Fortinet black logo

CLI Reference

firewall gtp

firewall gtp

Use this FortiOS Carrier command to configure firewall GTP options.

config firewall gtp
    edit {name}
    # Configure GTP.
        set name {string}   Profile name. size[63]
        set comment {string}   Comment. size[255]
        set remove-if-echo-expires {enable | disable}   remove if echo response expires
        set remove-if-recovery-differ {enable | disable}   remove upon different Recovery IE
        set send-delete-when-timeout {enable | disable}   send DELETE request to path endpoints when GTPv0/v1 tunnel timeout.
        set send-delete-when-timeout-v2 {enable | disable}   send DELETE request to path endpoints when GTPv2 tunnel timeout.
        set gtp-in-gtp {allow | deny}   gtp in gtp
                allow  Allow setting.
                deny   Deny setting.
        set unknown-version-action {allow | deny}   action for unknown gtp version
                allow  Allow setting.
                deny   Deny setting.
        set min-message-length {integer}   min message length range[0-4294967295]
        set max-message-length {integer}   max message length range[0-4294967295]
        set control-plane-message-rate-limit {integer}   control plane message rate limit range[0-4294967295]
        set rate-sampling-interval {integer}   rate sampling interval (1-3600 seconds) range[1-3600]
        set echo-request-interval {integer}   echo request interval (in seconds) range[0-4294967295]
        set user-plane-message-rate-limit {integer}   user plane message rate limit range[0-4294967295]
        set tunnel-limit {integer}   tunnel limit range[0-4294967295]
        set global-tunnel-limit {string}   Global tunnel limit. size[63] - datasource(s): gtp.tunnel-limit.name
        set tunnel-timeout {integer}   Established tunnel timeout (in seconds). range[0-4294967295]
        set half-open-timeout {integer}   Half-open tunnel timeout (in seconds). range[1-300]
        set half-close-timeout {integer}   Half-close tunnel timeout (in seconds). range[1-30]
        set default-apn-action {allow | deny}   default apn action
                allow  Allow setting.
                deny   Deny setting.
        set default-imsi-action {allow | deny}   default imsi action
                allow  Allow setting.
                deny   Deny setting.
        set default-policy-action {allow | deny}   default advanced policy action
                allow  Allow setting.
                deny   Deny setting.
        set default-ip-action {allow | deny}   default action for encapsulated IP traffic
                allow  Allow setting.
                deny   Deny setting.
        set default-noip-action {allow | deny}   default action for encapsulated non-IP traffic
                allow  Allow setting.
                deny   Deny setting.
        set apn-filter {enable | disable}   apn filter
        set imsi-filter {enable | disable}   imsi filter
        set policy-filter {enable | disable}   Advanced policy filter
        set ie-remover {enable | disable}   IE removal policy.
        set ip-filter {enable | disable}   IP filter for encapsulted traffic
        set noip-filter {enable | disable}   non-IP filter for encapsulted traffic
        set monitor-mode {enable | disable}   GTP monitor mode
        set forwarded-log {enable | disable}   log forwarded
        set denied-log {enable | disable}   log denied
        set rate-limited-log {enable | disable}   log rate limited
        set state-invalid-log {enable | disable}   log state invalid
        set tunnel-limit-log {enable | disable}   tunnel limit
        set extension-log {enable | disable}   log in extension format
        set traffic-count-log {enable | disable}   log tunnel traffic counter
        set log-freq {integer}   Logging of frequency of GTP-C packets. range[0-4294967295]
        set gtpu-forwarded-log {enable | disable}   Enable/disable logging of forwarded GTP-U packets.
        set gtpu-denied-log {enable | disable}   Enable/disable logging of denied GTP-U packets.
        set gtpu-log-freq {integer}   Logging of frequency of GTP-U packets. range[0-4294967295]
        set log-gtpu-limit {integer}   the user data log limit (0-512 bytes) range[0-512]
        set log-imsi-prefix {string}   IMSI prefix for selective logging. size[15]
        set log-msisdn-prefix {string}   the msisdn prefix for selective logging size[15]
        set invalid-reserved-field {allow | deny}   Invalid reserved field in GTP header
                allow  Allow setting.
                deny   Deny setting.
        set reserved-ie {allow | deny}   reserved information element
                allow  Allow setting.
                deny   Deny setting.
        set miss-must-ie {allow | deny}   Missing mandatory information element
                allow  Allow setting.
                deny   Deny setting.
        set out-of-state-message {allow | deny}   Out of state GTP message
                allow  Allow setting.
                deny   Deny setting.
        set out-of-state-ie {allow | deny}   Out of state information element.
