FortiOS Carrier

Encapsulated non-IP end user traffic filtering

Much of the traffic on the GPRS network is IP traffic. However, some parts of the network do not use IP-based addressing.

Depending on the installed environment, it may be beneficial to detect GTP packets that encapsulate non-IP based protocols. You can configure FortiOS Carrier to permit a list of acceptable protocols, with all other protocols denied.

The encapsulated protocol is identified by the PDP Type Organization and PDP Type Number fields within the End User Address Information Element. The PDP Type Organization is a 4-bit field that indicates whether the protocol is defined by ETSI or by the IETF; the values are zero and one, respectively. The PDP Type Number field is one byte long. Both GTP specifications list only PPP, with a PDP Type Number of one, as a valid ETSI protocol. The IETF PDP Type Numbers are taken from the “Assigned PPP DLL Protocol Numbers” section of RFC 1700. The PDP Type Numbers are compressed, meaning that the most significant byte of the two-byte PPP protocol number is dropped, which limits the protocols that can be listed to 0x00 through 0xFF.

You can use the following command to enable non-IP end user traffic filtering and add non-IP filtering policies to a GTP profile:

config firewall gtp
    edit <name>
        set noip-filter enable
        set default-noip-action allow
        config noip-policy
            edit <id>
                set type {etsi | ietf}
                set start <protocol-number>
                set end <protocol-number>
                set action {allow | deny}
            next
        end
    next
end

noip-filter enable or disable non-IP end user traffic filtering. Disabled by default.

default-noip-action select allow (the default) to allow all sessions except those blocked by individual non-IP filters. Select deny to block all non-IP sessions except those allowed by individual filters.

start and end select a protocol number range, using the compressed one-byte PDP Type Number. The range can be from 0 to 255.

Select a start and end protocol from the list of protocols in RFC 1700. Allowed range includes 0 to 255 (0x00 to 0xff). Some common protocols include:

  • 33 (0x0021) Internet Protocol
  • 35 (0x0023) OSI Network Layer
  • 63 (0x003f) NETBIOS Framing
  • 65 (0x0041) Cisco Systems
  • 79 (0x004f) IP6 Header Compression
  • 83 (0x0053) Encryption

action select whether to allow or deny traffic that matches the type and protocol number range. The default is allow.
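The following is an added illustration, not FortiOS code: it decodes the PDP Type Organization nibble and the PDP Type Number byte from a raw GTPv1 End User Address IE and evaluates them against a noip-policy list with a default action, the way the CLI settings above are described. The IE layout (type 0x80, two-byte length, organization in the low nibble of the next octet, then the type number) follows TS 29.060; the sample IEs and the first-match rule ordering are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

IE_END_USER_ADDRESS = 0x80          # GTPv1 IE type for End User Address
ORG_NAMES = {0: "etsi", 1: "ietf"}  # PDP Type Organization values


@dataclass(frozen=True)
class NoIpPolicy:
    """One entry of 'config noip-policy': type, start/end range, action."""
    org: str     # "etsi" or "ietf"
    start: int   # inclusive compressed PDP Type Number, 0..255
    end: int
    action: str  # "allow" or "deny"


def parse_end_user_address(ie: bytes) -> Tuple[str, int]:
    """Return (organization, pdp_type_number) from a raw End User Address IE."""
    if len(ie) < 5 or ie[0] != IE_END_USER_ADDRESS:
        raise ValueError("not an End User Address IE")
    length = int.from_bytes(ie[1:3], "big")
    if length < 2 or len(ie) < 3 + length:
        raise ValueError("truncated End User Address IE")
    org = ie[3] & 0x0F          # high nibble is spare bits, low nibble is the organization
    pdp_type = ie[4]            # compressed one-byte PDP Type Number
    return ORG_NAMES.get(org, f"unknown({org})"), pdp_type


def evaluate(org: str, pdp_type: int, policies: List[NoIpPolicy],
             default_action: str) -> str:
    """First matching policy wins (assumed ordering); otherwise default-noip-action."""
    for p in policies:
        if p.org == org and p.start <= pdp_type <= p.end:
            return p.action
    return default_action


# Constructed profile: default-noip-action deny, allow only PPP (ETSI 1) and IP (IETF 0x21).
EXAMPLE_POLICIES = [
    NoIpPolicy("etsi", 0x01, 0x01, "allow"),
    NoIpPolicy("ietf", 0x21, 0x21, "allow"),
]

# Constructed sample IEs: IPv4 PDP context, PPP, and OSI Network Layer.
SAMPLE_IES = {
    "ipv4": bytes.fromhex("800006f1210a000001"),
    "ppp":  bytes.fromhex("800002f001"),
    "osi":  bytes.fromhex("800002f123"),
}


def decide(ie: bytes) -> str:
    org, pdp_type = parse_end_user_address(ie)
    return evaluate(org, pdp_type, EXAMPLE_POLICIES, default_action="deny")
```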

From the GUI

  1. To create a new non-IP end user traffic filter, edit a GTP profile and open Encapsulated non-IP traffic filtering.

  2. Set the Default action to Allow or Deny.

  3. Select Create New to add a filter.

  4. Set the Type to ETSI or IETF.

  5. Enter the Start and End protocol numbers to define a protocol number range.

    Select a start and end protocol from the list of protocols in RFC 1700. Allowed range includes 0 to 255 (0x00 to 0xff). Some common protocols include:

    • 33 (0x0021) Internet Protocol
    • 35 (0x0023) OSI Network Layer
    • 63 (0x003f) NETBIOS Framing
    • 65 (0x0041) Cisco Systems
    • 79 (0x004f) IP6 Header Compression
    • 83 (0x0053) Encryption
  6. Set Action to Allow or Deny encapsulated non-IP end user traffic based on the selected type and protocol range.
  7. Select OK to save the filter.
