Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiOS Carrier

    7.0.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.6
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    5.6.0

    Adding GTPv0/v1 policy filters to a GTP profile

    Adding GTPv0/v1 policy filters to a GTP profile

    Use the following command to add an GTPv0/v1 policy filter to a GTP profile:

    config firewall gtp

    edit <name>

    set default-policy-action {allow | deny}

    config policy

    edit <id>

    set apnmember <apn-name>

    set messages {create-req create-res update-req update-res}

    set apn-sel-mode {ms net vrf}

    set max-apn-restriction {all public-1 public-2 private-1 private-2}

    set imsi-prefix <prefix>

    set msisdn-prefix <prefix>

    set rat-type {any utran geran wlan gan hspa eutran virtual nbiot}

    set imei <imei-pattern>

    set action {allow | deny}

    set rai <rai-pattern>

    set uli <uli-pattern>

    end

    Set default-policy-action to allow to allow traffic, then use config policy to create GTPv0/v1 policy filters to filter the allowed GTPv0/v1 traffic. Set default-policy-action to deny to block all traffic and then use config policy to create GTPv0/v1policy filters that match the GTPv0/v1f traffic to be allowed.

    Note

    The default-policy-action setting applies to both GTPv0/v1 and GTPv2 policy filters. GTPv2 policy filtering is only active if the policy-filter option is enabled.

    If you do not want your GTP profile to filter both GTPv0/v1 and GTPv2 traffic, you should disable the policy-filter option. If you enable the policy-filter option and set default-policy-action to deny and don't add a GTPv2 policy filter to your GTP profile, the GTP profile will block all GTPv2 traffic accepted by the firewall policy that the GTP profile is added to.

    You can include the * wildcard character when adding IMEI, RAI, and ULI patterns. See the individual descriptions below for details.

    apnmember <apn-name> add an APN or APN group to the policy filter.

    messages {create-req create-res update-req update-res} select the content messages that a filter will match. Select one or more of the available options. Different policy options are available depending on the messages setting.

    • create-req filter PDP context requests (the default). All policy filter options are available.
    • create-res filter PDP context responses. Only the max-apn-restriction and action policy filter options are available.
    • update-req filter update PDP context requests. Only the imsi-prefix, rat-type, action, rai, and uli policy filter options are available.
    • update-res filter update PDP context responses. Only the max-apn-restriction and action policy filter options are available.

    apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

    • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR/HSS did not verify the user's subscription to the network.
    • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR/HSS did not verify the user's subscription to the network.
    • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR/HSS verified the user's subscription to the network.

    max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv1 spec 3GPP TS 29.060, section 7.7.49 APN Restriction.

    • all (the default) match all APNs, no restrictions
    • public-1 match the Public-1 APN used on your network, for example MMS.
    • public-2 match your Public-2 APN used on your network, for example the internet.
    • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
    • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

    imsi-prefix add an IMSI prefix.

    msisdn-prefix add an MSISDN prefix.

    rat-type select the Radio Access Technology (RAT) type as any combination of the following (some RAT types are GTPv1 specific). These fields control how a user accesses the carrier’s network:

    • any any RAT

    • utran UTRAN

    • geran GERAN

    • wlan WLAN

    • gan GAN

    • hspa HSPA

    • eutran EUTRAN

    • virtual Virtual

    • nbiot NB-IoT

    imei <imei-pattern> add a single IMEI or an IMEI pattern that includes the * wildcard character to match multiple IMEIs. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

    A single IMEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

    IMEI patterns must include the three decimal points. In each part of the IMEI pattern the * cannot be followed by a number. The following are some examples of valid IMEI patterns:

    35349006.*.*

    *.987*.1

    *.*.*

    action {allow | deny} allow (the default) or deny traffic matching this policy filter.

    rai <rai-pattern> add a routing area identity (RAI) or an RAI pattern with the format <MCC>.<MNC>.<LAC>.<RAC>. The RAI must use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xx>. Example RAIs: 456.45.0c0c.0c and 123.12.abab.0F.

    You can use the * wildcard to create RAI patterns that match more than one RAIs, for example: 456.45.0c0c.*.

    There is only one SGSN per routing area on a carrier network. This is often used with a ULI to locate a user geographically on a carrier network.

    uli <uli-pattern> a user location identifier (ULI) or ULI pattern. The pattern can use one of the following formats:

    A CGI ULI is prefixed with a 0 and uses the following format: 0:<MCC>.<MNC>.<LAC>.<CI>.

    A SAI ULI is prefixed with a 1 and uses the following format: 1:<MCC>.<MNC>.<LAC>.<SAC>.

    Both ULI types use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xxxx>.

    Example CGI ULI: 0:465.23.0c0c.1f1f. Example SAI ULI: 1:189.23.1a2c.3d4f.

    You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern, the * cannot be followed by a number. Example SAI ULI pattern: 1:189.23.1a2*.3d4f.

    Often the ULI is used with the RAI to locate a user geographically on a carrier’s network.