                allow  Allow setting.
                deny   Deny setting.
        set spoof-src-addr {allow | deny}   Spoofed source address for Mobile Station.
                allow  Allow setting.
                deny   Deny setting.
        set handover-group {string}   Handover SGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set authorized-sgsns {string}   Authorized SGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set invalid-sgsns-to-log {string}   Invalid SGSN group to be logged size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set authorized-ggsns {string}   Authorized GGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        config apn
            edit {id}
            # APN.
                set id {integer}   ID. range[0-4294967295]
                config apnmember
                    edit {name}
                    # APN member.
                        set name {string}   APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name
                    next
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
                set selection-mode {ms | net | vrf}   APN selection mode.
                        ms   Mobile Station provided APN.
                        net  Network provided APN.
                        vrf  Subscription verified.
            next
        config imsi
            edit {id}
            # IMSI.
                set id {integer}   ID. range[0-4294967295]
                set mcc-mnc {string}   MCC MNC. size[15]
                set msisdn-prefix {string}   MSISDN prefix. size[15]
                config apnmember
                    edit {name}
                    # APN member.
                        set name {string}   APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name
                    next
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
                set selection-mode {ms | net | vrf}   APN selection mode.
                        ms   Mobile Station provided APN.
                        net  Network provided APN.
                        vrf  Subscription verified.
            next
        config policy
            edit {id}
            # Policy.
                set id {integer}   ID. range[0-4294967295]
                config apnmember
                    edit {name}
                    # APN member.
                        set name {string}   APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name
                    next
                set messages {create-req | create-res | update-req | update-res}   GTP messages.
                        create-req  Create PDP context request.
                        create-res  Create PDP context response.
                        update-req  Update PDP context request.
                        update-res  Update PDP context response.
                set apn-sel-mode {ms | net | vrf}   APN selection mode.
                        ms   Mobile Station provided APN.
                        net  Network provided APN.
                        vrf  Subscription verified.
                set max-apn-restriction {option}   Maximum APN restriction value.
                        all        All.
                        public-1   Public-1.
                        public-2   Public-2.
                        private-1  Private-1.
                        private-2  Private-2.
                set imsi {string}   IMSI prefix. size[15]
                set msisdn {string}   MSISDN prefix. size[15]
                set rat-type {option}   RAT Type.
                        any    Any RAT.
                        utran  UTRAN.
                        geran  GERAN.
                        wlan   WLAN.
                        gan    GAN.
                        hspa   HSPA.
                set rai {string}   RAI pattern. size[40]
                set uli {string}   ULI pattern. size[40]
                set imei {string}   IMEI(SV) pattern. size[40]
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
            next
        set addr-notify {ipv4 address any}   overbilling notify address
        set port-notify {integer}   overbilling notify port range[0-65535]
        set interface-notify {string}   overbilling interface size[15] - datasource(s): system.interface.name
        set context-id {integer}   Overbilling context. range[0-4294967295]
        config ie-remove-policy
            edit {id}
            # IE remove policy.
                set id {integer}   ID. range[0-4294967295]
                set sgsn-addr {string}   SGSN address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set remove-ies {option}   GTP IEs to be removed.
                        apn-restriction  APN Restriction.
                        rat-type         RAT Type.
                        rai              RAI.
                        uli              ULI.
                        imei             IMEI.
            next
        config ip-policy
            edit {id}
            # IP policy.
                set id {integer}   ID. range[0-4294967295]
                set srcaddr {string}   Source address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set dstaddr {string}   Destination address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
            next
        config noip-policy
            edit {id}
            # No IP policy.
                set id {integer}   ID. range[0-4294967295]
                set type {etsi | ietf}   Protocol field type.
                        etsi  ESTI.
                        ietf  IETF.
                set start {integer}   Start of protocol range (0 - 255). range[0-255]
                set end {integer}   End of protocol range (0 - 255). range[0-255]
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
            next
        set message-filter-v0v1 {string}   Message filter. size[63] - datasource(s): gtp.message-filter-v0v1.name
        set message-filter-v2 {string}   Message filter. size[63] - datasource(s): gtp.message-filter-v2.name
        set ie-white-list-v0v1 {string}   IE white list. size[63] - datasource(s): gtp.ie-white-list.name
        set ie-white-list-v2 {string}   IE white list. size[63] - datasource(s): gtp.ie-white-list.name
        config ie-validation
            set imsi {enable | disable}   Validate IMSI.
            set rai {enable | disable}   Validate RAI.
            set reordering-required {enable | disable}   Validate re-ordering required.
