Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiOS Carrier

    7.2.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.6
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    5.6.0

    Adding GTPv2 policy filters to a GTP profile

    Adding GTPv2 policy filters to a GTP profile

    Use the following command to add a GTPv2 policy filter to a GTP profile:

    config firewall gtp

    edit <name>

    set policy-filter enable

    set default-policy-action {allow | deny}

    config policy-v2

    edit <id>

    set apnmember <apn-name>

    set messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res}

    set apn-sel-mode {ms net vrf}

    set max-apn-restriction {all public-1 public-2 private-1 private-2}

    set imsi-prefix <prefix>

    set msisdn-prefix <prefix>

    set rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr}

    set mei <mei-pattern>

    set action {allow | deny}

    set uli <cgi-uli-pattern> <sal-uli-pattern> <rai-uli-pattern> <rai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern>

    end

    You must enable policy-filter to enable GTPv2 policy filtering.

    Set default-policy-action to allow to allow traffic, then use config policy-v2 to create policy filters to filter the allowed traffic. Set default-policy-action to deny to block all traffic and then use config policy-v2 to create policy filters that match the traffic to be allowed.

    Note

    The default-policy-action setting applies to both GTPv0/v1 and GTPv2 policy filters.

    If you set default-policy-action to deny and don't add a GTPv0/v1 policy filter to your GTP profile, the GTP profile will block all GTPv0/v1 traffic accepted by the firewall policy that the GTP profile is added to.

    You can include the * wildcard character when adding MEI and ULI patterns. See the individual descriptions below for details.

    apnmember <apn-name> add an APN or APN group to the policy filter.

    messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res} select the content messages that the filter will match. Select one or more of the available options. Different policy filter options are available depending on the messages setting.

    • create-sess-req create session request (the default). If you just select this message, all policy filter options are available.
    • create-sess-res create session response. Only the max-apn-restriction and action policy filter options are available.
    • modify-bearer-req modify bearer request. Only the rat-type, action, and uli policy filter options are available.
    • modify-bearer-res modify bearer response. Only the max-apn-restriction and action policy filter options are available.

    apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

    • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HSS did not verify the user's subscription to the network.
    • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HSS did not verify the user's subscription to the network.
    • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HSS verified the user's subscription to the network.

    max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv2 spec 3GPP TS 29.274 V15.9.0, subsection 8.57 APN Restriction.

    • all (the default) match all APNs with no restrictions.
    • public-1 match the Public-1 APN used on your network, for example MMS.
    • public-2 match your Public-2 APN used on your network, for example the internet.
    • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
    • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

    imsi-prefix <prefix> add an IMSI prefix.

    msisdn-prefix <prefix> add an MSISDN prefix.

    rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr} set the RAT Type as any combination of the following:

    • any any RAT (the default)

    • utran UTRAN

    • geran GERAN

    • wlan WLAN

    • gan GAN

    • hspa HSPA

    • eutran EUTRAN

    • virtual Virtual

    • nbiot NB-IoT

    • item LTE-M

    • nr NR

    mei <mei-pattern> add a single MEI or an MEI pattern that includes the * wildcard character to match multiple MEIs. The MEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

    A single MEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

    In each part of the MEI pattern the * cannot be followed by a number. The following are some examples of valid MEI patterns:

    35349006.*.*

    *.987*.1

    *.*.*

    action {allow | deny} allow (the default) or deny traffic matching this policy filter.

    uli <cgi-uli-pattern> <sal-uli-pattern> <rai-uli-pattern> <rai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern> add up to six different types of GTPv2 universal location information (ULI) patterns, separated by a space.

    All of the ULI patterns have the format <MCC>.<MNC>.<ID>.<[ID2]>. MCC and MNC are decimal numbers of two or three digits (d). ID and ID2 are hexadecimal numbers of four digits (x).

    • <cgi-uli-pattern> a CGI ULI with the format <ddd>.<dd[d]>.<xxxx>.<xxxx>. Example CGI ULI: 123.12.0a0a.0F0F.

    • <sai-uli-pattern> is an SAI ULI with the format <ddd>.<dd[d]>.<xxxx>.<xxxx>. Example SAI ULI: 523.235.0b0a.0E0F.

    • <rai-uli-pattern> is a Routing Area Identity (RAI) ULI with the format <ddd>.<dd[d]>.<xxxx>.<xx>. Example RAI ULI: 456.45.0c0c.0c.

