GTPv0/v1 message filtering
FortiOS Carrier supports message filtering for all GTPv0/v1 message types as defined by 3GPP TS 29.060. Using GTPv0/v1 message filtering you can configure a GTP profile to allow or deny different types of GTPv0/v1 messages. All message types are allowed by default and you can create message filters to select message types to deny.
You can also use unknown message filtering to filter GTPv0/v1 message types that FortiOS Carrier does not have message filtering options for. Unknown messages are usually new messages that are in use on your network but have only recently been added to GTPv0/v1 by the 3GPP. These messages may be considered by the 3GPP as reserved or for future use.
You can set unknown-message to deny to block all unknown GTPv0/v1 message types. If you set unknown-message to deny, you can allow selected unknown message types by adding the IDs of these message types to the unknown-message-white-list option.
From the CLI, use the following command to add GTPv0/v1 message filtering to a GTP profile:
config firewall gtp
edit <name>
set message-filter-v0v1 <gtpv0v1-message-filter-name>
end
Use the following command to create a GTPv0/v1 message filter:
config gtp message-filter-v0v1
edit <name>
set unknown-message {allow | deny}
set unknown-message-white-list {1 2 ... 255}
set echo {allow | deny}
set version-not-support {allow | deny}
set node-alive {allow | deny}
set redirection {allow | deny}
set create-pdp {allow | deny}
set update-pdp {allow | deny}
set delete-pdp {allow | deny}
set v0-create-aa-pdp--v1-init-pdp-ctx {allow | deny}
set delete-aa-pdp {allow | deny}
set error-indication {allow | deny}
set pdu-notification {allow | deny}
set support-extension {allow | deny}
set send-route {allow | deny}
set failure-report {allow | deny}
set note-ms-present {allow | deny}
set identification {allow | deny}
set sgsn-context {allow | deny}
set fwd-relocation {allow | deny}
set relocation-cancel {allow | deny}
set fwd-srns-context {allow | deny}
set ue-registration-query {allow | deny}
set ran-info {allow | deny}
set mbms-notification {allow | deny}
set create-mbms {allow | deny}
set update-mbms {allow | deny}
set delete-mbms {allow | deny}
set mbms-registration {allow | deny}
set mbms-de-registration {allow | deny}
set mbms-session-start {allow | deny}
set mbms-session-stop {allow | deny}
set mbms-session-update {allow | deny}
set ms-info-change-notif {allow | deny}
set data-record {allow | deny}
set end-marker {allow | deny}
set gtp-pdu {allow | deny}
end
From the GUI, create or edit a GTP profile, select Message Filtering, and select a message filter to add a GTPv0/v1 message filter to the profile.
To create a GTPv0/v1 message filter from the GUI, go to Security Profiles > GTP Message Filters and select Create New > Message filter for GTPv0/v1.
The following table lists FortiOS Carrier GTPv0/v1 message filtering options and describes the GTPv0/v1 message types and message IDs they apply to.
| Message filtering option | GTPv0/v1 message types and values |
|---|---|
| echo | Echo request (1) and Echo response (2). |
| version-not-support | Version not supported (3). |
| node-alive | Node alive request (4). Node alive response (5). |
| redirection | Redirection request (6). Redirection response (7). |
| create-pdp | Create PDP context request (16). Create PDP context response (17). |
| update-pdp | Update PDP context request (18). Update PDP context response (19). |
| delete-pdp | Delete PDP context request (20). Delete PDP context response (21). |
| v0-create-aa-pdp--v1-init-pdp-ctx | GTPv0: Create AA PDP context request (22), Create AA PDP context response (23); or GTPv1: Initiate PDP context activation request (22), Initiate PDP context activation response (23). |
| delete-aa-pdp | GTPv0: Delete AA PDP context request (24). Delete AA PDP context response (25). |
| error-indication | Error indication (26). |
| pdu-notification | PDU notification request (27). PDU notification response (28). Reject PDU notification request (29). Reject PDU notification response (30). |
| support-extension | GTPv1: Supported extension headers notify (31). |
| send-route | Send routing information for GPRS request (32). Send routing information for GPRS response (33). |
| failure-report | Failure report request (34). Failure report response (35). |
| note-ms-present | Note MS GPRS present request (36). Note MS GPRS present response (37). |
| identification | Identification request (48). Identification response (49). |
| sgsn-context | SGSN context request (50). SGSN context response (51). SGSN context ack (52). |
| fwd-relocation | GTPv1: Forward relocation request (53). Forward relocation response (54). Forward relocation complete (55). Forward relocation complete ack (59). |
| relocation-cancel | GTPv1: Relocation cancel request (56). Relocation cancel response (57). |
| fwd-srns-context | GTPv1: Forward SRNS context (58). Forward SRNS context ack (60). |
| ue-registration-query | UE Registration Query request (61). UE Registration Query response (62). |
| ran-info | GTPv1: RAN information relay (70). |
| mbms-notification | GTPv1: MBMS notification request (96). MBMS notification response (97). MBMS notification reject request (98). MBMS notification reject response (99). |
| create-mbms | GTPv1: Create MBMS context request (100). Create MBMS context response (101). |
| update-mbms | GTPv1: Update MBMS context request (102). Update MBMS context response (103). |
| delete-mbms | GTPv1: Delete MBMS context request (104). Delete MBMS context response (105). |
| mbms-registration | GTPv1: MBMS registration request (112). MBMS registration response (113). |
| mbms-de-registration | GTPv1: MBMS de-registration request (114). MBMS de-registration response (115). |
| mbms-session-start | GTPv1: MBMS session start request (116). MBMS session start response (117). |
| mbms-session-stop | GTPv1: MBMS session stop request (118). MBMS session stop response (119). |
| mbms-session-update | GTPv1: MBMS session update request (120). MBMS session update response (121). |
| ms-info-change-notif | GTPv1: MS info change notification request (128). MS info change notification response (129). |
| data-record | Data record transfer request (240). Data record transfer response (241). |
| end-marker | GTPv1: End marker (254). |
| gtp-pdu | G-PDU (255). |
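
The following Python sketch is an added example, not Fortinet code. It models the decision this page describes (named options first, then unknown-message and unknown-message-white-list) and lists the message type IDs in sample traffic that have no named option, which are the IDs to review before setting unknown-message to deny. The function names, the gtpv1 helper and the sample headers are assumptions constructed for illustration.

```python
# Added example: a model of the filter decision, not FortiOS code.
# Option name -> GTPv0/v1 message type IDs, copied from the table on this page.
OPTION_IDS = {
    "echo": (1, 2), "version-not-support": (3,), "node-alive": (4, 5),
    "redirection": (6, 7), "create-pdp": (16, 17), "update-pdp": (18, 19),
    "delete-pdp": (20, 21), "v0-create-aa-pdp--v1-init-pdp-ctx": (22, 23),
    "delete-aa-pdp": (24, 25), "error-indication": (26,),
    "pdu-notification": (27, 28, 29, 30), "support-extension": (31,),
    "send-route": (32, 33), "failure-report": (34, 35),
    "note-ms-present": (36, 37), "identification": (48, 49),
    "sgsn-context": (50, 51, 52), "fwd-relocation": (53, 54, 55, 59),
    "relocation-cancel": (56, 57), "fwd-srns-context": (58, 60),
    "ue-registration-query": (61, 62), "ran-info": (70,),
    "mbms-notification": (96, 97, 98, 99), "create-mbms": (100, 101),
    "update-mbms": (102, 103), "delete-mbms": (104, 105),
    "mbms-registration": (112, 113), "mbms-de-registration": (114, 115),
    "mbms-session-start": (116, 117), "mbms-session-stop": (118, 119),
    "mbms-session-update": (120, 121), "ms-info-change-notif": (128, 129),
    "data-record": (240, 241), "end-marker": (254,), "gtp-pdu": (255,),
}
ID_TO_OPTION = {i: opt for opt, ids in OPTION_IDS.items() for i in ids}

def message_type(payload: bytes) -> int:
    """Return the message type (octet 2) of a GTPv0/v1 UDP payload."""
    if len(payload) < 2 or payload[0] >> 5 not in (0, 1):
        raise ValueError("not a GTPv0/v1 header")
    # Minimum header: 20 octets for GTPv0, 8 for GTPv1.
    if len(payload) < (20 if payload[0] >> 5 == 0 else 8):
        raise ValueError("truncated GTP header")
    return payload[1]

def decide(payload, denied=(), unknown="allow", whitelist=()):
    """Model: named options first, then unknown-message and its white list."""
    msg = message_type(payload)
    option = ID_TO_OPTION.get(msg)
    if option is not None:
        return option, "deny" if option in denied else "allow"
    blocked = unknown == "deny" and msg not in whitelist
    return "unknown-message", "deny" if blocked else "allow"

def whitelist_candidates(payloads):
    """Unknown IDs seen in traffic, to review before setting deny."""
    return sorted({message_type(p) for p in payloads} - set(ID_TO_OPTION))

def gtpv1(msg):  # constructed minimal GTPv1 header: flags 0x30, length 0, TEID 0
    return bytes([0x30, msg, 0, 0, 0, 0, 0, 0])

SAMPLES = [gtpv1(t) for t in (1, 16, 22, 63, 200)]  # constructed, not captured
```

In the constructed samples, IDs 63 and 200 match no named option, so with unknown-message set to deny they are dropped unless they are listed in unknown-message-white-list.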