Fortinet white logo
Fortinet white logo

FortiOS Carrier

Encapsulated IP traffic filtering

Encapsulated IP traffic filtering

Encapsulated traffic on the GPRS network can come in a number of forms as it includes traffic that is “wrapped up” in another protocol. This detail is important for firewalls because it requires “unwrapping” to properly scan the data inside. If encapsulated packets are treated as regular packets, that inside layer will never be scanned and may allow malicious data into your network.

Generally there are a very limited number of IP addresses that are allowed to encapsulate GPRS traffic. For example GTP tunnels are a valid type of encapsulation when used properly. This is the GTP tunnel which uses the Gp or Gn interfaces between SGSNs and GGSNs or S5/S8 between SGWs and PGWs. However, a GTP tunnel within a GTP tunnel is not accessible — FortiOS Carrier will either block or forward the traffic, but is not able to open it for inspection.

You can use encapsulated IP traffic filtering (also just called IP filtering) to filter GTP sessions based on information contained in the data stream to control data flows within your infrastructure. You can configure IP filtering rules to filter encapsulated IP traffic from mobile stations according to source and destination IP addresses.

You can use the following command to enable encapsulated IP traffic filtering and add IP traffic filtering policies to a GTP profile:

config firewall gtp

edit <name>

set ip-filter enable

set default-ip-action allow

config ip-policy

edit <id>

set srcaddr <address>

set dstaddr <address>

set srcaddr6 <address>

set dstaddr6 <address>

set action {deny | allow}

end

ip-filter enable or disable encapsulated IP traffic filtering. Disabled by default.

default-ip-action select allow (the default) to allow all sessions except those blocked by individual IP filters. Select deny to block all sessions except those allowed by individual IP filters.

srcaddr, dstaddr, srcaddr6, and dstaddr6 select IPv4 and IPv6 firewall addresses or address groups to match the source and destination addresses of the traffic to be allowed or denied according to the action. You must select an address for each option. Select all to match all addresses. Select none to match no addresses. For example, if you want to create a filter that only filters IPv4 addresses, for srcaddr6, and dstaddr6 select none.

action select whether to allow or deny traffic that matches the source and destination addresses. The default is allow.

From the GUI:

  1. To create a new encapsulated IP traffic filter in a GTP profile, open Encapsulated IP traffic filtering and select Create New.
  2. Select a Source firewall address or address group.
  3. Select a Destination firewall address or address group.
  4. Set Action to Allow or Deny encapsulated traffic between the source and destination addresses.
  5. Select OK to save the filter.

Encapsulated IP traffic filtering

Encapsulated IP traffic filtering

Encapsulated traffic on the GPRS network can come in a number of forms as it includes traffic that is “wrapped up” in another protocol. This detail is important for firewalls because it requires “unwrapping” to properly scan the data inside. If encapsulated packets are treated as regular packets, that inside layer will never be scanned and may allow malicious data into your network.

Generally there are a very limited number of IP addresses that are allowed to encapsulate GPRS traffic. For example GTP tunnels are a valid type of encapsulation when used properly. This is the GTP tunnel which uses the Gp or Gn interfaces between SGSNs and GGSNs or S5/S8 between SGWs and PGWs. However, a GTP tunnel within a GTP tunnel is not accessible — FortiOS Carrier will either block or forward the traffic, but is not able to open it for inspection.

You can use encapsulated IP traffic filtering (also just called IP filtering) to filter GTP sessions based on information contained in the data stream to control data flows within your infrastructure. You can configure IP filtering rules to filter encapsulated IP traffic from mobile stations according to source and destination IP addresses.

You can use the following command to enable encapsulated IP traffic filtering and add IP traffic filtering policies to a GTP profile:

config firewall gtp

edit <name>

set ip-filter enable

set default-ip-action allow

config ip-policy

edit <id>

set srcaddr <address>

set dstaddr <address>

set srcaddr6 <address>

set dstaddr6 <address>

set action {deny | allow}

end

ip-filter enable or disable encapsulated IP traffic filtering. Disabled by default.

default-ip-action select allow (the default) to allow all sessions except those blocked by individual IP filters. Select deny to block all sessions except those allowed by individual IP filters.

srcaddr, dstaddr, srcaddr6, and dstaddr6 select IPv4 and IPv6 firewall addresses or address groups to match the source and destination addresses of the traffic to be allowed or denied according to the action. You must select an address for each option. Select all to match all addresses. Select none to match no addresses. For example, if you want to create a filter that only filters IPv4 addresses, for srcaddr6, and dstaddr6 select none.

action select whether to allow or deny traffic that matches the source and destination addresses. The default is allow.

From the GUI:

  1. To create a new encapsulated IP traffic filter in a GTP profile, open Encapsulated IP traffic filtering and select Create New.
  2. Select a Source firewall address or address group.
  3. Select a Destination firewall address or address group.
  4. Set Action to Allow or Deny encapsulated traffic between the source and destination addresses.
  5. Select OK to save the filter.