firewall gtp
Use this FortiOS Carrier command to configure firewall GTP options.
config firewall gtp edit {name} # Configure GTP. set name {string} Profile name. size[63] set comment {string} Comment. size[255] set remove-if-echo-expires {enable | disable} remove if echo response expires set remove-if-recovery-differ {enable | disable} remove upon different Recovery IE set send-delete-when-timeout {enable | disable} send DELETE request to path endpoints when GTPv0/v1 tunnel timeout. set send-delete-when-timeout-v2 {enable | disable} send DELETE request to path endpoints when GTPv2 tunnel timeout. set gtp-in-gtp {allow | deny} gtp in gtp allow Allow setting. deny Deny setting. set unknown-version-action {allow | deny} action for unknown gtp version allow Allow setting. deny Deny setting. set min-message-length {integer} min message length range[0-4294967295] set max-message-length {integer} max message length range[0-4294967295] set control-plane-message-rate-limit {integer} control plane message rate limit range[0-4294967295] set rate-sampling-interval {integer} rate sampling interval (1-3600 seconds) range[1-3600] set echo-request-interval {integer} echo request interval (in seconds) range[0-4294967295] set user-plane-message-rate-limit {integer} user plane message rate limit range[0-4294967295] set tunnel-limit {integer} tunnel limit range[0-4294967295] set global-tunnel-limit {string} Global tunnel limit. size[63] - datasource(s): gtp.tunnel-limit.name set tunnel-timeout {integer} Established tunnel timeout (in seconds). range[0-4294967295] set half-open-timeout {integer} Half-open tunnel timeout (in seconds). range[1-300] set half-close-timeout {integer} Half-close tunnel timeout (in seconds). range[1-30] set default-apn-action {allow | deny} default apn action allow Allow setting. deny Deny setting. set default-imsi-action {allow | deny} default imsi action allow Allow setting. deny Deny setting. set default-policy-action {allow | deny} default advanced policy action allow Allow setting. deny Deny setting. set default-ip-action {allow | deny} default action for encapsulated IP traffic allow Allow setting. deny Deny setting. set default-noip-action {allow | deny} default action for encapsulated non-IP traffic allow Allow setting. deny Deny setting. set apn-filter {enable | disable} apn filter set imsi-filter {enable | disable} imsi filter set policy-filter {enable | disable} Advanced policy filter set ie-remover {enable | disable} IE removal policy. set ip-filter {enable | disable} IP filter for encapsulted traffic set noip-filter {enable | disable} non-IP filter for encapsulted traffic set monitor-mode {enable | disable} GTP monitor mode set forwarded-log {enable | disable} log forwarded set denied-log {enable | disable} log denied set rate-limited-log {enable | disable} log rate limited set state-invalid-log {enable | disable} log state invalid set tunnel-limit-log {enable | disable} tunnel limit set extension-log {enable | disable} log in extension format set traffic-count-log {enable | disable} log tunnel traffic counter set log-freq {integer} Logging of frequency of GTP-C packets. range[0-4294967295] set gtpu-forwarded-log {enable | disable} Enable/disable logging of forwarded GTP-U packets. set gtpu-denied-log {enable | disable} Enable/disable logging of denied GTP-U packets. set gtpu-log-freq {integer} Logging of frequency of GTP-U packets. range[0-4294967295] set log-gtpu-limit {integer} the user data log limit (0-512 bytes) range[0-512] set log-imsi-prefix {string} IMSI prefix for selective logging. size[15] set log-msisdn-prefix {string} the msisdn prefix for selective logging size[15] set invalid-reserved-field {allow | deny} Invalid reserved field in GTP header allow Allow setting. deny Deny setting. set reserved-ie {allow | deny} reserved information element allow Allow setting. deny Deny setting. set miss-must-ie {allow | deny} Missing mandatory information element allow Allow setting. deny Deny setting. set out-of-state-message {allow | deny} Out of state GTP message allow Allow setting. deny Deny setting. set out-of-state-ie {allow | deny} Out of state information element. allow Allow setting. deny Deny setting. set spoof-src-addr {allow | deny} Spoofed source address for Mobile Station. allow Allow setting. deny Deny setting. set handover-group {string} Handover SGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set authorized-sgsns {string} Authorized SGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set invalid-sgsns-to-log {string} Invalid SGSN group to be logged size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set authorized-ggsns {string} Authorized GGSN group size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name config apn edit {id} # APN. set id {integer} ID. range[0-4294967295] config apnmember edit {name} # APN member. set name {string} APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name next set action {allow | deny} Action. allow Allow setting. deny Deny setting. set selection-mode {ms | net | vrf} APN selection mode. ms Mobile Station provided APN. net Network provided APN. vrf Subscription verified. next config imsi edit {id} # IMSI. set id {integer} ID. range[0-4294967295] set mcc-mnc {string} MCC MNC. size[15] set msisdn-prefix {string} MSISDN prefix. size[15] config apnmember edit {name} # APN member. set name {string} APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name next set action {allow | deny} Action. allow Allow setting. deny Deny setting. set selection-mode {ms | net | vrf} APN selection mode. ms Mobile Station provided APN. net Network provided APN. vrf Subscription verified. next config policy edit {id} # Policy. set id {integer} ID. range[0-4294967295] config apnmember edit {name} # APN member. set name {string} APN name. size[64] - datasource(s): gtp.apn.name,gtp.apngrp.name next set messages {create-req | create-res | update-req | update-res} GTP messages. create-req Create PDP context request. create-res Create PDP context response. update-req Update PDP context request. update-res Update PDP context response. set apn-sel-mode {ms | net | vrf} APN selection mode. ms Mobile Station provided APN. net Network provided APN. vrf Subscription verified. set max-apn-restriction {option} Maximum APN restriction value. all All. public-1 Public-1. public-2 Public-2. private-1 Private-1. private-2 Private-2. set imsi {string} IMSI prefix. size[15] set msisdn {string} MSISDN prefix. size[15] set rat-type {option} RAT Type. any Any RAT. utran UTRAN. geran GERAN. wlan WLAN. gan GAN. hspa HSPA. set rai {string} RAI pattern. size[40] set uli {string} ULI pattern. size[40] set imei {string} IMEI(SV) pattern. size[40] set action {allow | deny} Action. allow Allow setting. deny Deny setting. next set addr-notify {ipv4 address any} overbilling notify address set port-notify {integer} overbilling notify port range[0-65535] set interface-notify {string} overbilling interface size[15] - datasource(s): system.interface.name set context-id {integer} Overbilling context. range[0-4294967295] config ie-remove-policy edit {id} # IE remove policy. set id {integer} ID. range[0-4294967295] set sgsn-addr {string} SGSN address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set remove-ies {option} GTP IEs to be removed. apn-restriction APN Restriction. rat-type RAT Type. rai RAI. uli ULI. imei IMEI. next config ip-policy edit {id} # IP policy. set id {integer} ID. range[0-4294967295] set srcaddr {string} Source address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set dstaddr {string} Destination address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set action {allow | deny} Action. allow Allow setting. deny Deny setting. next config noip-policy edit {id} # No IP policy. set id {integer} ID. range[0-4294967295] set type {etsi | ietf} Protocol field type. etsi ESTI. ietf IETF. set start {integer} Start of protocol range (0 - 255). range[0-255] set end {integer} End of protocol range (0 - 255). range[0-255] set action {allow | deny} Action. allow Allow setting. deny Deny setting. next set message-filter-v0v1 {string} Message filter. size[63] - datasource(s): gtp.message-filter-v0v1.name set message-filter-v2 {string} Message filter. size[63] - datasource(s): gtp.message-filter-v2.name set ie-white-list-v0v1 {string} IE white list. size[63] - datasource(s): gtp.ie-white-list.name set ie-white-list-v2 {string} IE white list. size[63] - datasource(s): gtp.ie-white-list.name config ie-validation set imsi {enable | disable} Validate IMSI. set rai {enable | disable} Validate RAI. set reordering-required {enable | disable} Validate re-ordering required. set ms-validated {enable | disable} Validate MS validated. set selection-mode {enable | disable} Validate selection mode. set nsapi {enable | disable} Validate NSAPI. set charging-ID {enable | disable} Validate charging ID. set end-user-addr {enable | disable} Validate end user address. set mm-context {enable | disable} Validate MM context. set pdp-context {enable | disable} Validate