            set ms-validated {enable | disable}   Validate MS validated.
            set selection-mode {enable | disable}   Validate selection mode.
            set nsapi {enable | disable}   Validate NSAPI.
            set charging-ID {enable | disable}   Validate charging ID.
            set end-user-addr {enable | disable}   Validate end user address.
            set mm-context {enable | disable}   Validate MM context.
            set pdp-context {enable | disable}   Validate PDP context.
            set gsn-addr {enable | disable}   Validate GSN address.
            set msisdn {enable | disable}   Validate MSISDN.
            set qos-profile {enable | disable}   Validate Quality of Service(QoS) profile.
            set apn-restriction {enable | disable}   Validate APN restriction.
            set rat-type {enable | disable}   Validate RAT type.
            set uli {enable | disable}   Validate user location information.
            set ms-tzone {enable | disable}   Validate MS time zone.
            set imei {enable | disable}   Validate IMEI(SV).
            set charging-gateway-addr {enable | disable}   Validate charging gateway address.
        config message-rate-limit
            set echo-request {integer}   Rate limit for echo requests (packets per second). range[0-4294967295]
            set echo-reponse {integer}   Rate limit for echo response (packets per second). range[0-4294967295]
            set version-not-support {integer}   Rate limit for version not supported (packets per second). range[0-4294967295]
            set create-pdp-request {integer}   Rate limit for create PDP context request (packets per second). range[0-4294967295]
            set create-pdp-response {integer}   Rate limit for create PDP context response (packets per second). range[0-4294967295]
            set update-pdp-request {integer}   Rate limit for update PDP context request (packets per second). range[0-4294967295]
            set update-pdp-response {integer}   Rate limit for update PDP context response (packets per second). range[0-4294967295]
            set delete-pdp-request {integer}   Rate limit for delete PDP context request (packets per second). range[0-4294967295]
            set delete-pdp-response {integer}   Rate limit for delete PDP context response (packets per second). range[0-4294967295]
            set create-aa-pdp-request {integer}   Rate limit for create AA PDP context request (packets per second). range[0-4294967295]
            set create-aa-pdp-response {integer}   Rate limit for create AA PDP context response (packets per second). range[0-4294967295]
            set delete-aa-pdp-request {integer}   Rate limit for delete AA PDP context request (packets per second). range[0-4294967295]
            set delete-aa-pdp-response {integer}   Rate limit for delete AA PDP context response (packets per second). range[0-4294967295]
            set error-indication {integer}   Rate limit for error indication (packets per second). range[0-4294967295]
            set pdu-notify-request {integer}   Rate limit for PDU notify request (packets per second). range[0-4294967295]
            set pdu-notify-response {integer}   Rate limit for PDU notify response (packets per second). range[0-4294967295]
            set pdu-notify-rej-request {integer}   Rate limit for PDU notify reject request (packets per second). range[0-4294967295]
            set pdu-notify-rej-response {integer}   Rate limit for PDU notify reject response (packets per second). range[0-4294967295]
            set support-ext-hdr-notify {integer}   Rate limit for support extension headers notification (packets per second). range[0-4294967295]
            set send-route-request {integer}   Rate limit for send routing information for GPRS request (packets per second). range[0-4294967295]
            set send-route-response {integer}   Rate limit for send routing information for GPRS response (packets per second). range[0-4294967295]
            set failure-report-request {integer}   Rate limit for failure report request (packets per second). range[0-4294967295]
            set failure-report-response {integer}   Rate limit for failure report response (packets per second). range[0-4294967295]
            set note-ms-request {integer}   Rate limit for note MS GPRS present request (packets per second). range[0-4294967295]
            set note-ms-response {integer}   Rate limit for note MS GPRS present response (packets per second). range[0-4294967295]
            set identification-request {integer}   Rate limit for identification request (packets per second). range[0-4294967295]
            set identification-response {integer}   Rate limit for identification response (packets per second). range[0-4294967295]
            set sgsn-context-request {integer}   Rate limit for SGSN context request (packets per second). range[0-4294967295]
            set sgsn-context-response {integer}   Rate limit for SGSN context response (packets per second). range[0-4294967295]
            set sgsn-context-ack {integer}   Rate limit for SGSN context acknowledgement (packets per second). range[0-4294967295]
            set fwd-relocation-request {integer}   Rate limit for forward relocation request (packets per second). range[0-4294967295]
            set fwd-relocation-response {integer}   Rate limit for forward relocation response (packets per second). range[0-4294967295]
