Adding GTPv2 policy filters to a GTP profile
Use the following command to add a GTPv2 policy filter to a GTP profile:
config firewall gtp
edit <name>
set policy-filter enable
set default-policy-action {allow | deny}
config policy-v2
edit <id>
set apnmember <apn-name>
set messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res}
set apn-sel-mode {ms net vrf}
set max-apn-restriction {all public-1 public-2 private-1 private-2}
set imsi-prefix <prefix>
set msisdn-prefix <prefix>
set rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr}
set mei <mei-pattern>
set action {allow | deny}
set uli <cgi-uli-pattern> <sal-uli-pattern> <rai-uli-pattern> <rai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern>
end
Set default-policy-action
to allow
to allow traffic, then use config policy-v2
to create policy filters to filter the allowed traffic. Set default-policy-action
to deny
to block all traffic and then use config policy-v2
to create policy filters that match the traffic to be allowed.
You can include the *
wildcard character when adding MEI and ULI patterns. See the individual descriptions below for details.
apnmember <apn-name>
add an APN or APN group to the policy filter.
messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res}
select the content messages that the filter will match. Select one or more of the available options. Different policy filter options are available depending on the messages
setting.
-
create-sess-req
create session request (the default). If you just select this message, all policy filter options are available. -
create-sess-res
create session response. Only themax-apn-restriction
andaction
policy filter options are available. -
modify-bearer-req
modify bearer request. Only therat-type
,action
, anduli
policy filter options are available. -
modify-bearer-res
modify bearer response. Only themax-apn-restriction
andaction
policy filter options are available.
apn-sel-mode {ms net vrf}
by default, all three modes are selected and this cannot be changed.
-
ms
MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HSS did not verify the user's subscription to the network. -
net
Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HSS did not verify the user's subscription to the network. -
sub
MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HSS verified the user's subscription to the network.
max-apn-restriction {all public-1 public-2 private-1 private-2}
select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv2 spec 3GPP TS 29.274 V15.9.0, subsection 8.57 APN Restriction.
-
all
(the default) match all APNs with no restrictions. -
public-1
match the Public-1 APN used on your network, for example MMS. -
public-2
match your Public-2 APN used on your network, for example the internet. -
private-1
match your Private-1 APN used on your network, for example Corporate users who use MMS. -
private-2
match your Private-2 APN used on your network, for example Corporate users who do not use MMS.
imsi-prefix <prefix>
add an IMSI prefix.
msisdn-prefix <prefix>
add an MSISDN prefix.
rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr}
set the RAT Type as any combination of the following:
-
any
any RAT (the default) -
utran
UTRAN -
geran
GERAN -
wlan
WLAN -
gan
GAN -
hspa
HSPA -
eutran
EUTRAN -
virtual
Virtual -
nbiot
NB-IoT -
item
LTE-M -
nr
NR
mei <mei-pattern>
add a single MEI or an MEI pattern that includes the *
wildcard character to match multiple MEIs. The MEI uniquely identifies mobile hardware, and can be used to block stolen equipment.
A single MEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>
. For example: 35349006.987300.1.
In each part of the MEI pattern the *
cannot be followed by a number. The following are some examples of valid MEI patterns:
35349006.*.*
*.987*.1
*.*.*
action {allow | deny}
allow (the default) or deny traffic matching this policy filter.
uli <cgi-uli-pattern> <sal-uli-pattern> <rai-uli-pattern> <rai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern>
add up to six different types of GTPv2 universal location information (ULI) patterns, separated by a space.
All of the ULI patterns have the format <MCC>.<MNC>.<ID>.<[ID2]>
. MCC
and MNC
are decimal numbers of two or three digits (d
). ID
and ID2
are hexadecimal numbers of four digits (x
).
-
<cgi-uli-pattern>
a CGI ULI with the format<ddd>.<dd[d]>.<xxxx>.<xxxx>
. Example CGI ULI:123.12.0a0a.0F0F
. -
<sai-uli-pattern>
is an SAI ULI with the format<ddd>.<dd[d]>.<xxxx>.<xxxx>
. Example SAI ULI:523.235.0b0a.0E0F
. -
<rai-uli-pattern>
is a Routing Area Identity (RAI) ULI with the format<ddd>.<dd[d]>.<xxxx>.<xx>
. Example RAI ULI:456.45.0c0c.0c
. -
<tai-uli-pattern>
is a Tracking Area Identity (TAI) ULI with the format<ddd>.<dd[d]>.<xxxx>
. Example TAI ULI:505.02.d008
. -
<ecgi-uli-pattern>
is an E-UTRAN Cell Global Identifier (ECGI) ULI with the format<ddd><dd[d]>.<xxxxxxx>
. Example ECGI ULI:505.02.d008123
. -
<lai-uli-pattern>
is a Location Area Identifier (LAI) ULI with the format<ddd>.<dd[d]>.<xxxx>
. Example LAI ULI:345.08.d009
.
Example syntax that includes all of the ULIs:
set uli 123.12.0a0a.0F0F 456.45.0b0b.0E0E 456.45.0c0c.0c 505.02.d008 505.02.d008123 505.02.d009
If you do not need to include all six ULIs, you can enter a subset and use 0
as a placeholder for missing ULIs. You do not need to add trailing zeros. For example, if you only need to include a CGI and a SAI ULI, you can just enter the two ULIs as follows.
set uli 123.12.0a0a.0F0F 123.12.0a0a.0F0F
If you need to include a RAI and ECGI ULI, use 0s for the missing ULIs as follows:
set uli 0 0 456.45.0c0c.0c 0 505.02.d008123
You can also use the *
wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern the *
cannot be followed by a number.
Example CGI ULI pattern: 123.*.0a0a.0F0F
.
Example LAI ULI pattern: 345.08.d00*
.