PDP context. set gsn-addr {enable | disable} Validate GSN address. set msisdn {enable | disable} Validate MSISDN. set qos-profile {enable | disable} Validate Quality of Service(QoS) profile. set apn-restriction {enable | disable} Validate APN restriction. set rat-type {enable | disable} Validate RAT type. set uli {enable | disable} Validate user location information. set ms-tzone {enable | disable} Validate MS time zone. set imei {enable | disable} Validate IMEI(SV). set charging-gateway-addr {enable | disable} Validate charging gateway address. config message-rate-limit set echo-request {integer} Rate limit for echo requests (packets per second). range[0-4294967295] set echo-reponse {integer} Rate limit for echo response (packets per second). range[0-4294967295] set version-not-support {integer} Rate limit for version not supported (packets per second). range[0-4294967295] set create-pdp-request {integer} Rate limit for create PDP context request (packets per second). range[0-4294967295] set create-pdp-response {integer} Rate limit for create PDP context response (packets per second). range[0-4294967295] set update-pdp-request {integer} Rate limit for update PDP context request (packets per second). range[0-4294967295] set update-pdp-response {integer} Rate limit for update PDP context response (packets per second). range[0-4294967295] set delete-pdp-request {integer} Rate limit for delete PDP context request (packets per second). range[0-4294967295] set delete-pdp-response {integer} Rate limit for delete PDP context response (packets per second). range[0-4294967295] set create-aa-pdp-request {integer} Rate limit for create AA PDP context request (packets per second). range[0-4294967295] set create-aa-pdp-response {integer} Rate limit for create AA PDP context response (packets per second). range[0-4294967295] set delete-aa-pdp-request {integer} Rate limit for delete AA PDP context request (packets per second). range[0-4294967295] set delete-aa-pdp-response {integer} Rate limit for delete AA PDP context response (packets per second). range[0-4294967295] set error-indication {integer} Rate limit for error indication (packets per second). range[0-4294967295] set pdu-notify-request {integer} Rate limit for PDU notify request (packets per second). range[0-4294967295] set pdu-notify-response {integer} Rate limit for PDU notify response (packets per second). range[0-4294967295] set pdu-notify-rej-request {integer} Rate limit for PDU notify reject request (packets per second). range[0-4294967295] set pdu-notify-rej-response {integer} Rate limit for PDU notify reject response (packets per second). range[0-4294967295] set support-ext-hdr-notify {integer} Rate limit for support extension headers notification (packets per second). range[0-4294967295] set send-route-request {integer} Rate limit for send routing information for GPRS request (packets per second). range[0-4294967295] set send-route-response {integer} Rate limit for send routing information for GPRS response (packets per second). range[0-4294967295] set failure-report-request {integer} Rate limit for failure report request (packets per second). range[0-4294967295] set failure-report-response {integer} Rate limit for failure report response (packets per second). range[0-4294967295] set note-ms-request {integer} Rate limit for note MS GPRS present request (packets per second). range[0-4294967295] set note-ms-response {integer} Rate limit for note MS GPRS present response (packets per second). range[0-4294967295] set identification-request {integer} Rate limit for identification request (packets per second). range[0-4294967295] set identification-response {integer} Rate limit for identification response (packets per second). range[0-4294967295] set sgsn-context-request {integer} Rate limit for SGSN context request (packets per second). range[0-4294967295] set sgsn-context-response {integer} Rate limit for SGSN context response (packets per second). range[0-4294967295] set sgsn-context-ack {integer} Rate limit for SGSN context acknowledgement (packets per second). range[0-4294967295] set fwd-relocation-request {integer} Rate limit for forward relocation request (packets per second). range[0-4294967295] set fwd-relocation-response {integer} Rate limit for forward relocation response (packets per second). range[0-4294967295] set fwd-relocation-complete {integer} Rate limit for forward relocation complete (packets per second). range[0-4294967295] set relocation-cancel-request {integer} Rate limit