            set fwd-relocation-complete {integer}   Rate limit for forward relocation complete (packets per second). range[0-4294967295]
            set relocation-cancel-request {integer}   Rate limit for relocation cancel request (packets per second). range[0-4294967295]
            set relocation-cancel-response {integer}   Rate limit for relocation cancel response (packets per second). range[0-4294967295]
            set fwd-srns-context {integer}   Rate limit for forward SRNS context (packets per second). range[0-4294967295]
            set fwd-reloc-complete-ack {integer}   Rate limit for forward relocation complete acknowledge (packets per second). range[0-4294967295]
            set fwd-srns-context-ack {integer}   Rate limit for forward SRNS context acknowledge (packets per second). range[0-4294967295]
            set ran-info {integer}   Rate limit for RAN information relay (packets per second). range[0-4294967295]
            set mbms-notify-request {integer}   Rate limit for MBMS notification request (packets per second). range[0-4294967295]
            set mbms-notify-response {integer}   Rate limit for MBMS notification response (packets per second). range[0-4294967295]
            set mbms-notify-rej-request {integer}   Rate limit for MBMS notification reject request (packets per second). range[0-4294967295]
            set mbms-notify-rej-response {integer}   Rate limit for MBMS notification reject response (packets per second). range[0-4294967295]
            set create-mbms-request {integer}   Rate limit for create MBMS context request (packets per second). range[0-4294967295]
            set create-mbms-response {integer}   Rate limit for create MBMS context response (packets per second). range[0-4294967295]
            set update-mbms-request {integer}   Rate limit for update MBMS context request (packets per second). range[0-4294967295]
            set update-mbms-response {integer}   Rate limit for update MBMS context response (packets per second). range[0-4294967295]
            set delete-mbms-request {integer}   Rate limit for delete MBMS context request (packets per second). range[0-4294967295]
            set delete-mbms-response {integer}   Rate limit for delete MBMS context response (packets per second). range[0-4294967295]
            set mbms-reg-request {integer}   Rate limit for MBMS registration request (packets per second). range[0-4294967295]
            set mbms-reg-response {integer}   Rate limit for MBMS registration response (packets per second). range[0-4294967295]
            set mbms-de-reg-request {integer}   Rate limit for MBMS de-registration request (packets per second). range[0-4294967295]
            set mbms-de-reg-response {integer}   Rate limit for MBMS de-registration response (packets per second). range[0-4294967295]
            set mbms-ses-start-request {integer}   Rate limit for MBMS session start request (packets per second). range[0-4294967295]
            set mbms-ses-start-response {integer}   Rate limit for MBMS session start response (packets per second). range[0-4294967295]
            set mbms-ses-stop-request {integer}   Rate limit for MBMS session stop request (packets per second). range[0-4294967295]
            set mbms-ses-stop-response {integer}   Rate limit for MBMS session stop response (packets per second). range[0-4294967295]
            set g-pdu {integer}   Rate limit for G-PDU (packets per second). range[0-4294967295]
        set rate-limit-mode {per-profile | per-stream | per-apn}   GTP rate limit mode.
                per-profile  Per-profile rate limiting.
                per-stream   Per-stream rate limiting.
                per-apn      Per-APN rate limiting.
        set warning-threshold {integer}   Warning threshold for rate limiting (0 - 99 percent). range[0-99]
        config message-rate-limit-v0
            set echo-request {integer}   Rate limit (packets/s) for echo request. range[0-4294967295]
            set create-pdp-request {integer}   Rate limit (packets/s) for create PDP context request. range[0-4294967295]
            set delete-pdp-request {integer}   Rate limit (packets/s) for delete PDP context request. range[0-4294967295]
        config message-rate-limit-v1
            set echo-request {integer}   Rate limit (packets/s) for echo request. range[0-4294967295]
            set create-pdp-request {integer}   Rate limit (packets/s) for create PDP context request. range[0-4294967295]
            set delete-pdp-request {integer}   Rate limit (packets/s) for delete PDP context request. range[0-4294967295]
        config message-rate-limit-v2
            set echo-request {integer}   Rate limit (packets/s) for echo request. range[0-4294967295]
            set create-session-request {integer}   Rate limit (packets/s) for create session request. range[0-4294967295]
            set delete-session-request {integer}   Rate limit (packets/s) for delete session request. range[0-4294967295]
        config per-apn-shaper
            edit {id}
            # Per APN shaper.
                set id {integer}   ID. range[0-4294967295]
                set apn {string}   APN name. size[63] - datasource(s): gtp.apn.name
                set version {integer}   GTP version number: 0 or 1. range[0-1]
                set rate-limit {integer}   Rate limit (packets/s) for create PDP context request. range[0-1000000]
            next
    next
end

firewall gtp

Use this FortiOS Carrier command to configure firewall GTP options.

