FortiOS Carrier PFCP protection
The Packet Forwarding Control Protocol (PFCP) is a new addition to 3GPP that provides 4G Control and User Plane Separation (CUPS) and 5G signaling evolution. When PFCP is used as the control plane, the user plane is GTPv1-U. PFCP takes over many of the roles that GTP-C provides in 3G/4G networks today: it provides session awareness and tracking of GTPv1-U user plane traffic while also handling control plane initiation.
PFCP is defined in 3GPP specification TS 29.244.
PFCP runs over UDP, like GTP, and uses port 8805. FortiOS Carrier PFCP protection includes the PFCP session helper and provides inspection and security for the 4G CUPS interfaces (Sxa, Sxb, and Sxc) and the 5G N4 interface. For PFCP protection to work, the PFCP session helper must be enabled; see PFCP session helper.
PFCP is also critical to 5G native security: it lets FortiOS learn control plane session information and use it for valid, granular enforcement of GTPv1-U user plane traffic.
FortiOS Carrier supports PFCP protection for 4G and 5G networks by allowing you to create PFCP profiles. These profiles allow you to apply multiple types of filtering and content checking to PFCP traffic passing through FortiOS Carrier.
PFCP profiles can also include PFCP message filters that allow you to apply actions to different PFCP message types. You can create multiple PFCP message filters and apply them to different PFCP profiles.
Once you have created PFCP profiles and optionally added PFCP message filters to them, you can create firewall policies that accept the PFCP traffic that you want to apply the PFCP profile to.
To create PFCP message filters from the CLI, use the command config pfcp message-filter. See Configuring PFCP message filters.
To create PFCP profiles from the CLI, use the command config firewall pfcp. See Configuring PFCP profiles.
Use the following command to add a PFCP profile to a firewall policy:
config firewall policy
    edit <ID>
        set pfcp-profile <pfcp-profile-name>
end
PFCP log messages appear as subtypes of GTP log messages. PFCP log message samples:
1: date=2021-05-12 time=19:11:44 eventtime=1620871904807305082 tz="-0700" logid="1401041232" type="gtp" subtype="pfcp-all" level="information" vd="vdom1" profile="pfcp-prf" status="prohibited" version=1 msg-type=2 from=10.1.1.2 to=10.2.2.2 deny_cause="invalid-msg-length" ietype=0 dtlexp="none" srcport=8805 dstport=8805 seqnum=2 imsi="unknown" imei-sv="unknown" msisdn="unknown" apn="unknown" nai="unknown" hseid="0000000000000000"
22: date=2021-05-12 time=18:43:45 eventtime=1620870225579005906 tz="-0700" logid="1401041231" type="gtp" subtype="pfcp-all" level="information" vd="vdom1" profile="pfcp-prf" status="forwarded" version=1 msg-type=50 from=10.1.1.2 to=10.2.2.2 srcport=8805 dstport=8805 seqnum=2 imsi="310310000000002" imei-sv="11111111.111113.4" msisdn="3343445565" apn="unknown" nai="user1@fortinet.com" hseid="0000000000000000" cfseid="0000000000002710" cfseidaddr=10.1.1.2