GTPv0/v1 message filtering

FortiOS Carrier supports message filtering for all GTPv0/v1 message types as defined by 3GPP TS 29.060. Using GTPv0/v1 message filtering, you can configure a GTP profile to allow or deny different types of GTPv0/v1 messages. All message types are allowed by default; you create message filters to select the message types to deny.

You can also use unknown message filtering to filter GTPv0/v1 message types that FortiOS Carrier does not have message filtering options for. Unknown messages are usually new messages that are in use on your network but have only recently been added to GTPv0/v1 by the 3GPP. The 3GPP may list these message types as reserved or for future use.

You can set unknown-message to deny to block all unknown GTPv0/v1 message types. If you set unknown-message to deny, you can still allow selected unknown message types by adding their message-type IDs to the unknown-message-white-list option.

From the CLI, use the following command to add GTPv0/v1 message filtering to a GTP profile:

config firewall gtp
    edit <name>
        set message-filter-v0v1 <gtpv0v1-message-filter-name>
end

Use the following command to create a GTPv0/v1 message filter:

config gtp message-filter-v0v1
    edit <name>
        set unknown-message {allow | deny}
        set unknown-message-white-list {1 2 ... 255}
        set echo {allow | deny}
        set version-not-support {allow | deny}
        set node-alive {allow | deny}
        set redirection {allow | deny}
        set create-pdp {allow | deny}
        set update-pdp {allow | deny}
        set delete-pdp {allow | deny}
        set v0-create-aa-pdp--v1-init-pdp-ctx {allow | deny}
        set delete-aa-pdp {allow | deny}
        set error-indication {allow | deny}
        set pdu-notification {allow | deny}
        set support-extension {allow | deny}
        set send-route {allow | deny}
        set failure-report {allow | deny}
        set note-ms-present {allow | deny}
        set identification {allow | deny}
        set sgsn-context {allow | deny}
        set fwd-relocation {allow | deny}
        set relocation-cancel {allow | deny}
        set fwd-srns-context {allow | deny}
        set ue-registration-query {allow | deny}
        set ran-info {allow | deny}
        set mbms-notification {allow | deny}
        set create-mbms {allow | deny}
        set update-mbms {allow | deny}
        set delete-mbms {allow | deny}
        set mbms-registration {allow | deny}
        set mbms-de-registration {allow | deny}
        set mbms-session-start {allow | deny}
        set mbms-session-stop {allow | deny}
        set mbms-session-update {allow | deny}
        set ms-info-change-notif {allow | deny}
        set data-record {allow | deny}
        set end-marker {allow | deny}
        set gtp-pdu {allow | deny}
end

From the GUI, create or edit a GTP profile, select Message Filtering, and select a message filter to add a GTPv0/v1 message filter to the profile.

To create a GTPv0/v1 message filter from the GUI, go to Security Profiles > GTP Message Filters and select Create New > Message filter for GTPv0/v1.

The following table lists the FortiOS Carrier GTPv0/v1 message filtering options and the GTPv0/v1 message types and message-type IDs each option applies to.

Message filtering option            GTPv0/v1 message types and values
echo                                Echo request (1). Echo response (2).
version-not-support                 Version not supported (3).
node-alive                          Node alive request (4). Node alive response (5).
redirection                         Redirection request (6). Redirection response (7).
create-pdp                          Create PDP context request (16). Create PDP context response (17).
update-pdp                          Update PDP context request (18). Update PDP context response (19).
delete-pdp                          Delete PDP context request (20). Delete PDP context response (21).
v0-create-aa-pdp--v1-init-pdp-ctx   GTPv0: Create AA PDP context request (22). Create AA PDP context response (23).
                                    or GTPv1: Initiate PDP context activation request (22). Initiate PDP context activation response (23).
delete-aa-pdp                       GTPv0: Delete AA PDP context request (24). Delete AA PDP context response (25).
error-indication                    Error indication (26).
pdu-notification                    PDU notification request (27). PDU notification response (28). Reject PDU notification request (29). Reject PDU notification response (30).
support-extension                   GTPv1: Supported extension headers notification (31).
send-route                          Send routing information for GPRS request (32). Send routing information for GPRS response (33).
failure-report                      Failure report request (34). Failure report response (35).
note-ms-present                     Note MS GPRS present request (36). Note MS GPRS present response (37).
identification                      Identification request (48). Identification response (49).
sgsn-context                        SGSN context request (50). SGSN context response (51). SGSN context acknowledge (52).
fwd-relocation                      GTPv1: Forward relocation request (53). Forward relocation response (54). Forward relocation complete (55). Forward relocation complete acknowledge (59).
relocation-cancel                   GTPv1: Relocation cancel request (56). Relocation cancel response (57).
fwd-srns-context                    GTPv1: Forward SRNS context (58). Forward SRNS context acknowledge (60).
ue-registration-query               UE registration query request (61). UE registration query response (62).
ran-info                            GTPv1: RAN information relay (70).
mbms-notification                   GTPv1: MBMS notification request (96). MBMS notification response (97). MBMS notification reject request (98). MBMS notification reject response (99).
create-mbms                         GTPv1: Create MBMS context request (100). Create MBMS context response (101).
update-mbms                         GTPv1: Update MBMS context request (102). Update MBMS context response (103).
delete-mbms                         GTPv1: Delete MBMS context request (104). Delete MBMS context response (105).
mbms-registration                   GTPv1: MBMS registration request (112). MBMS registration response (113).
mbms-de-registration                GTPv1: MBMS de-registration request (114). MBMS de-registration response (115).
mbms-session-start                  GTPv1: MBMS session start request (116). MBMS session start response (117).
mbms-session-stop                   GTPv1: MBMS session stop request (118). MBMS session stop response (119).
mbms-session-update                 GTPv1: MBMS session update request (120). MBMS session update response (121).
ms-info-change-notif                GTPv1: MS info change notification request (128). MS info change notification response (129).
data-record                         Data record transfer request (240). Data record transfer response (241).
end-marker                          GTPv1: End marker (254).
gtp-pdu                             G-PDU (255).
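As an added illustration, not FortiOS code, the following Python models the filter decision that the CLI options and the table above describe: a message type listed in the table is governed by its own option, and any other type is governed by unknown-message and its white list. It assumes the CLI option names as profile keys, unset options meaning allow, and the constructed sample headers shown at the end.

```python
# Added example (not FortiOS code): model of the GTPv0/v1 message-filter decision above.
FILTER_OPTIONS = {  # CLI option -> 3GPP TS 29.060 message-type IDs, from the table
    "echo": (1, 2), "version-not-support": (3,), "node-alive": (4, 5),
    "redirection": (6, 7), "create-pdp": (16, 17), "update-pdp": (18, 19),
    "delete-pdp": (20, 21), "v0-create-aa-pdp--v1-init-pdp-ctx": (22, 23),
    "delete-aa-pdp": (24, 25), "error-indication": (26,),
    "pdu-notification": (27, 28, 29, 30), "support-extension": (31,),
    "send-route": (32, 33), "failure-report": (34, 35),
    "note-ms-present": (36, 37), "identification": (48, 49),
    "sgsn-context": (50, 51, 52), "fwd-relocation": (53, 54, 55, 59),
    "relocation-cancel": (56, 57), "fwd-srns-context": (58, 60),
    "ue-registration-query": (61, 62), "ran-info": (70,),
    "mbms-notification": (96, 97, 98, 99), "create-mbms": (100, 101),
    "update-mbms": (102, 103), "delete-mbms": (104, 105),
    "mbms-registration": (112, 113), "mbms-de-registration": (114, 115),
    "mbms-session-start": (116, 117), "mbms-session-stop": (118, 119),
    "mbms-session-update": (120, 121), "ms-info-change-notif": (128, 129),
    "data-record": (240, 241), "end-marker": (254,), "gtp-pdu": (255,),
}
OPTION_BY_TYPE = {t: name for name, ids in FILTER_OPTIONS.items() for t in ids}

def message_type(pkt: bytes):
    """Return (version, message type): the version is the top 3 bits of octet 0
    and the message type is octet 1 in both the GTPv0 and GTPv1 headers."""
    if len(pkt) < 2:
        raise ValueError("truncated GTP header")
    return pkt[0] >> 5, pkt[1]

def decide(pkt: bytes, profile: dict) -> str:
    """profile maps CLI option names to 'allow'/'deny', plus the key
    'unknown-message-white-list' as a set of IDs. Unset options mean allow."""
    version, mtype = message_type(pkt)
    if version not in (0, 1):
        raise ValueError("not a GTPv0/v1 message (version %d)" % version)
    option = OPTION_BY_TYPE.get(mtype)
    if option is not None:  # a listed type: its own option decides
        return profile.get(option, "allow")
    # Not in the table: unknown-message decides, and the white list is only
    # consulted when unknown-message is deny (assumption: it never overrides
    # a type that has its own option).
    if profile.get("unknown-message", "allow") == "deny":
        allowed = profile.get("unknown-message-white-list", set())
        return "allow" if mtype in allowed else "deny"
    return "allow"

# Constructed sample headers: flags octet (version in the top 3 bits), type octet, padding.
V1_ECHO_REQ = bytes([0x32, 0x01]) + bytes(6)     # GTPv1, Echo request (1)
V0_CREATE_PDP = bytes([0x1E, 0x10]) + bytes(18)  # GTPv0, Create PDP context request (16)
V1_TYPE_8 = bytes([0x32, 0x08]) + bytes(6)       # GTPv1, type 8: no option in the table
```

Running decide() over the three sample headers with a profile that denies create-pdp, denies unknown messages and white-lists ID 8 shows the three paths: allowed by default, denied by its own option, and allowed only through the white list.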