config firewall gtp
    edit {name}
    # Configure GTP.
        set name {string}   Profile name. size[63]
        set comment {string}   Comment. size[255]
        set remove-if-echo-expires {enable | disable}   remove if echo response expires
        set remove-if-recovery-differ {enable | disable}   remove upon different Recovery IE
        set send-delete-when-timeout {enable | disable}   send DELETE request to path endpoints when GTPv0/v1 tunnel timeout.
        set send-delete-when-timeout-v2 {enable | disable}   send DELETE request to path endpoints when GTPv2 tunnel timeout.
        set gtp-in-gtp {allow | deny}   gtp in gtp
                allow  Allow setting.
                deny   Deny setting.
        set unknown-version-action {allow | deny}   action for unknown gtp version
                allow  Allow setting.
                deny   Deny setting.
        set min-message-length {integer}   min message length range[0-4294967295]
        set max-message-length {integer}   max message length range[0-4294967295]
        set control-plane-message-rate-limit {integer}   control plane message rate limit range[0-4294967295]
        set rate-sampling-interval {integer}   rate sampling interval (1-3600 seconds) range[1-3600]
        set echo-request-interval {integer}   echo request interval (in seconds) range[0-4294967295]
        set user-plane-message-rate-limit {integer}   user plane message rate limit range[0-4294967295]
        set tunnel-limit {integer}   tunnel limit range[0-4294967295]
        set global-tunnel-limit {string}   Global tunnel limit. size[63] - datasource(s): gtp.tunnel-limit.name
        set tunnel-timeout {integer}   Established tunnel timeout (in seconds). range[0-4294967295]
        set half-open-timeout {integer}   Half-open tunnel timeout (in seconds). range[1-300]
        set half-close-timeout {integer}   Half-close tunnel timeout (in seconds). range[1-30]
        set default-apn-action {allow | deny}   default apn action
                allow  Allow setting.
                deny   Deny setting.
        set default-imsi-action {allow | deny}   default imsi action
                allow  Allow setting.
                deny   Deny setting.
        set default-policy-action {allow | deny}   default advanced policy action
                allow  Allow setting.
                deny   Deny setting.
        set default-ip-action {allow | deny}   default action for encapsulated IP traffic
                allow  Allow setting.
                deny   Deny setting.
        set default-noip-action {allow | deny}   default action for encapsulated non-IP traffic
                allow  Allow setting.
                deny   Deny setting.
        set apn-filter {enable | disable}   apn filter
        set imsi-filter {enable | disable}   imsi filter
        set policy-filter {enable | disable}   Advanced policy filter
        set ie-remover {enable | disable}   IE removal policy.
        set ip-filter {enable | disable}   IP filter for encapsulted traffic
        set noip-filter {enable | disable}   non-IP filter for encapsulted traffic
        set monitor-mode {enable | disable}   GTP monitor mode
        set forwarded-log {enable | disable}   log forwarded
        set denied-log {enable | disable}   log denied
        set rate-limited-log {enable | disable}   log rate limited
        set state-invalid-log {enable | disable}   log state invalid
        set tunnel-limit-log {enable | disable}   tunnel limit
        set extension-log {enable | disable}   log in extension format
        set traffic-count-log {enable | disable}   log tunnel traffic counter
        set log-freq {integer}   Logging of frequency of GTP-C packets. range[0-4294967295]
        set gtpu-forwarded-log {enable | disable}   Enable/disable logging of forwarded GTP-U packets.
        set gtpu-denied-log {enable | disable}   Enable/disable logging of denied GTP-U packets.
        set gtpu-log-freq {integer}   Logging of frequency of GTP-U packets. range[0-4294967295]
        set log-gtpu-limit {integer}   the user data log limit (0-512 bytes) range[0-512]
        set log-imsi-prefix {string}   IMSI prefix for selective logging. size[15]
        set log-msisdn-prefix {string}   the msisdn prefix for selective logging size[15]
        set invalid-reserved-field {allow | deny}   Invalid reserved field in GTP header
                allow  Allow setting.
                deny   Deny setting.
        set reserved-ie {allow | deny}   reserved information element
                allow  Allow setting.
                deny   Deny setting.
        set miss-must-ie {allow | deny}   Missing mandatory information element
                allow  Allow setting.
                deny   Deny setting.
        set out-of-state-message {allow | deny}   Out of state GTP message
                allow  Allow setting.
                deny   Deny setting.
        set out-of-state-ie {allow | deny}   Out of state information element.
                allow  Allow setting.
                deny   Deny setting.
        set spoof-src-addr {allow | deny}   Spoofed source address for Mobile Station.
                allow  Allow setting.
                deny   Deny setting.
        set handover-group {string}   Handover SGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set authorized-sgsns {string}   Authorized SGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set invalid-sgsns-to-log {string}   Invalid SGSN group to be logged size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set authorized-ggsns {string}   Authorized GGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        config apn
            edit {id}
            # APN.
                set id {integer}   ID. range[0-4294967295]
                config apnmember
                    edit {name}
                    # APN member.
                        set name {string}   APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name
                    next
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
                set selection-mode {ms | net | vrf}   APN selection mode.
