Fortinet black logo

FortiOS Carrier

7.0.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.6
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.9
5.6.0

Adding GTPv0/v1 policy filters to a GTP profile

Adding GTPv0/v1 policy filters to a GTP profile

Use the following command to add an GTPv0/v1 policy filter to a GTP profile:

config firewall gtp

edit <name>

set policy-filter enable

set default-policy-action {allow | deny}

config policy

edit <id>

set apnmember <apn-name>

set messages {create-req create-res update-req update-res}

set apn-sel-mode {ms net vrf}

set max-apn-restriction {all public-1 public-2 private-1 private-2}

set imsi-prefix <prefix>

set msisdn-prefix <prefix>

set rat-type {any utran geran wlan gan hspa eutran virtual nbiot}

set imei <imei-pattern>

set action {allow | deny}

set rai <rai-pattern>

set uli <uli-pattern>

end

Set default-policy-action to allow to allow traffic, then use config policy to create policy filters to filter the allowed traffic. Set default-policy-action to deny to block all traffic and then use config policy to create policy filters that match the traffic to be allowed.

You can include the * wildcard character when adding IMEI, RAI, and ULI patterns. See the individual descriptions below for details.

apnmember <apn-name> add an APN or APN group to the policy filter.

messages {create-req create-res update-req update-res} select the content messages that a filter will match. Select one or more of the available options. Different policy options are available depending on the messages setting.

  • create-req filter PDP context requests (the default). All policy filter options are available.
  • create-res filter PDP context responses. Only the max-apn-restriction and action policy filter options are available.
  • update-req filter update PDP context requests. Only the imsi-prefix, rat-type, action, rai, and uli policy filter options are available.
  • update-res filter update PDP context responses. Only the max-apn-restriction and action policy filter options are available.

apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

  • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR/HSS did not verify the user's subscription to the network.
  • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR/HSS did not verify the user's subscription to the network.
  • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR/HSS verified the user's subscription to the network.

max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv1 spec 3GPP TS 29.060, section 7.7.49 APN Restriction.

  • all (the default) match all APNs, no restrictions
  • public-1 match the Public-1 APN used on your network, for example MMS.
  • public-2 match your Public-2 APN used on your network, for example the internet.
  • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
  • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

imsi-prefix add an IMSI prefix.

msisdn-prefix add an MSISDN prefix.

rat-type select the Radio Access Technology (RAT) type as any combination of the following (some RAT types are GTPv1 specific). These fields control how a user accesses the carrier’s network:

  • any any RAT

  • utran UTRAN

  • geran GERAN

  • wlan WLAN

  • gan GAN

  • hspa HSPA

  • eutran EUTRAN

  • virtual Virtual

  • nbiot NB-IoT

imei <imei-pattern> add a single IMEI or an IMEI pattern that includes the * wildcard character to match multiple IMEIs. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

A single IMEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

IMEI patterns must include the three decimal points. In each part of the IMEI pattern the * cannot be followed by a number. The following are some examples of valid IMEI patterns:

35349006.*.*

*.987*.1

*.*.*

action {allow | deny} allow (the default) or deny traffic matching this policy filter.

rai <rai-pattern> add a routing area identity (RAI) or an RAI pattern with the format <MCC>.<MNC>.<LAC>.<RAC>. The RAI must use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xx>. Example RAIs: 456.45.0c0c.0c and 123.12.abab.0F.

You can use the * wildcard to create RAI patterns that match more than one RAIs, for example: 456.45.0c0c.*.

There is only one SGSN per routing area on a carrier network. This is often used with a ULI to locate a user geographically on a carrier network.

uli <uli-pattern> a user location identifier (ULI) or ULI pattern. The pattern can use one of the following formats:

A CGI ULI is prefixed with a 0 and uses the following format: 0:<MCC>.<MNC>.<LAC>.<CI>.

A SAI ULI is prefixed with a 1 and uses the following format: 1:<MCC>.<MNC>.<LAC>.<SAC>.

Both ULI types use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xxxx>.

Example CGI ULI: 0:465.23.0c0c.1f1f. Example SAI ULI: 1:189.23.1a2c.3d4f.

You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern, the * cannot be followed by a number. Example SAI ULI pattern: 1:189.23.1a2*.3d4f.

