Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiOS Carrier

Adding GTPv0/v1 policy filters to a GTP profile

Use the following command to add an GTPv0/v1 policy filter to a GTP profile:

config firewall gtp

edit <name>

set policy-filter enable

set default-policy-action {allow | deny}

config policy

edit <id>

set apnmember <apn-name>

set messages {create-req create-res update-req update-res}

set apn-sel-mode {ms net vrf}

set max-apn-restriction {all public-1 public-2 private-1 private-2}

set imsi-prefix <prefix>

set msisdn-prefix <prefix>

set rat-type {any utran geran wlan gan hspa eutran virtual nbiot}

set imei <imei-pattern>

set action {allow | deny}

set rai <rai-pattern>

set uli <uli-pattern>

end

Set default-policy-action to allow to allow traffic, then use config policy to create policy filters to filter the allowed traffic. Set default-policy-action to deny to block all traffic and then use config policy to create policy filters that match the traffic to be allowed.

You can include the * wildcard character when adding IMEI, RAI, and ULI patterns. See the individual descriptions below for details.

apnmember <apn-name> add an APN or APN group to the policy filter.

messages {create-req create-res update-req update-res} select the content messages that a filter will match. Select one or more of the available options. Different policy options are available depending on the messages setting.

  • create-req filter PDP context requests (the default). All policy filter options are available.
  • create-res filter PDP context responses. Only the max-apn-restriction and action policy filter options are available.
  • update-req filter update PDP context requests. Only the imsi-prefix, rat-type, action, rai, and uli policy filter options are available.
  • update-res filter update PDP context responses. Only the max-apn-restriction and action policy filter options are available.

apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

  • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR/HSS did not verify the user's subscription to the network.
  • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR/HSS did not verify the user's subscription to the network.
  • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR/HSS verified the user's subscription to the network.

max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv1 spec 3GPP TS 29.060, section 7.7.49 APN Restriction.

  • all (the default) match all APNs, no restrictions
  • public-1 match the Public-1 APN used on your network, for example MMS.
  • public-2 match your Public-2 APN used on your network, for example the internet.
  • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
  • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

imsi-prefix add an IMSI prefix.

msisdn-prefix add an MSISDN prefix.

rat-type select the Radio Access Technology (RAT) type as any combination of the following (some RAT types are GTPv1 specific). These fields control how a user accesses the carrier’s network:

  • any any RAT

  • utran UTRAN

  • geran GERAN

  • wlan WLAN

  • gan GAN

  • hspa HSPA

  • eutran EUTRAN

  • virtual Virtual

  • nbiot NB-IoT

imei <imei-pattern> add a single IMEI or an IMEI pattern that includes the * wildcard character to match multiple IMEIs. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

A single IMEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

IMEI patterns must include the three decimal points. In each part of the IMEI pattern the * cannot be followed by a number. The following are some examples of valid IMEI patterns:

35349006.*.*

*.987*.1

*.*.*

action {allow | deny} allow (the default) or deny traffic matching this policy filter.

rai <rai-pattern> add a routing area identity (RAI) or an RAI pattern with the format <MCC>.<MNC>.<LAC>.<RAC>. The RAI must use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xx>. Example RAIs: 456.45.0c0c.0c and 123.12.abab.0F.

You can use the * wildcard to create RAI patterns that match more than one RAIs, for example: 456.45.0c0c.*.

There is only one SGSN per routing area on a carrier network. This is often used with a ULI to locate a user geographically on a carrier network.

uli <uli-pattern> a user location identifier (ULI) or ULI pattern. The pattern can use one of the following formats:

A CGI ULI is prefixed with a 0 and uses the following format: 0:<MCC>.<MNC>.<LAC>.<CI>.

A SAI ULI is prefixed with a 1 and uses the following format: 1:<MCC>.<MNC>.<LAC>.<SAC>.

Both ULI types use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xxxx>.

Example CGI ULI: 0:465.23.0c0c.1f1f. Example SAI ULI: 1:189.23.1a2c.3d4f.

You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern, the * cannot be followed by a number. Example SAI ULI pattern: 1:189.23.1a2*.3d4f.

Often the ULI is used with the RAI to locate a user geographically on a carrier’s network.