                        ms   Mobile Station provided APN.
                        net  Network provided APN.
                        vrf  Subscription verified.
            next
        config imsi
            edit {id}
            # IMSI.
                set id {integer}   ID. range[0-4294967295]
                set mcc-mnc {string}   MCC MNC. size[15]
                set msisdn-prefix {string}   MSISDN prefix. size[15]
                config apnmember
                    edit {name}
                    # APN member.
                        set name {string}   APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name
                    next
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
                set selection-mode {ms | net | vrf}   APN selection mode.
                        ms   Mobile Station provided APN.
                        net  Network provided APN.
                        vrf  Subscription verified.
            next
        config policy
            edit {id}
            # Policy.
                set id {integer}   ID. range[0-4294967295]
                config apnmember
                    edit {name}
                    # APN member.
                        set name {string}   APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name
                    next
                set messages {create-req | create-res | update-req | update-res}   GTP messages.
                        create-req  Create PDP context request.
                        create-res  Create PDP context response.
                        update-req  Update PDP context request.
                        update-res  Update PDP context response.
                set apn-sel-mode {ms | net | vrf}   APN selection mode.
                        ms   Mobile Station provided APN.
                        net  Network provided APN.
                        vrf  Subscription verified.
                set max-apn-restriction {option}   Maximum APN restriction value.
                        all        All.
                        public-1   Public-1.
                        public-2   Public-2.
                        private-1  Private-1.
                        private-2  Private-2.
                set imsi {string}   IMSI prefix. size[15]
                set msisdn {string}   MSISDN prefix. size[15]
                set rat-type {option}   RAT Type.
                        any    Any RAT.
                        utran  UTRAN.
                        geran  GERAN.
                        wlan   WLAN.
                        gan    GAN.
                        hspa   HSPA.
                set rai {string}   RAI pattern. size[40]
                set uli {string}   ULI pattern. size[40]
                set imei {string}   IMEI(SV) pattern. size[40]
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
            next
        set addr-notify {ipv4 address any}   overbilling notify address
        set port-notify {integer}   overbilling notify port range[0-65535]
        set interface-notify {string}   overbilling interface size[15] - datasource(s): system.interface.name
        set context-id {integer}   Overbilling context. range[0-4294967295]
        config ie-remove-policy
            edit {id}
            # IE remove policy.
                set id {integer}   ID. range[0-4294967295]
                set sgsn-addr {string}   SGSN address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set remove-ies {option}   GTP IEs to be removed.
                        apn-restriction  APN Restriction.
                        rat-type         RAT Type.
                        rai              RAI.
                        uli              ULI.
                        imei             IMEI.
            next
        config ip-policy
            edit {id}
            # IP policy.
                set id {integer}   ID. range[0-4294967295]
                set srcaddr {string}   Source address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set dstaddr {string}   Destination address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
            next
        config noip-policy
            edit {id}
            # No IP policy.
                set id {integer}   ID. range[0-4294967295]
                set type {etsi | ietf}   Protocol field type.
                        etsi  ESTI.
                        ietf  IETF.
                set start {integer}   Start of protocol range (0 - 255). range[0-255]
                set end {integer}   End of protocol range (0 - 255). range[0-255]
                set action {allow | deny}   Action.
                        allow  Allow setting.
                        deny   Deny setting.
            next
        set message-filter-v0v1 {string}   Message filter. size[63] - datasource(s): gtp.message-filter-v0v1.name
        set message-filter-v2 {string}   Message filter. size[63] - datasource(s): gtp.message-filter-v2.name
        set ie-white-list-v0v1 {string}   IE white list. size[63] - datasource(s): gtp.ie-white-list.name
        set ie-white-list-v2 {string}   IE white list. size[63] - datasource(s): gtp.ie-white-list.name
        config ie-validation
            set imsi {enable | disable}   Validate IMSI.
            set rai {enable | disable}   Validate RAI.
            set reordering-required {enable | disable}   Validate re-ordering required.
