Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    6.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    GTP in Asymmetric Routing

    GTP in Asymmetric Routing

    FortiOS 6.2.0 improves communication for FortiGates acting as a GPRS Tunneling Protocol (GTP) firewall that is deployed in asymmetric routing environments. Previously in asymmetric routing environments, the GTP-C reply might be processed before the GTP-C request was fully synchronized by FortiGate Session Life Support Protocol (FGSP), which resulted in dropped sessions. With FortiOS 6.2.0, communication is improved by adding a new set gtp-asym-fgsp command in system settings that allows two members in FGSP to synchronize the GTP-C message.

    Example

    FOC-A-171 and FOC-B-172 are two FGSP members.

    SGSN Simulator (10.1.100.60) generates a GTP-C request that is passed through FGT-175 to reach FGSP member FOC-A-171, but the response GTP-C from GGSN Simulator(172.16.200.61) is passed through FGT-176 to reach another FGSP member FOC-B-172. Previously in this asymmetric topology, FOC can't help establish the GTP tunnel between SGSN Simulator and GGSN Simulator.

    However with the set gtp-asym-fgsp command, two members in FGSP can synchronize the GTP-C message. In both FOC-A-171 and FOC-B-172, when the set gtp-asym-fgsp command is enabled, the SGSN Simulator can obtain the correct tunnel private IP address(192.168.0.2) and establish the GTP tunnel with GGSN Simulator.

    Check on the SGSN simulator:

    root@mmsclient:~# sgsnemu -c /root/openggsn-0.84/examples/fgt_sgsnemu.conf &

    [1] 5592

    root@mmsclient:~# cmdline_parser_configfile

    remote: 172.16.200.61

    listen: 10.1.100.60

    conf: /root/openggsn-0.84/examples/fgt_sgsnemu.conf

    debug: 1

    imsi: 310150123456789

    qos: 0x0b921f

    charging: 0x800

    apn: internet

    msisdn: 6044301297

    uid: mig

    pwd: hemmelig

    pidfile: ./sgsnemu.pid

    statedir: ./

    contexts: 1

    timelimit: 0

    createif: 1

    ipup: /etc/sgsnemu/ip-up

    ipdown: /etc/sgsnemu/ip-down

    defaultroute: 1

    pingrate: 1

    pingsize: 56

    pingcount: 0

    pingquiet: 0

    Using default DNS server

    Local IP address is: 10.1.100.60 (10.1.100.60)

    Remote IP address is: 172.16.200.61 (172.16.200.61)

    IMSI is: 310150123456789 (0xf987654321051013)

    Using NSAPI: 0

    Using GTP version: 1

    Using APN: internet

    Using selection mode: 1

    Using MSISDN: 6044301297

    Initialising GTP library

    openggsn[5592]: GTP: gtp_newgsn() started

    Setting up interface

    Done initialising GTP library

    Sending off echo request

    Setting up PDP context #0

    Waiting for response from ggsn........

    idletime.tv_sec 3, idleTime.tv_usec 0

    Received echo response

    idletime.tv_sec 3, idleTime.tv_usec 0

    Received create PDP context response. IP address: 192.168.0.2 <--------NOTE

    Check on FOC that the GTP tunnel was established successfully:

    FOC-A-171(vdom1) # dia firewall gtp tunnel list

    list gtp tunnels

    -----------prof=gtpp ref=6 imsi=310150123456789 msisdn=6044301297 mei=unknown ms_addr=192.168.0.2 s11_s4 0-----------

    -----------index=00000001 life=2082(sec) idle=41(sec) vd=3 ver=1-----------

    c_pkt=4 c_bytes=506 u_pkt=0 u_bytes=0

    downlink cfteid:

    addr=10.1.100.60 teid=0x00000001 role=control vd=3 intf_type=gn-gp sgsn gtp-c

    uplink cfteid:

    addr=172.16.200.61 teid=0x00000001 role=control vd=3 intf_type=gn-gp ggsn gtp-c

    1/1 bearers:

    id=0 linked_id=0 type=regular dead=0 apn=internet selection=ms-provided-apn user_addr=192.168.0.2 u_pkt=0 u_bytes=0

    2 fteids:

    addr=10.1.100.60 teid=0x00000001 role=data vd=3 intf_type=gn-gp sgsn gtp-u

    addr=172.16.200.61 teid=0x00000001 role=data vd=3 intf_type=gn-gp ggsn gtp-u

    Previous
    Next

    GTP in Asymmetric Routing

    GTP in Asymmetric Routing

    FortiOS 6.2.0 improves communication for FortiGates acting as a GPRS Tunneling Protocol (GTP) firewall that is deployed in asymmetric routing environments. Previously in asymmetric routing environments, the GTP-C reply might be processed before the GTP-C request was fully synchronized by FortiGate Session Life Support Protocol (FGSP), which resulted in dropped sessions. With FortiOS 6.2.0, communication is improved by adding a new set gtp-asym-fgsp command in system settings that allows two members in FGSP to synchronize the GTP-C message.