Often the ULI is used with the RAI to locate a user geographically on a carrier’s network.

Previous
Next

Adding GTPv0/v1 policy filters to a GTP profile

Use the following command to add an GTPv0/v1 policy filter to a GTP profile:

config firewall gtp

edit <name>

set policy-filter enable

set default-policy-action {allow | deny}

config policy

edit <id>

set apnmember <apn-name>

set messages {create-req create-res update-req update-res}

set apn-sel-mode {ms net vrf}

set max-apn-restriction {all public-1 public-2 private-1 private-2}

set imsi-prefix <prefix>

set msisdn-prefix <prefix>

set rat-type {any utran geran wlan gan hspa eutran virtual nbiot}

set imei <imei-pattern>

set action {allow | deny}

set rai <rai-pattern>

set uli <uli-pattern>

end

Set default-policy-action to allow to allow traffic, then use config policy to create policy filters to filter the allowed traffic. Set default-policy-action to deny to block all traffic and then use config policy to create policy filters that match the traffic to be allowed.

You can include the * wildcard character when adding IMEI, RAI, and ULI patterns. See the individual descriptions below for details.

apnmember <apn-name> add an APN or APN group to the policy filter.

messages {create-req create-res update-req update-res} select the content messages that a filter will match. Select one or more of the available options. Different policy options are available depending on the messages setting.

  • create-req filter PDP context requests (the default). All policy filter options are available.
  • create-res filter PDP context responses. Only the max-apn-restriction and action policy filter options are available.
  • update-req filter update PDP context requests. Only the imsi-prefix, rat-type, action, rai, and uli policy filter options are available.
  • update-res filter update PDP context responses. Only the max-apn-restriction and action policy filter options are available.

apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

  • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR/HSS did not verify the user's subscription to the network.
  • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR/HSS did not verify the user's subscription to the network.
  • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR/HSS verified the user's subscription to the network.

max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv1 spec 3GPP TS 29.060, section 7.7.49 APN Restriction.

  • all (the default) match all APNs, no restrictions
  • public-1 match the Public-1 APN used on your network, for example MMS.
  • public-2 match your Public-2 APN used on your network, for example the internet.
  • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
  • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

imsi-prefix add an IMSI prefix.

msisdn-prefix add an MSISDN prefix.

rat-type select the Radio Access Technology (RAT) type as any combination of the following (some RAT types are GTPv1 specific). These fields control how a user accesses the carrier’s network:

  • any any RAT

  • utran UTRAN

  • geran GERAN

  • wlan WLAN

  • gan GAN

  • hspa HSPA

  • eutran EUTRAN

  • virtual Virtual

  • nbiot NB-IoT

imei <imei-pattern> add a single IMEI or an IMEI pattern that includes the * wildcard character to match multiple IMEIs. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

A single IMEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

IMEI patterns must include the three decimal points. In each part of the IMEI pattern the * cannot be followed by a number. The following are some examples of valid IMEI patterns:

35349006.*.*

*.987*.1

*.*.*

action {allow | deny} allow (the default) or deny traffic matching this policy filter.

rai <rai-pattern> add a routing area identity (RAI) or an RAI pattern with the format <MCC>.<MNC>.<LAC>.<RAC>. The RAI must use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xx>. Example RAIs: 456.45.0c0c.0c and 123.12.abab.0F.

You can use the * wildcard to create RAI patterns that match more than one RAIs, for example: 456.45.0c0c.*.

There is only one SGSN per routing area on a carrier network. This is often used with a ULI to locate a user geographically on a carrier network.

uli <uli-pattern> a user location identifier (ULI) or ULI pattern. The pattern can use one of the following formats:

A CGI ULI is prefixed with a 0 and uses the following format: 0:<MCC>.<MNC>.<LAC>.<CI>.

A SAI ULI is prefixed with a 1 and uses the following format: 1:<MCC>.<MNC>.<LAC>.<SAC>.

Both ULI types use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xxxx>.

Example CGI ULI: 0:465.23.0c0c.1f1f. Example SAI ULI: 1:189.23.1a2c.3d4f.

You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern, the * cannot be followed by a number. Example SAI ULI pattern: 1:189.23.1a2*.3d4f.

Often the ULI is used with the RAI to locate a user geographically on a carrier’s network.

Previous
Next