            set ms-validated {enable | disable}   Validate MS validated.
            set selection-mode {enable | disable}   Validate selection mode.
            set nsapi {enable | disable}   Validate NSAPI.
            set charging-ID {enable | disable}   Validate charging ID.
            set end-user-addr {enable | disable}   Validate end user address.
            set mm-context {enable | disable}   Validate MM context.
            set pdp-context {enable | disable}   Validate PDP context.
            set gsn-addr {enable | disable}   Validate GSN address.
            set msisdn {enable | disable}   Validate MSISDN.
            set qos-profile {enable | disable}   Validate Quality of Service(QoS) profile.
            set apn-restriction {enable | disable}   Validate APN restriction.
            set rat-type {enable | disable}   Validate RAT type.
            set uli {enable | disable}   Validate user location information.
            set ms-tzone {enable | disable}   Validate MS time zone.
            set imei {enable | disable}   Validate IMEI(SV).
            set charging-gateway-addr {enable | disable}   Validate charging gateway address.
        config message-rate-limit
            set echo-request {integer}   Rate limit for echo requests (packets per second). range[0-4294967295]
            set echo-reponse {integer}   Rate limit for echo response (packets per second). range[0-4294967295]
            set version-not-support {integer}   Rate limit for version not supported (packets per second). range[0-4294967295]
            set create-pdp-request {integer}   Rate limit for create PDP context request (packets per second). range[0-4294967295]
            set create-pdp-response {integer}   Rate limit for create PDP context response (packets per second). range[0-4294967295]
            set update-pdp-request {integer}   Rate limit for update PDP context request (packets per second). range[0-4294967295]
            set update-pdp-response {integer}   Rate limit for update PDP context response (packets per second). range[0-4294967295]
            set delete-pdp-request {integer}   Rate limit for delete PDP context request (packets per second). range[0-4294967295]
            set delete-pdp-response {integer}   Rate limit for delete PDP context response (packets per second). range[0-4294967295]
            set create-aa-pdp-request {integer}   Rate limit for create AA PDP context request (packets per second). range[0-4294967295]
            set create-aa-pdp-response {integer}   Rate limit for create AA PDP context response (packets per second). range[0-4294967295]
            set delete-aa-pdp-request {integer}   Rate limit for delete AA PDP context request (packets per second). range[0-4294967295]
            set delete-aa-pdp-response {integer}   Rate limit for delete AA PDP context response (packets per second). range[0-4294967295]
            set error-indication {integer}   Rate limit for error indication (packets per second). range[0-4294967295]
            set pdu-notify-request {integer}   Rate limit for PDU notify request (packets per second). range[0-4294967295]
            set pdu-notify-response {integer}   Rate limit for PDU notify response (packets per second). range[0-4294967295]
            set pdu-notify-rej-request {integer}   Rate limit for PDU notify reject request (packets per second). range[0-4294967295]
            set pdu-notify-rej-response {integer}   Rate limit for PDU notify reject response (packets per second). range[0-4294967295]
            set support-ext-hdr-notify {integer}   Rate limit for support extension headers notification (packets per second). range[0-4294967295]
            set send-route-request {integer}   Rate limit for send routing information for GPRS request (packets per second). range[0-4294967295]
            set send-route-response {integer}   Rate limit for send routing information for GPRS response (packets per second). range[0-4294967295]
            set failure-report-request {integer}   Rate limit for failure report request (packets per second). range[0-4294967295]
            set failure-report-response {integer}   Rate limit for failure report response (packets per second). range[0-4294967295]
            set note-ms-request {integer}   Rate limit for note MS GPRS present request (packets per second). range[0-4294967295]
            set note-ms-response {integer}   Rate limit for note MS GPRS present response (packets per second). range[0-4294967295]
            set identification-request {integer}   Rate limit for identification request (packets per second). range[0-4294967295]
            set identification-response {integer}   Rate limit for identification response (packets per second). range[0-4294967295]
            set sgsn-context-request {integer}   Rate limit for SGSN context request (packets per second). range[0-4294967295]
            set sgsn-context-response {integer}   Rate limit for SGSN context response (packets per second). range[0-4294967295]
            set sgsn-context-ack {integer}   Rate limit for SGSN context acknowledgement (packets per second). range[0-4294967295]
            set fwd-relocation-request {integer}   Rate limit for forward relocation request (packets per second). range[0-4294967295]
            set fwd-relocation-response {integer}   Rate limit for forward relocation response (packets per second). range[0-4294967295]