    Example

    FOC-A-171 and FOC-B-172 are two FGSP members.

    SGSN Simulator (10.1.100.60) generates a GTP-C request that is passed through FGT-175 to reach FGSP member FOC-A-171, but the response GTP-C from GGSN Simulator(172.16.200.61) is passed through FGT-176 to reach another FGSP member FOC-B-172. Previously in this asymmetric topology, FOC can't help establish the GTP tunnel between SGSN Simulator and GGSN Simulator.

    However with the set gtp-asym-fgsp command, two members in FGSP can synchronize the GTP-C message. In both FOC-A-171 and FOC-B-172, when the set gtp-asym-fgsp command is enabled, the SGSN Simulator can obtain the correct tunnel private IP address(192.168.0.2) and establish the GTP tunnel with GGSN Simulator.

    Check on the SGSN simulator:

    root@mmsclient:~# sgsnemu -c /root/openggsn-0.84/examples/fgt_sgsnemu.conf &

    [1] 5592

    root@mmsclient:~# cmdline_parser_configfile

    remote: 172.16.200.61

    listen: 10.1.100.60

    conf: /root/openggsn-0.84/examples/fgt_sgsnemu.conf

    debug: 1

    imsi: 310150123456789

    qos: 0x0b921f

    charging: 0x800

    apn: internet

    msisdn: 6044301297

    uid: mig

    pwd: hemmelig

    pidfile: ./sgsnemu.pid

    statedir: ./

    contexts: 1

    timelimit: 0

    createif: 1

    ipup: /etc/sgsnemu/ip-up

    ipdown: /etc/sgsnemu/ip-down

    defaultroute: 1

    pingrate: 1

    pingsize: 56

    pingcount: 0

    pingquiet: 0

    Using default DNS server

    Local IP address is: 10.1.100.60 (10.1.100.60)

    Remote IP address is: 172.16.200.61 (172.16.200.61)

    IMSI is: 310150123456789 (0xf987654321051013)

    Using NSAPI: 0

    Using GTP version: 1

    Using APN: internet

    Using selection mode: 1

    Using MSISDN: 6044301297

    Initialising GTP library

    openggsn[5592]: GTP: gtp_newgsn() started

    Setting up interface

    Done initialising GTP library

    Sending off echo request

    Setting up PDP context #0

    Waiting for response from ggsn........

    idletime.tv_sec 3, idleTime.tv_usec 0

    Received echo response

    idletime.tv_sec 3, idleTime.tv_usec 0

    Received create PDP context response. IP address: 192.168.0.2 <--------NOTE

    Check on FOC that the GTP tunnel was established successfully:

    FOC-A-171(vdom1) # dia firewall gtp tunnel list

    list gtp tunnels

    -----------prof=gtpp ref=6 imsi=310150123456789 msisdn=6044301297 mei=unknown ms_addr=192.168.0.2 s11_s4 0-----------

    -----------index=00000001 life=2082(sec) idle=41(sec) vd=3 ver=1-----------

    c_pkt=4 c_bytes=506 u_pkt=0 u_bytes=0

    downlink cfteid:

    addr=10.1.100.60 teid=0x00000001 role=control vd=3 intf_type=gn-gp sgsn gtp-c

    uplink cfteid:

    addr=172.16.200.61 teid=0x00000001 role=control vd=3 intf_type=gn-gp ggsn gtp-c

    1/1 bearers:

    id=0 linked_id=0 type=regular dead=0 apn=internet selection=ms-provided-apn user_addr=192.168.0.2 u_pkt=0 u_bytes=0

    2 fteids:

    addr=10.1.100.60 teid=0x00000001 role=data vd=3 intf_type=gn-gp sgsn gtp-u

    addr=172.16.200.61 teid=0x00000001 role=data vd=3 intf_type=gn-gp ggsn gtp-u

    Previous
    Next