New Features

6.4.0

IPv6 support for GTP 6.4.2

FortiOS Carrier supports IPv6-only and IPv4/IPv6 dual-stack deployments for GTPv1 and GTPv2.

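IPv6 in GTP configuration

The following GTP profile shows the IPv6 settings. Values in angle brackets are placeholders for IPv6 address or address group objects. The ip-policy entry in this example uses the "all" address object for both srcaddr6 and dstaddr6; use narrower IPv6 address objects when the policy should apply only to specific traffic.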

config firewall gtp
    edit "gtpp"
        set handover-group6 <sgsnv6_grp_addr>
        set authorized-sgsns6 <sgsnv6_grp_addr>
        set invalid-sgsns6-to-log <sgsnv6_grp_addr>
        set authorized-ggsns6 <ggsnv6_grp_addr>
        config ie-remove-policy
            edit 1
                set sgsn-addr6 <sgsnv6>
            next
        end
        config ip-policy
            edit 1
                set srcaddr6 "all"
                set dstaddr6 "all"
            next
        end
    next
end

Diagnose commands

Mobile user IPv6 address
diagnose firewall gtp tunnel filter ms-addr6 <from_ipv6_address> <to_ipv6_address>
IPv6 address of the control plane F-TEID

This is only applicable to GTPv1 and GTPv2 tunnels.

diagnose firewall gtp tunnel filter f-teid-c addr6 <from_ipv6_address> <to_ipv6_address>
IPv6 address of the data plane F-TEID

This is only applicable to GTPv1 and GTPv2 tunnels.

diagnose firewall gtp tunnel filter f-teid-u addr6 <from_ipv6_address> <to_ipv6_address>
Clear the mobile user IPv6 address filter
diagnose firewall gtp tunnel filter clear ms-addr6
Clear the IPv6 address of the control or data plane F-TEID filter
diagnose firewall gtp tunnel filter clear {f-teid-c | f-teid-u} addr6
Invert (negate) the mobile user IPv6 address filter
diagnose firewall gtp tunnel filter negate ms-addr6
IPv6 handover group
# diagnose firewall gtp handover-grp6 show gtpp 
print gtpp IPv6 handover group
[2001:10:1:100::-2001:10:1:100:ffff:ffff:ffff:ffff], [2002:10:1:100::-2002:10:1:100:ffff:ffff:ffff:ffff], 
Authorized IPv6 SGSNs
# diagnose firewall gtp auth-sgsns6 show gtpp 
print gtpp IPv6 authorized SGSNs
[2001:10:1:100::-2001:10:1:100:ffff:ffff:ffff:ffff], [2002:10:1:100::-2002:10:1:100:ffff:ffff:ffff:ffff], 
Invalid IPv6 SGSNs to be logged
# diagnose firewall gtp invalid-sgsns6-to-log show gtpp 
print gtpp IPv6 invalid SGSNs to be logged
[2001:10:1:100::-2001:10:1:100:ffff:ffff:ffff:ffff], [2002:10:1:100::-2002:10:1:100:ffff:ffff:ffff:ffff], 
Authorized IPv6 GGSNs
# diagnose firewall gtp auth-ggsns6 show gtpp 
print gtpp IPv6 authorized GGSNs
[2001:172:16:200::-2001:172:16:200:ffff:ffff:ffff:ffff], [2002:172:16:200::-2002:172:16:200:ffff:ffff:ffff:ffff], 

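IPv6 GTP log example

The first entry shows a GTPv2 message (msg-type=32) that was prohibited with deny_cause="sgsn-not-authorized". The second shows a message of the same type, between the same from6 and to6 addresses, that was forwarded. The third is a traffic-count record for the tunnel with tunnel-idx=4.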

date=2020-06-26 time=15:01:27 logid="1400041224" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593208887251968776 tz="-0700" profile="gtpp" status="prohibited" version=2 msg-type=32 from6=2001:172:16:200::6 to6=2001:172:16:200::34 deny_cause="sgsn-not-authorized" ietype=75 dtlexp="none" srcport=34612 dstport=2123 seqnum=1 tunnel-idx=0 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 headerteid=0 snetwork="222.333" cpaddr6=2001:10:1:100::33 cpteid=886008 uli="011000:222.333.1" ulimcc=222 ulimnc=333
date=2020-06-26 time=15:04:23 logid="1400041223" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593209063197162647 tz="-0700" profile="gtpp" status="forwarded" version=2 msg-type=32 from6=2001:172:16:200::6 to6=2001:172:16:200::34 srcport=65372 dstport=2123 seqnum=1 tunnel-idx=4 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 headerteid=0 snetwork="222.333" cpaddr6=2001:10:1:100::33 cpteid=886008 uli="011000:222.333.1" ulimcc=222 ulimnc=333
date=2020-06-26 time=15:08:03 logid="1400041228" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593209283529236672 tz="-0700" profile="gtpp" status="traffic-count" version=2 cpdladdr6=2001:10:1:100::33 cpdlteid=886008 cpdlisrteid=0 cpulteid=0 tunnel-idx=4 duration=220 c-pkts=1 c-bytes=262 u-pkts=0 u-bytes=0 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 snetwork="222.333" uli="011000:222.333.1" ulimcc=222 ulimnc=333

IPv6 support for GTP 6.4.2

FortiOS Carrier supports IPv6-only and IPv4/IPv6 dual-stack deployments for GTPv1 and GTPv2.

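IPv6 in GTP configuration

The following GTP profile shows the IPv6 settings. Values in angle brackets are placeholders for IPv6 address or address group objects. The ip-policy entry in this example uses the "all" address object for both srcaddr6 and dstaddr6; use narrower IPv6 address objects when the policy should apply only to specific traffic.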

config firewall gtp
    edit "gtpp"
        set handover-group6 <sgsnv6_grp_addr>
        set authorized-sgsns6 <sgsnv6_grp_addr>
        set invalid-sgsns6-to-log <sgsnv6_grp_addr>
        set authorized-ggsns6 <ggsnv6_grp_addr>
        config ie-remove-policy
            edit 1
                set sgsn-addr6 <sgsnv6>
            next
        end
        config ip-policy
            edit 1
                set srcaddr6 "all"
                set dstaddr6 "all"
            next
        end
    next
end

Diagnose commands

Mobile user IPv6 address
diagnose firewall gtp tunnel filter ms-addr6 <from_ipv6_address> <to_ipv6_address>
IPv6 address of the control plane F-TEID

This is only applicable to GTPv1 and GTPv2 tunnels.

diagnose firewall gtp tunnel filter f-teid-c addr6 <from_ipv6_address> <to_ipv6_address>
IPv6 address of the data plane F-TEID

This is only applicable to GTPv1 and GTPv2 tunnels.

diagnose firewall gtp tunnel filter f-teid-u addr6 <from_ipv6_address> <to_ipv6_address>
Clear the mobile user IPv6 address filter
diagnose firewall gtp tunnel filter clear ms-addr6
Clear the IPv6 address of the control or data plane F-TEID filter
diagnose firewall gtp tunnel filter clear {f-teid-c | f-teid-u} addr6
Invert (negate) the mobile user IPv6 address filter
diagnose firewall gtp tunnel filter negate ms-addr6
IPv6 handover group
# diagnose firewall gtp handover-grp6 show gtpp 
print gtpp IPv6 handover group
[2001:10:1:100::-2001:10:1:100:ffff:ffff:ffff:ffff], [2002:10:1:100::-2002:10:1:100:ffff:ffff:ffff:ffff], 
Authorized IPv6 SGSNs
# diagnose firewall gtp auth-sgsns6 show gtpp 
print gtpp IPv6 authorized SGSNs
[2001:10:1:100::-2001:10:1:100:ffff:ffff:ffff:ffff], [2002:10:1:100::-2002:10:1:100:ffff:ffff:ffff:ffff], 
Invalid IPv6 SGSNs to be logged
# diagnose firewall gtp invalid-sgsns6-to-log show gtpp 
print gtpp IPv6 invalid SGSNs to be logged
[2001:10:1:100::-2001:10:1:100:ffff:ffff:ffff:ffff], [2002:10:1:100::-2002:10:1:100:ffff:ffff:ffff:ffff], 
Authorized IPv6 GGSNs
# diagnose firewall gtp auth-ggsns6 show gtpp 
print gtpp IPv6 authorized GGSNs
[2001:172:16:200::-2001:172:16:200:ffff:ffff:ffff:ffff], [2002:172:16:200::-2002:172:16:200:ffff:ffff:ffff:ffff], 

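IPv6 GTP log example

The first entry shows a GTPv2 message (msg-type=32) that was prohibited with deny_cause="sgsn-not-authorized". The second shows a message of the same type, between the same from6 and to6 addresses, that was forwarded. The third is a traffic-count record for the tunnel with tunnel-idx=4.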

date=2020-06-26 time=15:01:27 logid="1400041224" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593208887251968776 tz="-0700" profile="gtpp" status="prohibited" version=2 msg-type=32 from6=2001:172:16:200::6 to6=2001:172:16:200::34 deny_cause="sgsn-not-authorized" ietype=75 dtlexp="none" srcport=34612 dstport=2123 seqnum=1 tunnel-idx=0 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 headerteid=0 snetwork="222.333" cpaddr6=2001:10:1:100::33 cpteid=886008 uli="011000:222.333.1" ulimcc=222 ulimnc=333
date=2020-06-26 time=15:04:23 logid="1400041223" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593209063197162647 tz="-0700" profile="gtpp" status="forwarded" version=2 msg-type=32 from6=2001:172:16:200::6 to6=2001:172:16:200::34 srcport=65372 dstport=2123 seqnum=1 tunnel-idx=4 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 headerteid=0 snetwork="222.333" cpaddr6=2001:10:1:100::33 cpteid=886008 uli="011000:222.333.1" ulimcc=222 ulimnc=333
date=2020-06-26 time=15:08:03 logid="1400041228" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593209283529236672 tz="-0700" profile="gtpp" status="traffic-count" version=2 cpdladdr6=2001:10:1:100::33 cpdlteid=886008 cpdlisrteid=0 cpulteid=0 tunnel-idx=4 duration=220 c-pkts=1 c-bytes=262 u-pkts=0 u-bytes=0 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 snetwork="222.333" uli="011000:222.333.1" ulimcc=222 ulimnc=333