Handbook

APN filtering options

6.0.0

An Access Point Name (APN) is an Information Element (IE) included in the header of a GTP packet. It provides information on how to reach a network.

An APN has the following format:

<network_id>[.mnc<mnc_int>.mcc<mcc_int>.gprs]

Where:

  • <network_id> is the network identifier, a name that identifies a network, for example, example.com or internet.
  • [.mnc<mnc_int>.mcc<mcc_int>.gprs] is the optional operator identifier that uniquely identifies the operator’s PLMN, for example mnc123.mcc456.gprs.

Combining these two examples results in a complete APN of internet.mnc123.mcc456.gprs.

By default, the unit permits all APNs. However, you can configure APN filtering to restrict roaming subscribers' access to external networks.

APN filtering applies only to GTP Create PDP Request messages. The unit inspects GTP packets for both the APN and the selection mode. If both parameters match an APN filter entry, the unit applies the filter to the traffic.

Additionally, the unit can filter GTP packets based on the combination of an IMSI prefix and an APN.

Caution: You cannot add an APN when creating a new profile.

APN Filtering

  • Enable APN Filter: Select to enable APN filtering.
  • Default APN Action: Select the default action for APN filtering. If you select Allow, all sessions are allowed except those blocked by individual APN filters. If you select Deny, all sessions are blocked except those allowed by individual APN filters.
  • Value: The APN to be filtered.
  • Mode: The mode that indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
  • Action: The type of action that will be taken.
  • Edit: Modifies the settings within the filter. When you select Edit, the Edit window appears, which allows you to modify the settings of the APN.
  • Delete: Removes the APN from the list within the table, in the APN Filtering section.
  • Add APN: Adds a new APN filter to the list. When you select Add APN, the New window appears, which allows you to configure the APN settings.

New APN page

  • Value: Enter an APN to be filtered. You can include wildcards to match multiple APNs. For example, the value internet* would match all APNs that begin with internet.
  • Mode: Select one or more of the available modes to indicate where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
      • Mobile Station provided: MS-provided APN, subscription not verified. Indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
      • Network provided: Network-provided APN, subscription not verified. Indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
      • Subscription Verified: MS or Network-provided APN, subscription verified. Indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network.
  • Action: Select Allow or Deny.
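
The APN format and the value/mode/default-action logic described above can be modelled offline to review a filter list before deploying it. This is an added example, not Fortinet code. The mode labels ms, net and vrf, first-match ordering, case-insensitive comparison and treating * as the only wildcard are assumptions of this sketch, and the filter entries are constructed.

```python
import re

# Optional operator identifier suffix: .mnc<mnc_int>.mcc<mcc_int>.gprs
_OI = re.compile(r"^(?P<ni>.+?)\.mnc(?P<mnc>\d+)\.mcc(?P<mcc>\d+)\.gprs$", re.I)

# Assumed labels: ms = Mobile Station provided, net = Network provided,
# vrf = Subscription Verified
MODES = {"ms", "net", "vrf"}

# Constructed sample filter list (not taken from any real configuration)
FILTERS = [
    {"value": "corp*", "modes": {"ms", "net", "vrf"}, "action": "deny"},
    {"value": "internet*", "modes": {"vrf"}, "action": "allow"},
]


def parse_apn(apn):
    """Split an APN into (network_id, mnc, mcc); mnc/mcc are None if absent."""
    m = _OI.match(apn)
    if m:
        return m["ni"], m["mnc"], m["mcc"]
    return apn, None, None


def value_matches(pattern, apn):
    """Match a filter value against the full APN; only '*' is a wildcard."""
    rx = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(rx, apn.lower()) is not None


def evaluate(apn, mode, filters, default_action):
    """Apply the first filter whose value AND mode both match (assumed order);
    otherwise fall back to the Default APN Action."""
    if mode not in MODES:
        raise ValueError(f"unknown selection mode: {mode}")
    for f in filters:
        if value_matches(f["value"], apn) and mode in f["modes"]:
            return f["action"]
    return default_action


if __name__ == "__main__":
    apn = "internet.mnc123.mcc456.gprs"
    print(parse_apn(apn))
    # Same APN, unverified subscription: no filter matches, so the default decides.
    for default in ("allow", "deny"):
        print(default, "->", evaluate(apn, "ms", FILTERS, default))
```

With Default APN Action set to Allow, the unverified MS-provided request for internet.mnc123.mcc456.gprs passes because the only internet* entry is limited to Subscription Verified; with Deny it is blocked.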