Fortinet black logo

Handbook

Advanced filtering options

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:85936
Download PDF

The FortiOS Carrier firewall supports advanced filtering against the attributes RAT, RAI, ULI, APN restriction, and IMEI-SV in GTP to block specific harmful GPRS traffic and GPRS roaming traffic. The following table shows some of the GTP context requests and responses that the firewall supports.

Attributes supported by FortiCarrier firewalls
GTP Create PDP Context Request GTP Create PDP Context Response GTP Update PDP Context Request GTP Update PDP
Context Response
APN yes yes -
APN Restriction yes - - yes
IMEI-SV yes - - -
IMSI yes - yes -
RAI yes - yes -
RAT yes - yes -
ULI yes - yes -

When editing a GTP profile, select Advanced Filtering > Create New to create and add a rule. When the rule matches traffic it will either allow or deny that traffic as selected in the rule.

Advanced Filtering
Enable Select to enable advanced filtering.
Default Action Select the default action for advanced filtering. If you select Allow, all sessions are allowed except those blocked by individual advanced filters. If you select Deny, all sessions are blocked except those allowed by individual advanced filters.
Messages The messages, for example, Create PDP Context Request.
APN Restriction The APN restriction.
RAT Type The RAT types associated with that filter.
ULI The ULI pattern.
RAI The RAI pattern.
IMEI The IMEI pattern.
Action The action that will be taken.
Edit Modifies the filter’s settings. When you select Edit, the Edit window appears, which allows you to modify the filter’s settings.
Delete Removes a filter from the list.
Add Adds a filter to the list. When you select Add, the New window appears, which allows you to configure settings for messages, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI patterns as well as the type of action.
New Filtering page
Messages The PDP content messages this profile will match.
Create PDP
Context Request
Select to allow create PDP context requests.
Create PDP
Context Response
Select to allow create PDP context responses.
Update PDP
Context Request
Select to allow update PDP context requests.

Update PDP
Context Response

Select to allow update PDP context responses.
APN Enter the APN.
APN Mode Select an APN mode as one or more of

• Mobile Station provided
• Network provided
• Subscription provided

This field is only available when an APN has been entered.
Mobile Station provided MS-provided PAN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network.
Network provided Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did no verify the user’s subscription to the network.
Subscription verified MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.
APN Restriction Select the type of restriction that you want. You can choose all of the types, or one of the types. You cannot choose multiple types. Types include:

• all
• Public-1
• Public-2
• Private-1
• Private-2
IMSI Enter the IMSI.
MSISDN Enter the MSISDN.
RAT Type Optionally select the RAT type as any combination of the following:

• Any
• UTRAN
• GERAN
• Wifi
• GAN
• HSPA

Some RAT types are GTPv1 specific.
ULI pattern Enter the ULI pattern.
RAI pattern Enter the RAI pattern.
IMEI pattern Enter the IMEI pattern.
Action Select either Allow or Deny.

Adding an advanced filtering rule

When adding a rule, use the following formats:

  • Prefix, for example, range 31* for MCC matches MCC from 310 to 319.
  • Range, for example, range 310-319 for MCC matches MCC from 310 to 319.
  • Mobile Country Code (MCC) consists of three digits. The MCC identifies the country of domicile of the mobile subscriber.
  • Mobile Network Code (MNC) consists of two or three digits for GSM/UMTS applications. The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or three digits) depends on the value of the MCC. Best practices dictate not to mix two and three digit MNC codes within a single MCC area.
  • Location Area Code (LAC) is a fixed length code (of 2 octets) identifying a location area within a PLMN. This part of the location area identification can be coded using a full hexadecimal representation except for the following reserved hexadecimal values: 0000 and FFFE. These reserved values are used in some special cases when no valid LAI exists in the MS (see 3GPP TS 24.008, 3GPP TS 31.102 and 3GPP TS 51.011).
  • Routing Area Code (RAC) of a fixed length code (of 1 octet) identifies a routing area within a location.
  • CI or SAC of a fixed length of 2 octets can be coded using a full hexadecimal expression.
  • Type Allocation Code (TAC) has a length of 8 digits.
  • Serial Number (SNR) is an individual serial number identifying each equipment within each TAC. SNR has a length of 6 digits.
  • Software Version Number (SVN) identifies the software version number of the mobile equipment. SVN has a length of 2 digits.
note icon You cannot add an advanced filtering rule when creating a new profile. You must add it after the profile has been created and you are editing the profile.

