validates, and filters GTP traffic.
The GTP Protection profile (Objects > Security Profiles > GTP Protection) enables the firewall to inspect GTP traffic. The options in the profile allow you to enable stateful inspection of GTPv1-C and GTPv2-C, enable protocol validation for GTPv1-C, GTPv2-C, and GTP-U, and enable GTP-U content inspection to scan user data within GTP-U tunnels.
The options also allow you to filter GTP sessions based on APN, IMSI-Prefix, and RAT, and prevent end-user IP address spoofing to protect the mobile subscribers from being overbilled.
To Configure GTP Stateful Inspection, you must attach the GTP Protection profile to a Security policy rule for a zone.
Enabling Stateful Inspection for GTPv1-C and/or GTPv2-C automatically enables GTP-U stateful inspection.
You can specify the following validity checks for GTP-U payloads and Block or Alert upon a validity check failure:
You can also allow, block or alert on:
Enable GTP-U Content Inspection if you want to inspect and apply policy to the user data payload within a GTP-U packet. Inspecting GTP-U content allows you to correlate IMSI and IMEI information learned from GTP-C messages with the IP traffic encapsulated in GTP-U packets.
You don’t need a Tunnel Content Inspection policy to perform content inspection inside GTP-U tunnels if you use a GTP Protection profile and enable GTP-U Content Inspection.
By default, all Radio Access Technologies (RAT) are allowed. GTP-C Create-PDP-Request and Create-Session-Request messages are allowed or filtered based on the RAT filter. You can specify whether to allow, block, or alert on the following Radio Access Technologies that the user equipment uses to access the mobile core network:
IMSI (International Mobile Subscriber Identity) is a unique identification associated with a subscriber in GSM, UMTS and LTE networks that is provisioned in the Subscriber Identity Module (SIM) card.
An IMSI is usually presented as a 15-digit number (8 bytes), but can be shorter. An IMSI has three parts:
The IMSI Prefix combines the MCC and MNC and allows you to allow, block, or alert on GTP traffic from a specific PLMN. By default, all IMSIs are allowed.
You can either enter IMSIs or IMSI prefixes manually or import them from a CSV file. An IMSI entry can include a wildcard, for example, 310* or 240011*. The firewall supports a maximum of 5,000 IMSI or IMSI prefix entries.
The Access Point Name (APN) is a reference to the GGSN/PGW that a user equipment requires to connect to the internet. The APN is composed of two parts:
By default all APNs are allowed. The APN filter allows you to allow, block, or alert on GTP traffic based on the APN value. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the rules defined for APN filtering.
You can manually add or import an APN filtering list into the firewall. The value for the APN must include the network ID or the domain name of the network (for example, example.com) and, optionally, the operator ID.
For APN filtering, the wildcard (*) on its own matches all APNs. Combining * with other characters is not supported. For example, internet.mnc* is treated as a regular APN and does not match all entries that start with internet.mnc.
The firewall supports a maximum of 1,000 APN filters.
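The following is an added example, not Palo Alto Networks code, that models the IMSI-prefix and APN filter semantics described above (trailing-wildcard IMSI prefixes, the literal treatment of internet.mnc*, the 5,000 and 1,000 entry limits, and the default allow action). The class and function names are this example's own, and two points the text leaves open are marked as assumptions in the comments: how overlapping IMSI entries are prioritised and how the IMSI and APN verdicts are combined.

```python
MAX_IMSI_ENTRIES = 5_000   # list limits stated in the profile documentation
MAX_APN_ENTRIES = 1_000
SEVERITY = {"allow": 0, "alert": 1, "block": 2}   # stricter action wins (assumption)
class GtpFilter:
    def __init__(self, default_action="allow"):   # by default all IMSIs and APNs are allowed
        self.default_action = default_action
        self.imsi_rules = {}   # entry -> action; a trailing '*' makes it a prefix (310*, 240011*)
        self.apn_rules = {}    # entry -> action; only a bare '*' is a wildcard

    @staticmethod
    def _add(table, limit, entry, action):
        if len(table) >= limit and entry not in table:
            raise ValueError(f"filter list is full ({limit} entries)")
        table[entry] = action

    def add_imsi(self, entry, action):
        self._add(self.imsi_rules, MAX_IMSI_ENTRIES, entry, action)

    def add_apn(self, entry, action):
        self._add(self.apn_rules, MAX_APN_ENTRIES, entry, action)

    def imsi_action(self, imsi):
        # Precedence between overlapping entries is not given in the text; longest match wins here
        best = None
        for entry, action in self.imsi_rules.items():
            hit = imsi.startswith(entry[:-1]) if entry.endswith("*") else imsi == entry
            if hit and (best is None or len(entry) > len(best[0])):
                best = (entry, action)
        return best[1] if best else self.default_action

    def apn_action(self, apn):
        # Exact match first; 'internet.mnc*' is literal and does not cover internet.mnc001...
        return self.apn_rules.get(apn, self.apn_rules.get("*", self.default_action))

    def create_session_verdict(self, imsi, apn):
        # Verdict for a Create-PDP-Request / Create-Session-Request carrying this IMSI and APN
        return max(self.imsi_action(imsi), self.apn_action(apn), key=SEVERITY.__getitem__)

def demo():
    f = GtpFilter()
    f.add_imsi("310*", "alert")
    f.add_imsi("240011*", "block")
    f.add_apn("internet.mnc*", "block")   # literal entry, not a prefix
    return {                               # constructed IMSIs, not real subscribers
        "mcc310": f.create_session_verdict("310000000000001", "example.com"),
        "plmn240011": f.create_session_verdict("240011000000002", "example.com"),
        "prefix_like_apn": f.create_session_verdict("999990000000003", "internet.mnc001.mcc999.gprs"),
        "literal_apn": f.create_session_verdict("999990000000003", "internet.mnc*"),
    }
```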
|GTP Tunnel Limit|
|Max Concurrent Tunnels Allowed per Destination|
Allows you to limit the maximum number of GTP-U tunnels to a destination IP address, for example, to the GGSN. Range: 0 to 100,000,000 tunnels.
|Alert at Max Concurrent Tunnels per Destination|
Specify the threshold at which the firewall triggers an alert when the maximum number of GTP-U tunnels to a destination has been established. A GTP log message of high severity is generated when the configured tunnel limit is reached.
The number of events that the firewall counts before it generates a log when the configured GTP tunnel limits are exceeded. This setting allows you to reduce the volume of messages logged. Default: 100; range: 1 to 100,000,000
Select the virtual system that serves as the Gi/SGi firewall on your firewall. The Gi/SGi firewall inspects the mobile subscriber IP traffic traversing the Gi/SGi interface from the PGW/GGSN to the external PDN (packet data network), such as the internet, and secures internet access for mobile subscribers.
Overbilling can occur when a GGSN assigns a previously used IP address from the end-user IP address pool to a mobile subscriber while a malicious server on the internet continues to send packets to that IP address, because the server did not close the session initiated for the previous subscriber and the session is still open on the Gi firewall. To prevent that data from being delivered, whenever a GTP tunnel is deleted (detected by a Delete-PDP or Delete-Session message) or times out, the firewall enabled for overbilling protection notifies the Gi/SGi firewall to delete all sessions that belong to the subscriber from its session table. GTP security and the SGi/Gi firewall should be configured on the same physical firewall, but can be in different virtual systems.
In order to delete sessions based on GTP-C events, the firewall needs to have all the relevant session information and this is possible only when you manage traffic from the SGi + S11 or S5 interfaces for GTPv2 and Gi + Gn interfaces for GTPv1 in the mobile core network.
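The following is an added example, not Palo Alto Networks code, that models the overbilling protection described above: the GTP-inspecting firewall tracks which end-user IP each tunnel carries and, when a Delete-Session/Delete-PDP is seen or the tunnel times out, tells the Gi/SGi firewall to purge every session that belongs to that address. The class names, the 300-second timeout and the 10.1.2.3 / 203.0.113.10 addresses are constructed for the example.

```python
class GiFirewall:
    def __init__(self):
        self.sessions = {}   # (ue_ip, server_ip, server_port) -> ue_ip that owns the session

    def open_session(self, ue_ip, server_ip, server_port):
        self.sessions[(ue_ip, server_ip, server_port)] = ue_ip   # subscriber-initiated flow

    def inbound_allowed(self, server_ip, server_port, ue_ip):
        # Server-to-subscriber packets pass only while a matching session exists
        return (ue_ip, server_ip, server_port) in self.sessions

    def purge_subscriber(self, ue_ip):
        stale = [k for k, owner in self.sessions.items() if owner == ue_ip]
        for k in stale:
            del self.sessions[k]
        return len(stale)

class GtpFirewall:
    """Tracks GTP-C tunnels; with overbilling protection on, notifies the Gi firewall when one ends."""
    def __init__(self, gi, overbilling_protection=True, tunnel_timeout=300):
        self.gi, self.protect, self.timeout = gi, overbilling_protection, tunnel_timeout
        self.tunnels = {}   # TEID -> (end-user IP, time of last activity)

    def create_session(self, teid, ue_ip, now):
        self.tunnels[teid] = (ue_ip, now)

    def _release(self, teid):
        ue_ip, _ = self.tunnels.pop(teid)
        return self.gi.purge_subscriber(ue_ip) if self.protect else 0

    def delete_session(self, teid):   # Delete-PDP-Context / Delete-Session request seen
        return self._release(teid)

    def expire_idle(self, now):       # tunnel timed out
        idle = [t for t, (_, seen) in self.tunnels.items() if now - seen > self.timeout]
        return sum(self._release(t) for t in idle)

def stale_traffic_reaches_new_subscriber(overbilling_protection, via_timeout=False):
    """Constructed scenario: the GGSN reuses 10.1.2.3 after subscriber A's tunnel ends.
    Returns True when the server's leftover packets still reach subscriber B."""
    gi = GiFirewall()
    gtp = GtpFirewall(gi, overbilling_protection)
    gtp.create_session(teid=0x1001, ue_ip="10.1.2.3", now=0)
    gi.open_session("10.1.2.3", "203.0.113.10", 443)        # A opens a flow to a server
    if via_timeout:
        gtp.expire_idle(now=1000)                           # A's tunnel times out
    else:
        gtp.delete_session(0x1001)                          # A detaches (Delete-Session)
    gtp.create_session(teid=0x1002, ue_ip="10.1.2.3", now=1001)   # B gets the same address
    return gi.inbound_allowed("203.0.113.10", 443, "10.1.2.3")
```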
|Other Log Settings|
By default, the firewall does not log allowed GTP messages. Enable logging of GTP Allowed Messages selectively, for troubleshooting when needed, because such logging generates a high volume of logs. In addition to logging Allowed Messages, this tab also allows you to selectively enable logging of user location information.
|GTPv1-C Allowed Messages|
Allows you to selectively enable logging of allowed GTPv1-C messages, if you have enabled Stateful Inspection for GTPv1-C. These messages generate logs to help you troubleshoot issues as needed. By default, the firewall does not log allowed messages. The logging options for allowed GTPv1-C messages are:
|Log User Location|
Allows you to include the user location information (as area code and Cell ID) in GTP logs.
|GTPv2-C Allowed Messages|
Allows you to selectively enable logging of the allowed GTPv2-C messages, if you have enabled Stateful Inspection for GTPv2-C. These messages generate logs to help you troubleshoot issues as needed. By default, the firewall does not log allowed messages. The logging options for allowed GTPv2-C messages are:
|GTP-U Allowed Messages|
Allows you to selectively enable logging of the allowed GTP-U messages, if you have enabled Stateful Inspection for GTPv2-C and/or GTPv1-C. These messages generate logs to help you troubleshoot issues as needed. The logging options for allowed GTP-U messages are:
|G-PDU Packets Logged per New GTP-U Tunnel|
Enable this option to verify that the firewall is inspecting GTP-U PDUs. The firewall generates a log for the specified number of G-PDU packets in each new GTP-U tunnel. Range is 1 to 10; default is 1.
Enable this log setting to capture a GTP packet that is any of the following types of GTP event: