FortiOS Carrier

Configuring PFCP profiles

Use the following command to configure a PFCP profile:

config firewall pfcp
    edit "pfcp-prf"
        set min-message-length <min-length>
        set max-message-length <max-length>
        set monitor-mode {disable | enable | vdom}
        set message-filter <filter-name>
        set pfcp-timeout <timeout>
        set unknown-version {allow | deny}
        set invalid-reserved-field {allow | deny}
        set forwarded-log {disable | enable}
        set denied-log {disable | enable}
        set traffic-count-log {disable | enable}
        set log-freq <frequency>
end

Option

Description

min-message-length
max-message-length

Define the acceptable message size range in bytes. Normally this is controlled by the protocol and varies between message types. If a packet is smaller or larger than this range, it is discarded because it is likely malformed and a potential security risk. The default range is 0 to 1452 bytes. For each option, the default is 0, which means no limit.
monitor-mode {disable | enable | vdom}

Enable or disable PFCP monitor mode or set the PFCP profile to VDOM monitor mode (the default).

When enabled, if a PFCP packet is to be dropped due to a PFCP deny case, instead of being dropped, it will be forwarded and logged with the original deny log message and a -monitor suffix (for example, state-invalid-monitor).

If you select vdom, the monitor mode for this profile is set for all PFCP profiles in the current VDOM by the following option:

config system settings
    set pfcp-monitor-mode {disable | enable}
end

pfcp-monitor-mode is disabled by default.

message-filter

Select a PFCP message filter. Use the config pfcp message-filter command to create message filters. See Configuring PFCP message filters.

pfcp-timeout

The PFCP timeout (in seconds). The range is 0 to 4294967295 seconds. The default timeout is 86400 seconds. This option allows you to use the PFCP profile to customize the timer for PFCP sessions.

unknown-version

Allow or deny unknown version PFCP packets. Packets with unknown versions are allowed by default.

invalid-reserved-field

Allow or deny PFCP packets with invalid reserved packet header fields. Packets with invalid reserved packet header fields are denied by default.

forwarded-log

Enable or disable logging forwarded PFCP packets. Enabled by default.

denied-log

Enable or disable logging denied PFCP packets. Enabled by default.

traffic-count-log

Enable or disable logging session traffic counter. Enabled by default.

log-freq

How often log messages are created for PFCP packets. The range is 0 to 4294967295. The default is 0 which means no frequency control.
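To make the interaction of these options concrete, here is a small Python model of the per-packet decision a PFCP profile makes. It is an added illustration, not FortiOS code: the header layout (first-octet version bits, the spare bits at mask 0x18, the 8-octet fixed header, the length field counting everything after the first four octets) is my reading of 3GPP TS 29.244, the log reason strings are constructed names (the page only gives state-invalid as an example), and the `build_pfcp` helper exists solely to construct test traffic offline. The `vdom` monitor mode is modelled as a lookup of the VDOM-level `pfcp-monitor-mode` value carried in the same profile object.

```python
"""Model of a PFCP profile's per-packet decision (added illustration, not FortiOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PFCP (3GPP TS 29.244) header constants as this example reads the spec;
# treat the bit positions as an assumption, not as what FortiOS checks.
PFCP_VERSION = 1             # the only version the spec defines
FIXED_HEADER_LEN = 8         # flags, type, length, 3-octet sequence number, spare octet
SPARE_BITS_OCTET1 = 0x18     # bits 5-4 of the first octet are spare (reserved)
S_FLAG = 0x01                # SEID-present flag


@dataclass
class PfcpProfile:
    """Profile options from the page that decide a packet's fate, with page defaults."""
    min_message_length: int = 0            # 0 = no limit
    max_message_length: int = 0            # 0 = no limit
    unknown_version: str = "allow"
    invalid_reserved_field: str = "deny"
    monitor_mode: str = "disable"          # disable | enable | vdom
    vdom_pfcp_monitor_mode: str = "disable"  # 'config system settings' value, default disable


def build_pfcp(msg_type: int, seq: int, version: int = PFCP_VERSION,
               flags: int = 0, seid: Optional[int] = None,
               payload: bytes = b"") -> bytes:
    """Build a PFCP message (header + payload); used here only for constructed test traffic."""
    first = ((version & 0x07) << 5) | (flags & 0x1F)
    body = b""
    if seid is not None:
        first |= S_FLAG
        body += seid.to_bytes(8, "big")
    body += seq.to_bytes(3, "big") + b"\x00"   # sequence number + spare octet
    body += payload
    # The length field counts every octet after the first four.
    return bytes([first, msg_type]) + len(body).to_bytes(2, "big") + body


def effective_monitor_mode(profile: PfcpProfile) -> str:
    """'vdom' defers to the VDOM-wide pfcp-monitor-mode setting."""
    if profile.monitor_mode == "vdom":
        return profile.vdom_pfcp_monitor_mode
    return profile.monitor_mode


def classify(packet: bytes, profile: PfcpProfile) -> Tuple[str, str]:
    """Return (action, log_reason): action is 'forward' or 'deny'.

    When monitor mode is in effect a would-be deny is forwarded instead and
    logged with the original reason plus a '-monitor' suffix, as the page states.
    """
    reasons: List[str] = []
    size = len(packet)
    if profile.min_message_length and size < profile.min_message_length:
        reasons.append("message-too-short")
    if profile.max_message_length and size > profile.max_message_length:
        reasons.append("message-too-long")

    if size < FIXED_HEADER_LEN:
        reasons.append("header-truncated")     # too short to carry a PFCP header at all
    else:
        version = packet[0] >> 5
        if version != PFCP_VERSION and profile.unknown_version == "deny":
            reasons.append("unknown-version")
        if packet[0] & SPARE_BITS_OCTET1 and profile.invalid_reserved_field == "deny":
            reasons.append("reserved-field-invalid")

    if not reasons:
        return "forward", "forwarded"
    reason = reasons[0]                        # the first failing check is the one logged
    if effective_monitor_mode(profile) == "enable":
        return "forward", reason + "-monitor"
    return "deny", reason


if __name__ == "__main__":
    heartbeat = build_pfcp(1, seq=1)           # Heartbeat Request, message type 1
    bad_spare = build_pfcp(1, seq=2, flags=0x10)
    print(classify(heartbeat, PfcpProfile()))
    print(classify(bad_spare, PfcpProfile()))
    print(classify(bad_spare, PfcpProfile(monitor_mode="enable")))
```

Running the module prints the forwarded heartbeat, the denied packet with a spare bit set, and the same packet forwarded with a `reserved-field-invalid-monitor` log once monitor mode is enabled; the monitor-mode behaviour is what makes it safe to trial a stricter profile before letting it drop traffic.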