for relocation cancel request (packets per second). range[0-4294967295] set relocation-cancel-response {integer} Rate limit for relocation cancel response (packets per second). range[0-4294967295] set fwd-srns-context {integer} Rate limit for forward SRNS context (packets per second). range[0-4294967295] set fwd-reloc-complete-ack {integer} Rate limit for forward relocation complete acknowledge (packets per second). range[0-4294967295] set fwd-srns-context-ack {integer} Rate limit for forward SRNS context acknowledge (packets per second). range[0-4294967295] set ran-info {integer} Rate limit for RAN information relay (packets per second). range[0-4294967295] set mbms-notify-request {integer} Rate limit for MBMS notification request (packets per second). range[0-4294967295] set mbms-notify-response {integer} Rate limit for MBMS notification response (packets per second). range[0-4294967295] set mbms-notify-rej-request {integer} Rate limit for MBMS notification reject request (packets per second). range[0-4294967295] set mbms-notify-rej-response {integer} Rate limit for MBMS notification reject response (packets per second). range[0-4294967295] set create-mbms-request {integer} Rate limit for create MBMS context request (packets per second). range[0-4294967295] set create-mbms-response {integer} Rate limit for create MBMS context response (packets per second). range[0-4294967295] set update-mbms-request {integer} Rate limit for update MBMS context request (packets per second). range[0-4294967295] set update-mbms-response {integer} Rate limit for update MBMS context response (packets per second). range[0-4294967295] set delete-mbms-request {integer} Rate limit for delete MBMS context request (packets per second). range[0-4294967295] set delete-mbms-response {integer} Rate limit for delete MBMS context response (packets per second). range[0-4294967295] set mbms-reg-request {integer} Rate limit for MBMS registration request (packets per second). range[0-4294967295] set mbms-reg-response {integer} Rate limit for MBMS registration response (packets per second). range[0-4294967295] set mbms-de-reg-request {integer} Rate limit for MBMS de-registration request (packets per second). range[0-4294967295] set mbms-de-reg-response {integer} Rate limit for MBMS de-registration response (packets per second). range[0-4294967295] set mbms-ses-start-request {integer} Rate limit for MBMS session start request (packets per second). range[0-4294967295] set mbms-ses-start-response {integer} Rate limit for MBMS session start response (packets per second). range[0-4294967295] set mbms-ses-stop-request {integer} Rate limit for MBMS session stop request (packets per second). range[0-4294967295] set mbms-ses-stop-response {integer} Rate limit for MBMS session stop response (packets per second). range[0-4294967295] set g-pdu {integer} Rate limit for G-PDU (packets per second). range[0-4294967295] set rate-limit-mode {per-profile | per-stream | per-apn} GTP rate limit mode. per-profile Per-profile rate limiting. per-stream Per-stream rate limiting. per-apn Per-APN rate limiting. set warning-threshold {integer} Warning threshold for rate limiting (0 - 99 percent). range[0-99] config message-rate-limit-v0 set echo-request {integer} Rate limit (packets/s) for echo request. range[0-4294967295] set create-pdp-request {integer} Rate limit (packets/s) for create PDP context request. range[0-4294967295] set delete-pdp-request {integer} Rate limit (packets/s) for delete PDP context request. range[0-4294967295] config message-rate-limit-v1 set echo-request {integer} Rate limit (packets/s) for echo request. range[0-4294967295] set create-pdp-request {integer} Rate limit (packets/s) for create PDP context request. range[0-4294967295] set delete-pdp-request {integer} Rate limit (packets/s) for delete PDP context request. range[0-4294967295] config message-rate-limit-v2 set echo-request {integer} Rate limit (packets/s) for echo request. range[0-4294967295] set create-session-request {integer} Rate limit (packets/s) for create session request. range[0-4294967295] set delete-session-request {integer} Rate limit (packets/s) for delete session request. range[0-4294967295] config per-apn-shaper edit {id} # Per APN shaper. set id {integer} ID. range[0-4294967295] set apn {string} APN name. size[63] - datasource(s): gtp.apn.name set version {integer} GTP version number: 0 or 1. range[0-1] set rate-limit {integer} Rate limit (packets/s) for create PDP context request. range[0-1000000] next next end