Advanced filtering options
The FortiOS Carrier firewall supports advanced filtering against the attributes RAT, RAI, ULI, APN restriction, and IMEI-SV in GTP to block specific harmful GPRS traffic and GPRS roaming traffic. The following table shows some of the GTP context requests and responses that the firewall supports.
Attributes supported by FortiCarrier firewalls
GTP Create PDP Context Request | GTP Create PDP Context Response | GTP Update PDP Context Request | GTP Update PDP Context Response |
|
---|---|---|---|---|
APN | yes | yes | - | |
APN Restriction | yes | - | - | yes |
IMEI-SV | yes | - | - | - |
IMSI | yes | - | yes | - |
RAI | yes | - | yes | - |
RAT | yes | - | yes | - |
ULI | yes | - | yes | - |
When editing a GTP profile, select Advanced Filtering > Create New to create and add a rule. When the rule matches traffic it will either allow or deny that traffic as selected in the rule.
Advanced Filtering | ||
Enable | Select to enable advanced filtering. | |
Default Action | Select the default action for advanced filtering. If you select Allow, all sessions are allowed except those blocked by individual advanced filters. If you select Deny, all sessions are blocked except those allowed by individual advanced filters. | |
Messages | The messages, for example, Create PDP Context Request. | |
APN Restriction | The APN restriction. | |
RAT Type | The RAT types associated with that filter. | |
ULI | The ULI pattern. | |
RAI | The RAI pattern. | |
IMEI | The IMEI pattern. | |
Action | The action that will be taken. | |
Edit | Modifies the filter’s settings. When you select Edit, the Edit window appears, which allows you to modify the filter’s settings. | |
Delete | Removes a filter from the list. | |
Add | Adds a filter to the list. When you select Add, the New window appears, which allows you to configure settings for messages, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI patterns as well as the type of action. | |
New Filtering page | ||
Messages | The PDP content messages this profile will match. | |
Create PDP Context Request |
Select to allow create PDP context requests. | |
Create PDP Context Response |
Select to allow create PDP context responses. | |
Update PDP Context Request |
Select to allow update PDP context requests. | |
Update PDP |
Select to allow update PDP context responses. | |
APN | Enter the APN. | |
APN Mode | Select an APN mode as one or more of • Mobile Station provided • Network provided • Subscription provided This field is only available when an APN has been entered. |
|
Mobile Station provided | MS-provided PAN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network. | |
Network provided | Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did no verify the user’s subscription to the network. | |
Subscription verified | MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network. | |
APN Restriction | Select the type of restriction that you want. You can choose all of the types, or one of the types. You cannot choose multiple types. Types include: • all • Public-1 • Public-2 • Private-1 • Private-2 |
|
IMSI | Enter the IMSI. | |
MSISDN | Enter the MSISDN. | |
RAT Type | Optionally select the RAT type as any combination of the following: • Any • UTRAN • GERAN • Wifi • GAN • HSPA Some RAT types are GTPv1 specific. |
|
ULI pattern | Enter the ULI pattern. | |
RAI pattern | Enter the RAI pattern. | |
IMEI pattern | Enter the IMEI pattern. | |
Action | Select either Allow or Deny. |
Adding an advanced filtering rule
When adding a rule, use the following formats:
- Prefix, for example, range 31* for MCC matches MCC from 310 to 319.
- Range, for example, range 310-319 for MCC matches MCC from 310 to 319.
- Mobile Country Code (MCC) consists of three digits. The MCC identifies the country of domicile of the mobile subscriber.
- Mobile Network Code (MNC) consists of two or three digits for GSM/UMTS applications. The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or three digits) depends on the value of the MCC. Best practices dictate not to mix two and three digit MNC codes within a single MCC area.
- Location Area Code (LAC) is a fixed length code (of 2 octets) identifying a location area within a PLMN. This part of the location area identification can be coded using a full hexadecimal representation except for the following reserved hexadecimal values: 0000 and FFFE. These reserved values are used in some special cases when no valid LAI exists in the MS (see 3GPP TS 24.008, 3GPP TS 31.102 and 3GPP TS 51.011).
- Routing Area Code (RAC) of a fixed length code (of 1 octet) identifies a routing area within a location.
- CI or SAC of a fixed length of 2 octets can be coded using a full hexadecimal expression.
- Type Allocation Code (TAC) has a length of 8 digits.
- Serial Number (SNR) is an individual serial number identifying each equipment within each TAC. SNR has a length of 6 digits.
- Software Version Number (SVN) identifies the software version number of the mobile equipment. SVN has a length of 2 digits.
You cannot add an advanced filtering rule when creating a new profile. You must add it after the profile has been created and you are editing the profile. |