Adding GTPv0/v1 policy filters to a GTP profile

Use the following command to add an GTPv0/v1 policy filter to a GTP profile:

config firewall gtp

edit <name>

set policy-filter enable

set default-policy-action {allow | deny}

config policy

edit <id>

set apnmember <apn-name>

set messages {create-req create-res update-req update-res}

set apn-sel-mode {ms net vrf}

set max-apn-restriction {all public-1 public-2 private-1 private-2}

set imsi-prefix <prefix>

set msisdn-prefix <prefix>

set rat-type {any utran geran wlan gan hspa eutran virtual nbiot}

set imei <imei-pattern>

set action {allow | deny}

set rai <rai-pattern>

set uli <uli-pattern>

end

Set default-policy-action to allow to allow traffic, then use config policy to create policy filters to filter the allowed traffic. Set default-policy-action to deny to block all traffic and then use config policy to create policy filters that match the traffic to be allowed.

You can include the * wildcard character when adding IMEI, RAI, and ULI patterns. See the individual descriptions below for details.

apnmember <apn-name> add an APN or APN group to the policy filter.

messages {create-req create-res update-req update-res} select the content messages that a filter will match. Select one or more of the available options. Different policy options are available depending on the messages setting.

  • create-req filter PDP context requests (the default). All policy filter options are available.
  • create-res filter PDP context responses. Only the max-apn-restriction and action policy filter options are available.
  • update-req filter update PDP context requests. Only the imsi-prefix, rat-type, action, rai, and uli policy filter options are available.
  • update-res filter update PDP context responses. Only the max-apn-restriction and action policy filter options are available.

apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

  • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR/HSS did not verify the user's subscription to the network.
  • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR/HSS did not verify the user's subscription to the network.
  • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR/HSS verified the user's subscription to the network.

max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv1 spec 3GPP TS 29.060, section 7.7.49 APN Restriction.

  • all (the default) match all APNs, no restrictions
  • public-1 match the Public-1 APN used on your network, for example MMS.
  • public-2 match your Public-2 APN used on your network, for example the internet.
  • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
  • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

imsi-prefix add an IMSI prefix.

msisdn-prefix add an MSISDN prefix.

rat-type select the Radio Access Technology (RAT) type as any combination of the following (some RAT types are GTPv1 specific). These fields control how a user accesses the carrier’s network:

  • any any RAT

  • utran UTRAN

  • geran GERAN

  • wlan WLAN

  • gan GAN

  • hspa HSPA

  • eutran EUTRAN

  • virtual Virtual

  • nbiot NB-IoT

imei <imei-pattern> add a single IMEI or an IMEI pattern that includes the * wildcard character to match multiple IMEIs. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

A single IMEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

IMEI patterns must include the three decimal points. In each part of the IMEI pattern the * cannot be followed by a number. The following are some examples of valid IMEI patterns:

35349006.*.*

*.987*.1

*.*.*

action {allow | deny} allow (the default) or deny traffic matching this policy filter.

rai <rai-pattern> add a routing area identity (RAI) or an RAI pattern with the format <MCC>.<MNC>.<LAC>.<RAC>. The RAI must use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xx>. Example RAIs: 456.45.0c0c.0c and 123.12.abab.0F.

You can use the * wildcard to create RAI patterns that match more than one RAIs, for example: 456.45.0c0c.*.

There is only one SGSN per routing area on a carrier network. This is often used with a ULI to locate a user geographically on a carrier network.

uli <uli-pattern> a user location identifier (ULI) or ULI pattern. The pattern can use one of the following formats:

A CGI ULI is prefixed with a 0 and uses the following format: 0:<MCC>.<MNC>.<LAC>.<CI>.

A SAI ULI is prefixed with a 1 and uses the following format: 1:<MCC>.<MNC>.<LAC>.<SAC>.

Both ULI types use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xxxx>.

Example CGI ULI: 0:465.23.0c0c.1f1f. Example SAI ULI: 1:189.23.1a2c.3d4f.

You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern, the * cannot be followed by a number. Example SAI ULI pattern: 1:189.23.1a2*.3d4f.

Often the ULI is used with the RAI to locate a user geographically on a carrier’s network.