Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiOS Carrier

    7.0.9
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.6
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    5.6.0

    Configuring PFCP profiles

    Configuring PFCP profiles

    Use the following command to configure a PFCP profile:

    config firewall pfcp

    edit "pfcp-prf"

    set min-message-length <min-length>

    set max-message-length <max-length>

    set monitor-mode {disable | enable | vdom}

    set message-filter <filter-name>

    set pfcp-timeout <timeout>

    set unknown-version {allow | deny}

    set invalid-reserved-field {allow | deny}

    set forwarded-log {disable | enable}

    set denied-log {disable | enable}

    set traffic-count-log {disable | enable}

    set log-freq <frequency>

    end

    Option

    Description
    min-message-length
    max-message-length         		Define the acceptable message size range in bytes. Normally this is controlled by the protocol and will vary for different message types. If a packet is smaller or larger than this range, it is discarded as it is likely malformed and a potential security risk. The default ranges is 0 to 1452 bytes. For each option, the default is 0 which means no limit.
    monitor-mode {disable | enable | vdom}

    Enable or disable PFCP monitor mode or set the PFCP profile to VDOM monitor mode (the default).

    When enabled, if a PFCP packet is to be dropped due to a PFCP deny case, instead of being dropped, it will be forwarded and logged with the original deny log message and a -monitor suffix (for example, state-invalid-monitor).

    If you select vdom, the monitor mode for this profile is set for all PFCP profiles in the current VDOM by the following option:

    config system settings

    set pfcp-monitor-mode {disable | enable}

    end

    pfcp-monitor-mode is disabled by default.
    message-filter

    Select a PFCP message filter. Use the config pfcp message-filter command to create message filters. See Configuring PFCP message filters.
    pfcp-timeout

    The PFCP timeout (in seconds). The range is 0 to 4294967295 seconds. The default timeout is 86400 seconds. This option allows you to use the PFCP profile to customize the timer for PFCP sessions.
    unknown-version

    Allow or deny unknown version PFCP packets. Packets with unknown versions are allowed by default.
    invalid-reserved-field

    Allow or deny PFCP packets with invalid reserved packet header fields. Packets with invalid reserved packet header fields are denied by default.
    forwarded-log

    Enable or disable logging forwarded PFCP packets. Enabled by default.
    denied-log

    Enable or disable logging denied PFCP packets. Enabled by default.

    traffic-count-log

    Enable or disable logging session traffic counter. Enabled by default.

    log-freq control

    How often log messages are created for PFCP packets. The range is 0 to 4294967295. The default is 0 which means no frequency control.
    Previous
    Next

    Configuring PFCP profiles

    Configuring PFCP profiles

    Use the following command to configure a PFCP profile:

    config firewall pfcp

    edit "pfcp-prf"

    set min-message-length <min-length>

    set max-message-length <max-length>

    set monitor-mode {disable | enable | vdom}

    set message-filter <filter-name>

    set pfcp-timeout <timeout>

    set unknown-version {allow | deny}

    set invalid-reserved-field {allow | deny}

    set forwarded-log {disable | enable}

    set denied-log {disable | enable}

    set traffic-count-log {disable | enable}

    set log-freq <frequency>

    end

    Option

    Description
    min-message-length
    max-message-length         		Define the acceptable message size range in bytes. Normally this is controlled by the protocol and will vary for different message types. If a packet is smaller or larger than this range, it is discarded as it is likely malformed and a potential security risk. The default ranges is 0 to 1452 bytes. For each option, the default is 0 which means no limit.
    monitor-mode {disable | enable | vdom}

    Enable or disable PFCP monitor mode or set the PFCP profile to VDOM monitor mode (the default).

    When enabled, if a PFCP packet is to be dropped due to a PFCP deny case, instead of being dropped, it will be forwarded and logged with the original deny log message and a -monitor suffix (for example, state-invalid-monitor).

    If you select vdom, the monitor mode for this profile is set for all PFCP profiles in the current VDOM by the following option:

    config system settings

    set pfcp-monitor-mode {disable | enable}

    end

    pfcp-monitor-mode is disabled by default.
    message-filter

    Select a PFCP message filter. Use the config pfcp message-filter command to create message filters. See Configuring PFCP message filters.
    pfcp-timeout

    The PFCP timeout (in seconds). The range is 0 to 4294967295 seconds. The default timeout is 86400 seconds. This option allows you to use the PFCP profile to customize the timer for PFCP sessions.
    unknown-version

    Allow or deny unknown version PFCP packets. Packets with unknown versions are allowed by default.
    invalid-reserved-field

    Allow or deny PFCP packets with invalid reserved packet header fields. Packets with invalid reserved packet header fields are denied by default.
    forwarded-log

    Enable or disable logging forwarded PFCP packets. Enabled by default.
    denied-log

    Enable or disable logging denied PFCP packets. Enabled by default.

    traffic-count-log

    Enable or disable logging session traffic counter. Enabled by default.

    log-freq control

    How often log messages are created for PFCP packets. The range is 0 to 4294967295. The default is 0 which means no frequency control.
    Previous
    Next