GTPv2 message filtering
Using GTPv2 message filtering you can configure a GTP profile to allow or deny different types of GTPv2 messages. All message types are allowed by default and you can create message filters to select messages to deny.
You can also use unknown message filtering to filter GTPv2 message types that FortiOS Carrier does not have message filtering options for. Unknown messages are usually new messages that are in use on your network but have only recently been added to GTPv2 by the 3GPP. These messages may be considered by the 3GPP as reserved or for future use.
You can set unknown-message to deny to block all unknown GTPv2 message types. If you set unknown-message to deny, you can allow selected unknown message types by adding the IDs of these message types to the unknown-message-white-list option.
For example, FortiOS Carrier does not have a message filter for message types 40 and 41: Remote UE Report Notification / Acknowledge. You can use the following configuration to create a GTPv2 message filter that denies unknown message types but allows message types 40 and 41:
```
config gtp message-filter-v2
    edit <name>
        set unknown-message deny
        set unknown-message-white-list 40 41
end
```
From the CLI, use the following command to add GTPv2 message filtering to a GTP profile:
```
config firewall gtp
    edit <name>
        set message-filter-v2 <gtpv2-message-filter-name>
end
```
Use the following command to create a GTPv2 message filter:
```
config gtp message-filter-v2
    edit <name>
        set unknown-message {allow | deny}
        set unknown-message-white-list {1 2 ... 255}
        set echo {allow | deny}
        set version-not-support {allow | deny}
        set create-session {allow | deny}
        set modify-bearer-req-resp {allow | deny}
        set delete-session {allow | deny}
        set change-notification {allow | deny}
        set modify-bearer-cmd-fail {allow | deny}
        set delete-bearer-cmd-fail {allow | deny}
        set bearer-resource-cmd-fail {allow | deny}
        set trace-session {allow | deny}
        set create-bearer {allow | deny}
        set update-bearer {allow | deny}
        set delete-bearer-req-resp {allow | deny}
        set delete-pdn-connection-set {allow | deny}
        set suspend {allow | deny}
        set resume {allow | deny}
        set update-pdn-connection-set {allow | deny}
end
```
From the GUI, create or edit a GTP profile, select Message Filtering, and select a message filter to add a GTPv2 message filter to the profile.
To create a GTPv2 message filter from the GUI, go to Security Profiles > GTP Message Filters and select Create New > Message filter for GTPv2.
The following table lists FortiOS Carrier GTPv2 message type filtering options and describes the GTPv2 message types and message IDs they apply to.
Message filtering option | GTPv2 message types and values
---|---
echo | Echo request (1), Echo response (2).
version-not-support | Version not supported (3).
create-session | Create session request (32), Create session response (33).
modify-bearer-req-resp | Modify bearer request (34), Modify bearer response (35).
delete-session | Delete session request (36), Delete session response (37).
change-notification | Change notification request (38), Change notification response (39).
modify-bearer-cmd-fail | Modify bearer command (64), Modify bearer failure indication (65).
delete-bearer-cmd-fail | Delete bearer command (66), Delete bearer failure indication (67).
bearer-resource-cmd-fail | Bearer resource command (68), Bearer resource failure indication (69).
trace-session | Trace session activation (71), Trace session deactivation (72).
create-bearer | Create bearer request (95), Create bearer response (96).
update-bearer | Update bearer request (97), Update bearer response (98).
delete-bearer-req-resp | Delete bearer request (99), Delete bearer response (100).
delete-pdn-connection-set | Delete PDN connection set request (101), Delete PDN connection set response (102).
suspend | Suspend notify (162), Suspend ack (163).
resume | Resume notify (164), Resume ack (165).
update-pdn-connection-set | Update PDN connection set request (200), Update PDN connection set response (201).
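As an added example (not Fortinet's code), the following Python models the allow/deny decision described in the unknown-message section above and in this table, so you can check what a given message-filter-v2 configuration would do to a captured GTPv2-C message before deploying it. The message-type groups are taken from the table; the GTPv2-C header parse, the dict representation of the profile and the evaluation order (known option first, then unknown-message, then the white list) are assumptions based on this page's description.

```python
import struct

# Filter option -> GTPv2 message type IDs it covers (from the table on this page).
FILTER_GROUPS = {
    "echo": (1, 2),
    "version-not-support": (3,),
    "create-session": (32, 33),
    "modify-bearer-req-resp": (34, 35),
    "delete-session": (36, 37),
    "change-notification": (38, 39),
    "modify-bearer-cmd-fail": (64, 65),
    "delete-bearer-cmd-fail": (66, 67),
    "bearer-resource-cmd-fail": (68, 69),
    "trace-session": (71, 72),
    "create-bearer": (95, 96),
    "update-bearer": (97, 98),
    "delete-bearer-req-resp": (99, 100),
    "delete-pdn-connection-set": (101, 102),
    "suspend": (162, 163),
    "resume": (164, 165),
    "update-pdn-connection-set": (200, 201),
}
TYPE_TO_OPTION = {t: opt for opt, types in FILTER_GROUPS.items() for t in types}

def gtpv2_message_type(packet: bytes) -> int:
    """Read the message type from a GTPv2-C header (octet 1: version in top 3 bits; octet 2: type)."""
    if len(packet) < 8:
        raise ValueError("truncated GTPv2 header")
    flags, msg_type = struct.unpack_from("!BB", packet, 0)
    if flags >> 5 != 2:
        raise ValueError(f"not GTPv2 (version {flags >> 5})")
    return msg_type

def filter_verdict(msg_type: int, profile: dict) -> str:
    """Assumed model: a known type follows its option (allowed unless set to deny); an
    unknown type follows unknown-message unless its ID is on unknown-message-white-list."""
    option = TYPE_TO_OPTION.get(msg_type)
    if option is not None:
        return profile.get(option, "allow")
    if profile.get("unknown-message", "allow") == "allow":
        return "allow"
    return "allow" if msg_type in profile.get("unknown-message-white-list", ()) else "deny"

# The page's own example: deny unknown types, but allow 40 and 41.
PAGE_PROFILE = {"unknown-message": "deny", "unknown-message-white-list": {40, 41}}

def verdict_for_packet(packet: bytes, profile: dict = PAGE_PROFILE) -> str:
    """Parse a raw GTPv2-C header and apply the profile to it."""
    return filter_verdict(gtpv2_message_type(packet), profile)
```

A constructed 12-octet header such as `bytes([0x48, 42, 0, 8, 0, 0, 0, 1, 0, 0, 1, 0])` (version 2, TEID flag set, message type 42) is denied under PAGE_PROFILE, while the same header with type 40 is allowed.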