
FortiOS Carrier

General GTP profile settings

The following general settings are available when creating and editing GTP profiles from the CLI.

A subset of these settings is also available when editing a GTP profile on the GUI. To configure GTP profile general settings from the GUI, edit a GTP profile and open General Settings.

config firewall gtp
    edit <name>
        set gtp-in-gtp {allow | deny}
        set min-message-length <length>
        set max-message-length <length>
        set tunnel-limit <number-of-tunnels>
        set tunnel-timeout <time>
        set control-plane-message-rate-limit <packets-per-second>
        set handover-group <firewall-address>
        set authorized-sgsns <firewall-address>
        set invalid-sgsns-to-log <firewall-address>
        set authorized-ggsns <firewall-address>
        set remove-if-echo-expires {disable | enable}
        set remove-if-recovery-differ {disable | enable}
        set send-delete-when-timeout {disable | enable}
        set send-delete-when-timeout-v2 {disable | enable}
        set unknown-version-action {allow | deny}
        set echo-request-interval <time>
        set half-open-timeout <timeout>
        set half-close-timeout <timeout>
        set monitor-mode {disable | enable | vdom}
    next
end

gtp-in-gtp

On the GUI: General Settings > GTP-in-GTP. Select allow to permit GTP packets that themselves carry GTP packets, that is, a GTP tunnel encapsulated inside another GTP tunnel. Select deny to block all GTP-in-GTP packets.

min-message-length
max-message-length

On the GUI: General Settings > Message length. Define the acceptable message size range in bytes. Message size is normally dictated by the protocol and varies by message type. A packet smaller or larger than this range is discarded, because it is probably malformed and a potential security risk. The default range is 0 to 1452 bytes.

tunnel-limit

On the GUI: General Settings > Tunnel limit. See GTP tunnel limiting.

tunnel-timeout

On the GUI: General Settings > Tunnel timeout. Enter the maximum number of seconds that a GTP tunnel is allowed to remain active. After the timeout, FortiOS Carrier deletes GTP tunnels that have stopped processing data. A GTP tunnel can hang for various reasons; for example, the Delete PDP Context response can be lost during tunnel tear-down. Setting a timeout lets FortiOS Carrier remove such hanging tunnels. The default is 86400 seconds (24 hours).

control-plane-message-rate-limit

On the GUI: General Settings > Control plane message rate limit. Enter a rate in packets per second to limit control-plane traffic and protect the GSNs from Denial of Service (DoS) attacks. The default of 0 applies no rate limit. GTP DoS attacks include:

  • Border gateway bandwidth saturation: a malicious operator connected to your IPX/GRX generates high traffic towards your border gateway to consume all of its bandwidth.
  • GTP flood: a GSN is flooded with illegitimate traffic.

handover-group

On the GUI: General Settings > Handover group. Select the firewall address that contains the IP addresses allowed to take over a GTP session when the mobile device moves location. Handover is a fundamental feature of GPRS/UMTS that lets subscribers move from one area of coverage to another without interrupting active sessions. Session hijacking can originate from the SGSN or the GGSN side: a fraudulent GSN can intercept another GSN and redirect traffic to itself, which can be exploited to hijack GTP tunnels or cause a denial of service. When a handover group is defined it acts as an allow list with an implicit deny at the end: the GSN address must be in the group or the GTP message is blocked. This stops handover requests from untrusted GSNs.

authorized-sgsns

On the GUI: General Settings > Authorized SGSNs. Select a firewall address. Only SGSNs and SGWs that match the address are allowed to send packets through FortiOS Carrier; all other SGSNs and SGWs are blocked. Use this to admit only SGSNs or SGWs that have a roaming agreement with your organization.

invalid-sgsns-to-log

Select a firewall address that matches invalid SGSNs. When a packet from a matching SGSN is seen, an invalid SGSN log message is recorded.

authorized-ggsns

On the GUI: General Settings > Authorized GGSNs. Select a firewall address. Only GGSNs and PGWs that match the address are allowed to send packets through the unit; all other GGSNs and PGWs are blocked. Use this to admit only GGSNs or PGWs that have a roaming agreement with your organization.

remove-if-echo-expires

Enable to remove sessions when the echo response expires. Disabled by default.

remove-if-recovery-differ

Enable to remove a session when the Recovery IE (the peer's restart counter) differs from the value previously seen. Disabled by default.

send-delete-when-timeout

Enable to send a DELETE request to the path endpoints when a GTPv0/v1 tunnel times out. Disabled by default.

send-delete-when-timeout-v2

Enable to send a DELETE request to the path endpoints when a GTPv2 tunnel times out. Disabled by default.

unknown-version-action

Allow or deny sessions with unknown GTP versions. Unknown GTP versions are allowed by default.

echo-request-interval

Set the amount of time to wait for an echo request. The default is 0, which means there is no limit on how long to wait for an echo request.

half-open-timeout

Set the half-open timeout in seconds for GTP sessions. The range is 1 to 300 and the default is 300. This option lets the GTP profile customize the half-open timer for GTP sessions.

half-close-timeout

Set the half-close timeout in seconds for GTP sessions. The range is 1 to 30 and the default is 10. This option lets the GTP profile customize the half-close timer for GTP sessions.

monitor-mode

Set the GTP monitor mode for all GTP versions. You can enable or disable monitoring mode globally, or select vdom (the default) to control monitoring mode per VDOM.

When monitoring is enabled, a GTP packet that would otherwise be dropped for a GTP deny reason such as:

  • GTP_DENY
  • GTP_RATE_LIMIT
  • GTP_STATE_INVALID
  • GTP_TUNNEL_LIMIT

is forwarded instead, and logged with the original deny log message plus a -monitor suffix (for example, state-invalid-monitor). Because denied traffic is still forwarded, use monitor mode to validate a new profile against live traffic and return it to disable once the -monitor logs show no unexpected matches.
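The following is an added example of a hardened GTP profile built from the settings above, placed beside a profile that leaves the defaults in place. It is not configuration from the original page or from Fortinet. The profile and address object names, the IP ranges, the 2000 packets-per-second limit and the timer values are illustrative assumptions, and the final firewall policy stanza assumes the profile is attached with set gtp-profile and that the predefined GTP service exists on the unit.

```fortios
# Added example, not from the original page. Names, addresses and
# numeric values are illustrative assumptions.

# One firewall address per role: handover-group, authorized-sgsns,
# authorized-ggsns and invalid-sgsns-to-log each take a single address.
config firewall address
    edit "roaming-sgsn-range"
        set type iprange
        set start-ip 192.0.2.10
        set end-ip 192.0.2.20
    next
    edit "home-ggsn-net"
        set type ipmask
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "handover-peers"
        set type ipmask
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "known-bad-sgsns"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall gtp
    # Weak baseline: every value is the documented default, so nested
    # tunnels, unknown versions and unlimited control-plane rates all pass,
    # and no GSN allow list is enforced.
    edit "gtp-permissive"
        set gtp-in-gtp allow
        set control-plane-message-rate-limit 0
        set unknown-version-action allow
        set tunnel-timeout 86400
        set monitor-mode vdom
    next

    # Hardened profile for a roaming border.
    edit "gtp-roaming-hardened"
        # A GTP tunnel inside another GTP tunnel has no legitimate use here.
        set gtp-in-gtp deny
        # Cap control-plane traffic; 0 would mean no limit (assumed value).
        set control-plane-message-rate-limit 2000
        # Allow lists with implicit deny: only these GSNs may originate or
        # take over tunnels.
        set handover-group "handover-peers"
        set authorized-sgsns "roaming-sgsn-range"
        set authorized-ggsns "home-ggsn-net"
        set invalid-sgsns-to-log "known-bad-sgsns"
        # Reap hanging tunnels sooner than the 86400 s default and tell the
        # path endpoints, so a lost Delete PDP Context response does not
        # leave state behind on either side.
        set tunnel-timeout 43200
        set send-delete-when-timeout enable
        set send-delete-when-timeout-v2 enable
        # A dead path or a restarted peer (Recovery IE changed) ends the
        # session instead of leaving a stale tunnel open.
        set remove-if-echo-expires enable
        set remove-if-recovery-differ enable
        # Unknown versions are allowed by default; deny them explicitly.
        set unknown-version-action deny
        set half-open-timeout 60
        # Roll out in monitor mode first: denies are forwarded and logged
        # with a -monitor suffix. Set to disable once the logs are clean.
        set monitor-mode enable
    next
end

# Attach the hardened profile to the roaming policy (assumed syntax).
config firewall policy
    edit 0
        set name "roaming-gtp"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "roaming-sgsn-range"
        set dstaddr "home-ggsn-net"
        set action accept
        set schedule "always"
        set service "GTP"
        set gtp-profile "gtp-roaming-hardened"
        set logtraffic all
    next
end
```

Lines beginning with # are explanatory comments and can be dropped when pasting into the CLI. The two profiles differ only in the settings this page describes, so diffing them shows exactly which defaults leave the GSNs exposed: GTP-in-GTP allowed, no rate limit, unknown versions allowed, and no handover or authorized-GSN allow list.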