    Previous
    Next

    Adding GTPv0/v1 policy filters to a GTP profile

    Adding GTPv0/v1 policy filters to a GTP profile

    Use the following command to add an GTPv0/v1 policy filter to a GTP profile:

    config firewall gtp

    edit <name>

    set default-policy-action {allow | deny}

    config policy

    edit <id>

    set apnmember <apn-name>

    set messages {create-req create-res update-req update-res}

    set apn-sel-mode {ms net vrf}

    set max-apn-restriction {all public-1 public-2 private-1 private-2}

    set imsi-prefix <prefix>

    set msisdn-prefix <prefix>

    set rat-type {any utran geran wlan gan hspa eutran virtual nbiot}

    set imei <imei-pattern>

    set action {allow | deny}

    set rai <rai-pattern>

    set uli <uli-pattern>

    end

    Set default-policy-action to allow to allow traffic, then use config policy to create GTPv0/v1 policy filters to filter the allowed GTPv0/v1 traffic. Set default-policy-action to deny to block all traffic and then use config policy to create GTPv0/v1policy filters that match the GTPv0/v1f traffic to be allowed.

    Note

    The default-policy-action setting applies to both GTPv0/v1 and GTPv2 policy filters. GTPv2 policy filtering is only active if the policy-filter option is enabled.

    If you do not want your GTP profile to filter both GTPv0/v1 and GTPv2 traffic, you should disable the policy-filter option. If you enable the policy-filter option and set default-policy-action to deny and don't add a GTPv2 policy filter to your GTP profile, the GTP profile will block all GTPv2 traffic accepted by the firewall policy that the GTP profile is added to.

    You can include the * wildcard character when adding IMEI, RAI, and ULI patterns. See the individual descriptions below for details.

    apnmember <apn-name> add an APN or APN group to the policy filter.

    messages {create-req create-res update-req update-res} select the content messages that a filter will match. Select one or more of the available options. Different policy options are available depending on the messages setting.

    • create-req filter PDP context requests (the default). All policy filter options are available.
    • create-res filter PDP context responses. Only the max-apn-restriction and action policy filter options are available.
    • update-req filter update PDP context requests. Only the imsi-prefix, rat-type, action, rai, and uli policy filter options are available.
    • update-res filter update PDP context responses. Only the max-apn-restriction and action policy filter options are available.

    apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

    • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR/HSS did not verify the user's subscription to the network.
    • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR/HSS did not verify the user's subscription to the network.
    • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR/HSS verified the user's subscription to the network.

    max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv1 spec 3GPP TS 29.060, section 7.7.49 APN Restriction.

    • all (the default) match all APNs, no restrictions
    • public-1 match the Public-1 APN used on your network, for example MMS.
    • public-2 match your Public-2 APN used on your network, for example the internet.
    • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
    • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

    imsi-prefix add an IMSI prefix.

    msisdn-prefix add an MSISDN prefix.

    rat-type select the Radio Access Technology (RAT) type as any combination of the following (some RAT types are GTPv1 specific). These fields control how a user accesses the carrier’s network:

    • any any RAT

    • utran UTRAN

    • geran GERAN

    • wlan WLAN

    • gan GAN

    • hspa HSPA

    • eutran EUTRAN

    • virtual Virtual

    • nbiot NB-IoT

    imei <imei-pattern> add a single IMEI or an IMEI pattern that includes the * wildcard character to match multiple IMEIs. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

    A single IMEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

    IMEI patterns must include the three decimal points. In each part of the IMEI pattern the * cannot be followed by a number. The following are some examples of valid IMEI patterns:

    35349006.*.*

    *.987*.1

    *.*.*

    action {allow | deny} allow (the default) or deny traffic matching this policy filter.

    rai <rai-pattern> add a routing area identity (RAI) or an RAI pattern with the format <MCC>.<MNC>.<LAC>.<RAC>. The RAI must use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xx>. Example RAIs: 456.45.0c0c.0c and 123.12.abab.0F.

    You can use the * wildcard to create RAI patterns that match more than one RAIs, for example: 456.45.0c0c.*.

    There is only one SGSN per routing area on a carrier network. This is often used with a ULI to locate a user geographically on a carrier network.

    uli <uli-pattern> a user location identifier (ULI) or ULI pattern. The pattern can use one of the following formats:

    A CGI ULI is prefixed with a 0 and uses the following format: 0:<MCC>.<MNC>.<LAC>.<CI>.

    A SAI ULI is prefixed with a 1 and uses the following format: 1:<MCC>.<MNC>.<LAC>.<SAC>.

    Both ULI types use the following number of digits (d) and hexadecimal numbers (x): <ddd>.<dd>.<xxxx>.<xxxx>.

    Example CGI ULI: 0:465.23.0c0c.1f1f. Example SAI ULI: 1:189.23.1a2c.3d4f.

    You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern, the * cannot be followed by a number. Example SAI ULI pattern: 1:189.23.1a2*.3d4f.

    Often the ULI is used with the RAI to locate a user geographically on a carrier’s network.

    Previous
    Next