FortiOS Carrier

GTPv2 message filtering

FortiOS Carrier supports message filtering for all GTPv2 message types specified by 3GPP TS 29.274. Using GTPv2 message filtering, you configure a GTP profile to allow or deny different types of GTPv2 messages. All message types are allowed by default; you create message filters to select the messages to deny.

You can also use unknown message filtering to handle GTPv2 message types that FortiOS Carrier has no specific filtering option for. Unknown messages are usually new message types that are in use on your network but have only recently been added to GTPv2 by the 3GPP, or types that the 3GPP marks as reserved or for future use.

Set unknown-message to deny to block all unknown GTPv2 message types. With unknown-message set to deny, you can still allow selected unknown message types by adding their message type IDs to the unknown-message-white-list option.

For example, FortiOS Carrier does not have a message filter for message types 40 and 41: Remote UE Report Notification / Acknowledge. You can use the following configuration to create a GTPv2 message filter that denies unknown message types but allows message types 40 and 41:

config gtp message-filter-v2
    edit <name>
        set unknown-message deny
        set unknown-message-white-list 40 41
    end

From the CLI, use the following command to add GTPv2 message filtering to a GTP profile:

config firewall gtp
    edit <name>
        set message-filter-v2 <gtpv2-message-filter-name>
    end

Use the following command to create a GTPv2 message filter:

config gtp message-filter-v2
    edit <name>
        set unknown-message {allow | deny}
        set unknown-message-white-list {1 2 ... 255}
        set echo {allow | deny}
        set version-not-support {allow | deny}
        set create-session {allow | deny}
        set modify-bearer-req-resp {allow | deny}
        set delete-session {allow | deny}
        set change-notification {allow | deny}
        set remote-ue-report-notif-ack {allow | deny}
        set modify-bearer-cmd-fail {allow | deny}
        set delete-bearer-cmd-fail {allow | deny}
        set bearer-resource-cmd-fail {allow | deny}
        set dlink-notif-failure {allow | deny}
        set trace-session {allow | deny}
        set stop-paging-indication {allow | deny}
        set create-bearer {allow | deny}
        set update-bearer {allow | deny}
        set delete-bearer-req-resp {allow | deny}
        set delete-pdn-connection-set {allow | deny}
        set pgw-dlink-notif-ack {allow | deny}
        set identification-req-resp {allow | deny}
        set context-req-res-ack {allow | deny}
        set forward-relocation-req-res {allow | deny}
        set forward-relocation-cmp-notif-ack {allow | deny}
        set forward-access-notif-ack {allow | deny}
        set relocation-cancel-req-resp {allow | deny}
        set configuration-transfer-tunnel {allow | deny}
        set detach-notif-ack {allow | deny}
        set cs-paging {allow | deny}
        set ran-info-relay {allow | deny}
        set alert-MME-notif-ack {allow | deny}
        set ue-activity-notif-ack {allow | deny}
        set isr-status {allow | deny}
        set ue-registration-query-req-resp {allow | deny}
        set create-forwarding-tunnel-req-resp {allow | deny}
        set suspend {allow | deny}
        set resume {allow | deny}
        set create-indirect-forwarding-tunnel-req-resp {allow | deny}
        set delete-indirect-forwarding-tunnel-req-resp {allow | deny}
        set release-access-bearer-req-resp {allow | deny}
        set dlink-data-notif-ack {allow | deny}
        set reserved-for-earlier-version {allow | deny}
        set pgw-restart-notif-ack {allow | deny}
        set update-pdn-connection-set {allow | deny}
        set modify-access-req-resp {allow | deny}
        set mbms-session-start-req-resp {allow | deny}
        set mbms-session-update-req-resp {allow | deny}
        set mbms-session-stop-req-resp {allow | deny}
    end

From the GUI, create or edit a GTP profile, select Message Filtering, and select a message filter to add a GTPv2 message filter to the profile.

To create a GTPv2 message filter from the GUI, go to Security Profiles > GTP Message Filters and select Create New > Message filter for GTPv2.

The following table lists the FortiOS Carrier GTPv2 message type filtering options and the GTPv2 message types and message type IDs each option applies to.

Message filtering option                      GTPv2 message types and values
echo                                          Echo request (1). Echo response (2).
version-not-support                           Version not supported (3).
create-session                                Create session request (32). Create session response (33).
modify-bearer-req-resp                        Modify bearer request (34). Modify bearer response (35).
delete-session                                Delete session request (36). Delete session response (37).
change-notification                           Change notification request (38). Change notification response (39).
remote-ue-report-notif-ack                    Remote UE report notification (40). Remote UE report acknowledge (41).
modify-bearer-cmd-fail                        Modify bearer command (64). Modify bearer failure indication (65).
delete-bearer-cmd-fail                        Delete bearer command (66). Delete bearer failure indication (67).
bearer-resource-cmd-fail                      Bearer resource command (68). Bearer resource failure indication (69).
dlink-notif-failure                           Downlink data notification failure indication (70).
trace-session                                 Trace session activation (71). Trace session deactivation (72).
stop-paging-indication                        Stop paging indication (73).
create-bearer                                 Create bearer request (95). Create bearer response (96).
update-bearer                                 Update bearer request (97). Update bearer response (98).
delete-bearer-req-resp                        Delete bearer request (99). Delete bearer response (100).
delete-pdn-connection-set                     Delete PDN connection set request (101). Delete PDN connection set response (102).
pgw-dlink-notif-ack                           PGW downlink notification (103). PGW downlink acknowledge (104).
identification-req-resp                       Identification request (128). Identification response (129).
context-req-res-ack                           Context request (130). Context response (131). Context acknowledge (132).
forward-relocation-req-res                    Forward relocation request (133). Forward relocation response (134).
forward-relocation-cmp-notif-ack              Forward relocation complete notification (135). Forward relocation complete acknowledge (136).
forward-access-notif-ack                      Forward access context notification (137). Forward access context acknowledge (138).
relocation-cancel-req-resp                    Relocation cancel request (139). Relocation cancel response (140).
configuration-transfer-tunnel                 Configuration transfer tunnel (141).
detach-notif-ack                              Detach notification (149). Detach acknowledge (150).
cs-paging                                     CS paging indication (151).
ran-info-relay                                RAN information relay (152).
alert-MME-notif-ack                           Alert MME notification (153). Alert MME acknowledge (154).
ue-activity-notif-ack                         UE activity notification (155). UE activity acknowledge (156).
isr-status                                    ISR status indication (157).
ue-registration-query-req-resp                UE registration query request (158). UE registration query response (159).
create-forwarding-tunnel-req-resp             Create forwarding tunnel request (160). Create forwarding tunnel response (161).
suspend                                       Suspend notify (162). Suspend acknowledge (163).
resume                                        Resume notify (164). Resume acknowledge (165).
create-indirect-forwarding-tunnel-req-resp    Create indirect data forwarding tunnel request (166). Create indirect data forwarding tunnel response (167).
delete-indirect-forwarding-tunnel-req-resp    Delete indirect data forwarding tunnel request (168). Delete indirect data forwarding tunnel response (169).
release-access-bearer-req-resp                Release access bearers request (170). Release access bearers response (171).
dlink-data-notif-ack                          Downlink data notification (176). Downlink data acknowledge (177).
reserved-for-earlier-version                  Reserved for earlier version of the GTP specification (178).
pgw-restart-notif-ack                         PGW restart notification (179). PGW restart acknowledge (180).
update-pdn-connection-set                     Update PDN connection set request (200). Update PDN connection set response (201).
modify-access-req-resp                        Modify access bearers request (211). Modify access bearers response (212).
mbms-session-start-req-resp                   MBMS session start request (231). MBMS session start response (232).
mbms-session-update-req-resp                  MBMS session update request (233). MBMS session update response (234).
mbms-session-stop-req-resp                    MBMS session stop request (235). MBMS session stop response (236).
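The following Python is an added example written for this page; it is not FortiOS code and does not use any Fortinet API. It models the decision the CLI options above describe: the message type octet of each GTPv2-C message is looked up in the table, a known type gets the allow/deny action of its option (allow by default), and a type the table does not list is governed by unknown-message and unknown-message-white-list. The header layout follows 3GPP TS 29.274 section 5.1 (version bits, T flag, message type, length, optional TEID, sequence number). The packets are constructed for the demonstration; message type 74, which the table on this page does not list, is used to exercise the unknown-message path, while the page's own example uses 40 and 41, which the table maps to remote-ue-report-notif-ack.

```python
"""Model of GTPv2 message-type filtering, written for this page (not Fortinet code)."""
import struct

# Option name -> GTPv2 message type IDs, transcribed from the table on this page.
FILTER_OPTIONS = {
    "echo": {1, 2}, "version-not-support": {3}, "create-session": {32, 33},
    "modify-bearer-req-resp": {34, 35}, "delete-session": {36, 37},
    "change-notification": {38, 39}, "remote-ue-report-notif-ack": {40, 41},
    "modify-bearer-cmd-fail": {64, 65}, "delete-bearer-cmd-fail": {66, 67},
    "bearer-resource-cmd-fail": {68, 69}, "dlink-notif-failure": {70},
    "trace-session": {71, 72}, "stop-paging-indication": {73},
    "create-bearer": {95, 96}, "update-bearer": {97, 98},
    "delete-bearer-req-resp": {99, 100}, "delete-pdn-connection-set": {101, 102},
    "pgw-dlink-notif-ack": {103, 104}, "identification-req-resp": {128, 129},
    "context-req-res-ack": {130, 131, 132}, "forward-relocation-req-res": {133, 134},
    "forward-relocation-cmp-notif-ack": {135, 136}, "forward-access-notif-ack": {137, 138},
    "relocation-cancel-req-resp": {139, 140}, "configuration-transfer-tunnel": {141},
    "detach-notif-ack": {149, 150}, "cs-paging": {151}, "ran-info-relay": {152},
    "alert-MME-notif-ack": {153, 154}, "ue-activity-notif-ack": {155, 156},
    "isr-status": {157}, "ue-registration-query-req-resp": {158, 159},
    "create-forwarding-tunnel-req-resp": {160, 161}, "suspend": {162, 163},
    "resume": {164, 165}, "create-indirect-forwarding-tunnel-req-resp": {166, 167},
    "delete-indirect-forwarding-tunnel-req-resp": {168, 169},
    "release-access-bearer-req-resp": {170, 171}, "dlink-data-notif-ack": {176, 177},
    "reserved-for-earlier-version": {178}, "pgw-restart-notif-ack": {179, 180},
    "update-pdn-connection-set": {200, 201}, "modify-access-req-resp": {211, 212},
    "mbms-session-start-req-resp": {231, 232}, "mbms-session-update-req-resp": {233, 234},
    "mbms-session-stop-req-resp": {235, 236},
}
# Reverse index: message type -> the option that governs it.
TYPE_TO_OPTION = {t: opt for opt, types in FILTER_OPTIONS.items() for t in types}


def parse_gtpv2_header(data: bytes) -> dict:
    """Decode a GTPv2-C header (3GPP TS 29.274, 5.1) and check its length field."""
    if len(data) < 8:
        raise ValueError("GTPv2-C header needs at least 8 octets")
    flags, msg_type = data[0], data[1]
    if flags >> 5 != 2:                            # version field, bits 6-8 of octet 1
        raise ValueError(f"not GTPv2 (version {flags >> 5})")
    teid_present = bool(flags & 0x08)              # T flag, bit 4 of octet 1
    length = struct.unpack("!H", data[2:4])[0]     # octets that follow the first 4
    min_len = 8 if teid_present else 4             # TEID(4)+seq(3)+spare(1), or seq+spare
    if length < min_len or len(data) < 4 + length:
        raise ValueError("length field disagrees with the captured bytes")
    teid = struct.unpack("!I", data[4:8])[0] if teid_present else None
    seq_off = 8 if teid_present else 4
    return {"type": msg_type, "teid": teid,
            "seq": int.from_bytes(data[seq_off:seq_off + 3], "big")}


class Gtpv2MessageFilter:
    """Mirrors the CLI: per-option allow/deny plus unknown-message and its white list."""

    def __init__(self, unknown_message="allow", white_list=(), options=None):
        if unknown_message not in ("allow", "deny"):
            raise ValueError("unknown-message must be allow or deny")
        self.unknown_message = unknown_message
        self.white_list = set(white_list)
        self.options = dict.fromkeys(FILTER_OPTIONS, "allow")   # allowed by default
        for name, action in (options or {}).items():
            if name not in FILTER_OPTIONS or action not in ("allow", "deny"):
                raise ValueError(f"bad option {name}={action}")   # a typo must not pass
            self.options[name] = action

    def decide(self, msg_type: int):
        """Return (verdict, reason) for one GTPv2 message type value."""
        option = TYPE_TO_OPTION.get(msg_type)
        if option is not None:
            return self.options[option], option
        if msg_type in self.white_list:
            return "allow", "unknown-message-white-list"
        return self.unknown_message, "unknown-message"


def evaluate_capture(policy: Gtpv2MessageFilter, packets) -> list:
    """Apply the filter to raw GTP-C packets and return one verdict record per packet."""
    results = []
    for raw in packets:
        try:
            hdr = parse_gtpv2_header(raw)
        except ValueError as exc:          # GTPv1 or malformed: not a GTPv2 filter decision
            results.append({"type": None, "teid": None, "verdict": "not-gtpv2", "reason": str(exc)})
            continue
        verdict, reason = policy.decide(hdr["type"])
        results.append({"type": hdr["type"], "teid": hdr["teid"], "verdict": verdict, "reason": reason})
    return results


# Constructed sample packets (headers only, no information elements).
SAMPLE_PACKETS = [
    bytes.fromhex("4001000400000100"),          # Echo request (1), no TEID, seq 1
    bytes.fromhex("482000080000000000000200"),  # Create session request (32), TEID 0
    bytes.fromhex("484a00081234567800000300"),  # type 74: not in the table (constructed)
    bytes.fromhex("484b00081234567800000400"),  # type 75: not in the table (constructed)
    bytes.fromhex("484700081234567800000500"),  # Trace session activation (71)
    bytes.fromhex("3010000000000000"),          # GTPv1 header: version field is 1
]

if __name__ == "__main__":
    policy = Gtpv2MessageFilter("deny", white_list={74}, options={"trace-session": "deny"})
    for rec in evaluate_capture(policy, SAMPLE_PACKETS):
        print(rec)
```

The verdict uses only the message type octet, exactly as the per-option settings do; the length and version checks in the parser are separate sanity checks, so that a GTPv1 message or a header whose length field does not match the captured bytes is reported as not-gtpv2 rather than silently matched against the GTPv2 table. Option names are validated on construction so that a misspelled option cannot leave a message type at the default of allow.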