            set fwd-relocation-complete {integer}   Rate limit for forward relocation complete (packets per second). range[0-4294967295]
            set relocation-cancel-request {integer}   Rate limit for relocation cancel request (packets per second). range[0-4294967295]
            set relocation-cancel-response {integer}   Rate limit for relocation cancel response (packets per second). range[0-4294967295]
            set fwd-srns-context {integer}   Rate limit for forward SRNS context (packets per second). range[0-4294967295]
            set fwd-reloc-complete-ack {integer}   Rate limit for forward relocation complete acknowledge (packets per second). range[0-4294967295]
            set fwd-srns-context-ack {integer}   Rate limit for forward SRNS context acknowledge (packets per second). range[0-4294967295]
            set ran-info {integer}   Rate limit for RAN information relay (packets per second). range[0-4294967295]
            set mbms-notify-request {integer}   Rate limit for MBMS notification request (packets per second). range[0-4294967295]
            set mbms-notify-response {integer}   Rate limit for MBMS notification response (packets per second). range[0-4294967295]
            set mbms-notify-rej-request {integer}   Rate limit for MBMS notification reject request (packets per second). range[0-4294967295]
            set mbms-notify-rej-response {integer}   Rate limit for MBMS notification reject response (packets per second). range[0-4294967295]
            set create-mbms-request {integer}   Rate limit for create MBMS context request (packets per second). range[0-4294967295]
            set create-mbms-response {integer}   Rate limit for create MBMS context response (packets per second). range[0-4294967295]
            set update-mbms-request {integer}   Rate limit for update MBMS context request (packets per second). range[0-4294967295]
            set update-mbms-response {integer}   Rate limit for update MBMS context response (packets per second). range[0-4294967295]
            set delete-mbms-request {integer}   Rate limit for delete MBMS context request (packets per second). range[0-4294967295]
            set delete-mbms-response {integer}   Rate limit for delete MBMS context response (packets per second). range[0-4294967295]
            set mbms-reg-request {integer}   Rate limit for MBMS registration request (packets per second). range[0-4294967295]
            set mbms-reg-response {integer}   Rate limit for MBMS registration response (packets per second). range[0-4294967295]
            set mbms-de-reg-request {integer}   Rate limit for MBMS de-registration request (packets per second). range[0-4294967295]
            set mbms-de-reg-response {integer}   Rate limit for MBMS de-registration response (packets per second). range[0-4294967295]
            set mbms-ses-start-request {integer}   Rate limit for MBMS session start request (packets per second). range[0-4294967295]
            set mbms-ses-start-response {integer}   Rate limit for MBMS session start response (packets per second). range[0-4294967295]
            set mbms-ses-stop-request {integer}   Rate limit for MBMS session stop request (packets per second). range[0-4294967295]
            set mbms-ses-stop-response {integer}   Rate limit for MBMS session stop response (packets per second). range[0-4294967295]
            set g-pdu {integer}   Rate limit for G-PDU (packets per second). range[0-4294967295]
        set rate-limit-mode {per-profile | per-stream | per-apn}   GTP rate limit mode.
                per-profile  Per-profile rate limiting.
                per-stream   Per-stream rate limiting.
                per-apn      Per-APN rate limiting.
        set warning-threshold {integer}   Warning threshold for rate limiting (0 - 99 percent). range[0-99]
        config message-rate-limit-v0
            set echo-request {integer}   Rate limit (packets/s) for echo request. range[0-4294967295]
            set create-pdp-request {integer}   Rate limit (packets/s) for create PDP context request. range[0-4294967295]
            set delete-pdp-request {integer}   Rate limit (packets/s) for delete PDP context request. range[0-4294967295]
        config message-rate-limit-v1
            set echo-request {integer}   Rate limit (packets/s) for echo request. range[0-4294967295]
            set create-pdp-request {integer}   Rate limit (packets/s) for create PDP context request. range[0-4294967295]
            set delete-pdp-request {integer}   Rate limit (packets/s) for delete PDP context request. range[0-4294967295]
        config message-rate-limit-v2
            set echo-request {integer}   Rate limit (packets/s) for echo request. range[0-4294967295]
            set create-session-request {integer}   Rate limit (packets/s) for create session request. range[0-4294967295]
            set delete-session-request {integer}   Rate limit (packets/s) for delete session request. range[0-4294967295]
        config per-apn-shaper
            edit {id}
            # Per APN shaper.
                set id {integer}   ID. range[0-4294967295]
                set apn {string}   APN name. size[63] - datasource(s): gtp.apn.name
                set version {integer}   GTP version number: 0 or 1. range[0-1]
                set rate-limit {integer}   Rate limit (packets/s) for create PDP context request. range[0-1000000]
            next
    next
end