The FortiOS Carrier firewall supports advanced filtering against the attributes RAT, RAI, ULI, APN restriction, and IMEI-SV in GTP to block specific harmful GPRS traffic and GPRS roaming traffic. The following table shows some of the GTP context requests and responses that the firewall supports.

Attributes supported by FortiCarrier firewalls
GTP Create PDP Context Request GTP Create PDP Context Response GTP Update PDP Context Request GTP Update PDP
Context Response
APN yes yes -
APN Restriction yes - - yes
IMEI-SV yes - - -
IMSI yes - yes -
RAI yes - yes -
RAT yes - yes -
ULI yes - yes -

When editing a GTP profile, select Advanced Filtering > Create New to create and add a rule. When the rule matches traffic it will either allow or deny that traffic as selected in the rule.

Advanced Filtering
Enable Select to enable advanced filtering.
Default Action Select the default action for advanced filtering. If you select Allow, all sessions are allowed except those blocked by individual advanced filters. If you select Deny, all sessions are blocked except those allowed by individual advanced filters.
Messages The messages, for example, Create PDP Context Request.
APN Restriction The APN restriction.
RAT Type The RAT types associated with that filter.
ULI The ULI pattern.
RAI The RAI pattern.
IMEI The IMEI pattern.
Action The action that will be taken.
Edit Modifies the filter’s settings. When you select Edit, the Edit window appears, which allows you to modify the filter’s settings.
Delete Removes a filter from the list.
Add Adds a filter to the list. When you select Add, the New window appears, which allows you to configure settings for messages, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI patterns as well as the type of action.
New Filtering page
Messages The PDP content messages this profile will match.
Create PDP
Context Request
Select to allow create PDP context requests.
Create PDP
Context Response
Select to allow create PDP context responses.
Update PDP
Context Request
Select to allow update PDP context requests.

Update PDP
Context Response

Select to allow update PDP context responses.
APN Enter the APN.
APN Mode Select an APN mode as one or more of

• Mobile Station provided
• Network provided
• Subscription provided

This field is only available when an APN has been entered.
Mobile Station provided MS-provided PAN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network.
Network provided Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did no verify the user’s subscription to the network.
Subscription verified MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.
APN Restriction Select the type of restriction that you want. You can choose all of the types, or one of the types. You cannot choose multiple types. Types include:

• all
• Public-1
• Public-2
• Private-1
• Private-2
IMSI Enter the IMSI.
MSISDN Enter the MSISDN.
RAT Type Optionally select the RAT type as any combination of the following:

• Any
• UTRAN
• GERAN
• Wifi
• GAN
• HSPA

Some RAT types are GTPv1 specific.
ULI pattern Enter the ULI pattern.
RAI pattern Enter the RAI pattern.
IMEI pattern Enter the IMEI pattern.
Action Select either Allow or Deny.

Adding an advanced filtering rule

When adding a rule, use the following formats:

  • Prefix, for example, range 31* for MCC matches MCC from 310 to 319.
  • Range, for example, range 310-319 for MCC matches MCC from 310 to 319.
  • Mobile Country Code (MCC) consists of three digits. The MCC identifies the country of domicile of the mobile subscriber.
  • Mobile Network Code (MNC) consists of two or three digits for GSM/UMTS applications. The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or three digits) depends on the value of the MCC. Best practices dictate not to mix two and three digit MNC codes within a single MCC area.
  • Location Area Code (LAC) is a fixed length code (of 2 octets) identifying a location area within a PLMN. This part of the location area identification can be coded using a full hexadecimal representation except for the following reserved hexadecimal values: 0000 and FFFE. These reserved values are used in some special cases when no valid LAI exists in the MS (see 3GPP TS 24.008, 3GPP TS 31.102 and 3GPP TS 51.011).
  • Routing Area Code (RAC) of a fixed length code (of 1 octet) identifies a routing area within a location.
  • CI or SAC of a fixed length of 2 octets can be coded using a full hexadecimal expression.
  • Type Allocation Code (TAC) has a length of 8 digits.
  • Serial Number (SNR) is an individual serial number identifying each equipment within each TAC. SNR has a length of 6 digits.
  • Software Version Number (SVN) identifies the software version number of the mobile equipment. SVN has a length of 2 digits.
note icon You cannot add an advanced filtering rule when creating a new profile. You must add it after the profile has been created and you are editing the profile.