FortiOS Carrier

GTPv2 message filtering
Using GTPv2 message filtering, you can configure a GTP profile to allow or deny different types of GTPv2 messages. All message types are allowed by default; you create message filters to select the messages to deny.

You can also use unknown message filtering to filter GTPv2 message types that FortiOS Carrier does not have message filtering options for. Unknown messages are usually new messages that are in use on your network but have only recently been added to GTPv2 by the 3GPP. These messages may be considered by the 3GPP as reserved or for future use.

You can set unknown-message to deny to block all unknown GTPv2 message types. If you set unknown-message to deny, you can allow selected unknown message types by adding the IDs of these message types to the unknown-message-white-list option.

For example, FortiOS Carrier does not have a message filter for message types 40 and 41: Remote UE Report Notification / Acknowledge. You can use the following configuration to create a GTPv2 message filter that denies unknown message types but allows message types 40 and 41:

config gtp message-filter-v2
    edit <name>
        set unknown-message deny
        set unknown-message-white-list 40 41
    end

From the CLI, use the following command to add GTPv2 message filtering to a GTP profile:

config firewall gtp
    edit <name>
        set message-filter-v2 <gtpv2-message-filter-name>
    end

Use the following command to create a GTPv2 message filter:

config gtp message-filter-v2
    edit <name>
        set unknown-message {allow | deny}
        set unknown-message-white-list {1 2 ... 255}
        set echo {allow | deny}
        set version-not-support {allow | deny}
        set create-session {allow | deny}
        set modify-bearer-req-resp {allow | deny}
        set context-req-res-ack {allow | deny}
        set forward-relocation-req-res {allow | deny}
        set forward-relocation-cmp-notif-ack {allow | deny}
        set delete-session {allow | deny}
        set change-notification {allow | deny}
        set modify-bearer-cmd-fail {allow | deny}
        set delete-bearer-cmd-fail {allow | deny}
        set bearer-resource-cmd-fail {allow | deny}
        set trace-session {allow | deny}
        set create-bearer {allow | deny}
        set update-bearer {allow | deny}
        set delete-bearer-req-resp {allow | deny}
        set delete-pdn-connection-set {allow | deny}
        set suspend {allow | deny}
        set resume {allow | deny}
        set update-pdn-connection-set {allow | deny}
    end

From the GUI, create or edit a GTP profile, select Message Filtering, and select a message filter to add a GTPv2 message filter to the profile.

To create a GTPv2 message filter from the GUI, go to Security Profiles > GTP Message Filters and select Create New > Message filter for GTPv2.

The following table lists FortiOS Carrier GTPv2 message type filtering options and describes the GTPv2 message types and message IDs they apply to.

Message filtering option            GTPv2 message types and values
echo                                Echo request (1), Echo response (2).
version-not-support                 Version not supported (3).
create-session                      Create session request (32), Create session response (33).
modify-bearer-req-resp              Modify bearer request (34), Modify bearer response (35).
delete-session                      Delete session request (36), Delete session response (37).
change-notification                 Change notification request (38), Change notification response (39).
modify-bearer-cmd-fail              Modify bearer command (64), Modify bearer failure indication (65).
delete-bearer-cmd-fail              Delete bearer command (66), Delete bearer failure indication (67).
bearer-resource-cmd-fail            Bearer resource command (68), Bearer resource failure indication (69).
trace-session                       Trace session activation (71), Trace session deactivation (72).
create-bearer                       Create bearer request (95), Create bearer response (96).
update-bearer                       Update bearer request (97), Update bearer response (98).
delete-bearer-req-resp              Delete bearer request (99), Delete bearer response (100).
delete-pdn-connection-set           Delete PDN connection set request (101), Delete PDN connection set response (102).
context-req-res-ack                 Context request (130), Context response (131), Context acknowledge (132).
forward-relocation-req-res          Forward relocation request (133), Forward relocation response (134).
forward-relocation-cmp-notif-ack    Forward relocation complete notification (135), Forward relocation complete acknowledge (136).
suspend                             Suspend notify (162), Suspend ack (163).
resume                              Resume notify (164), Resume ack (165).
update-pdn-connection-set           Update PDN connection set request (200), Update PDN connection set response (201).
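As an added illustration (example code, not FortiOS Carrier's implementation), the following Python models the decision a GTPv2 message filter makes for a given message type: named options cover the message IDs in the table above, and anything not covered falls through to unknown-message and its white list. The GTPv2 header layout it assumes (version in the top three bits of octet 1, message type in octet 2) is from 3GPP TS 29.274; the profile and sample packet are constructed.

```python
# Added example, not FortiOS code: models a GTPv2 message filter's allow/deny
# decision using the option-to-message-type mapping from the table above.
# Filtering option -> GTPv2 message type IDs it covers.
FILTER_OPTIONS = {
    "echo": {1, 2}, "version-not-support": {3},
    "create-session": {32, 33}, "modify-bearer-req-resp": {34, 35},
    "delete-session": {36, 37}, "change-notification": {38, 39},
    "modify-bearer-cmd-fail": {64, 65}, "delete-bearer-cmd-fail": {66, 67},
    "bearer-resource-cmd-fail": {68, 69}, "trace-session": {71, 72},
    "create-bearer": {95, 96}, "update-bearer": {97, 98},
    "delete-bearer-req-resp": {99, 100}, "delete-pdn-connection-set": {101, 102},
    "context-req-res-ack": {130, 131, 132},
    "forward-relocation-req-res": {133, 134},
    "forward-relocation-cmp-notif-ack": {135, 136},
    "suspend": {162, 163}, "resume": {164, 165},
    "update-pdn-connection-set": {200, 201},
}

def gtpv2_message_type(packet: bytes):
    """Return the message type from a GTPv2 header, or None if not GTPv2
    (assumed layout per 3GPP TS 29.274: version = top 3 bits of octet 1)."""
    if len(packet) < 4 or (packet[0] >> 5) != 2:
        return None
    return packet[1]  # octet 2 carries the message type

def filter_decision(msg_type: int, profile: dict) -> str:
    """profile mirrors the CLI: each option maps to 'allow' or 'deny', plus
    'unknown-message' and 'unknown-message-white-list' (a set of IDs).
    Options that are not present behave as the default, allow."""
    for option, types in FILTER_OPTIONS.items():
        if msg_type in types:
            return profile.get(option, "allow")
    # No option covers this type, so the unknown-message setting decides.
    if profile.get("unknown-message", "allow") == "allow":
        return "allow"
    white_list = profile.get("unknown-message-white-list", set())
    return "allow" if msg_type in white_list else "deny"

# Constructed profile: the page's example (deny unknown, white-list 40 and 41)
# with trace-session additionally denied.
PROFILE = {"unknown-message": "deny", "unknown-message-white-list": {40, 41},
           "trace-session": "deny"}

def decide_packet(packet: bytes, profile: dict = PROFILE) -> str:
    msg_type = gtpv2_message_type(packet)
    return "not-gtpv2" if msg_type is None else filter_decision(msg_type, profile)

# Constructed Remote UE Report Notification (type 40): 0x48 = version 2, T flag set.
SAMPLE = bytes([0x48, 40, 0x00, 0x08]) + bytes(8)
```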