    • <tai-uli-pattern> is a Tracking Area Identity (TAI) ULI with the format <ddd>.<dd[d]>.<xxxx>. Example TAI ULI: 505.02.d008.

    • <ecgi-uli-pattern> is an E-UTRAN Cell Global Identifier (ECGI) ULI with the format <ddd><dd[d]>.<xxxxxxx>. Example ECGI ULI: 505.02.d008123.

    • <lai-uli-pattern> is a Location Area Identifier (LAI) ULI with the format <ddd>.<dd[d]>.<xxxx>. Example LAI ULI: 345.08.d009.

    Example syntax that includes all of the ULIs:

    set uli 123.12.0a0a.0F0F 456.45.0b0b.0E0E 456.45.0c0c.0c 505.02.d008 505.02.d008123 505.02.d009

    If you do not need to include all six ULIs, you can enter a subset and use 0 as a placeholder for missing ULIs. You do not need to add trailing zeros. For example, if you only need to include a CGI and a SAI ULI, you can just enter the two ULIs as follows.

    set uli 123.12.0a0a.0F0F 123.12.0a0a.0F0F

    If you need to include a RAI and ECGI ULI, use 0s for the missing ULIs as follows:

    set uli 0 0 456.45.0c0c.0c 0 505.02.d008123

    You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern the * cannot be followed by a number.

    Example CGI ULI pattern: 123.*.0a0a.0F0F.

    Example LAI ULI pattern: 345.08.d00*.

    Previous
    Next

    Adding GTPv2 policy filters to a GTP profile

    Adding GTPv2 policy filters to a GTP profile

    Use the following command to add a GTPv2 policy filter to a GTP profile:

    config firewall gtp

    edit <name>

    set policy-filter enable

    set default-policy-action {allow | deny}

    config policy-v2

    edit <id>

    set apnmember <apn-name>

    set messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res}

    set apn-sel-mode {ms net vrf}

    set max-apn-restriction {all public-1 public-2 private-1 private-2}

    set imsi-prefix <prefix>

    set msisdn-prefix <prefix>

    set rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr}

    set mei <mei-pattern>

    set action {allow | deny}

    set uli <cgi-uli-pattern> <sal-uli-pattern> <rai-uli-pattern> <rai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern>

    end

    You must enable policy-filter to enable GTPv2 policy filtering.

    Set default-policy-action to allow to allow traffic, then use config policy-v2 to create policy filters to filter the allowed traffic. Set default-policy-action to deny to block all traffic and then use config policy-v2 to create policy filters that match the traffic to be allowed.

    Note

    The default-policy-action setting applies to both GTPv0/v1 and GTPv2 policy filters.

    If you set default-policy-action to deny and don't add a GTPv0/v1 policy filter to your GTP profile, the GTP profile will block all GTPv0/v1 traffic accepted by the firewall policy that the GTP profile is added to.

    You can include the * wildcard character when adding MEI and ULI patterns. See the individual descriptions below for details.

    apnmember <apn-name> add an APN or APN group to the policy filter.

    messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res} select the content messages that the filter will match. Select one or more of the available options. Different policy filter options are available depending on the messages setting.

    • create-sess-req create session request (the default). If you just select this message, all policy filter options are available.
    • create-sess-res create session response. Only the max-apn-restriction and action policy filter options are available.
    • modify-bearer-req modify bearer request. Only the rat-type, action, and uli policy filter options are available.
    • modify-bearer-res modify bearer response. Only the max-apn-restriction and action policy filter options are available.

    apn-sel-mode {ms net vrf} by default, all three modes are selected and this cannot be changed.

    • ms MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HSS did not verify the user's subscription to the network.
    • net Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HSS did not verify the user's subscription to the network.
    • sub MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HSS verified the user's subscription to the network.

    max-apn-restriction {all public-1 public-2 private-1 private-2} select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv2 spec 3GPP TS 29.274 V15.9.0, subsection 8.57 APN Restriction.

    • all (the default) match all APNs with no restrictions.
    • public-1 match the Public-1 APN used on your network, for example MMS.
    • public-2 match your Public-2 APN used on your network, for example the internet.
    • private-1 match your Private-1 APN used on your network, for example Corporate users who use MMS.
    • private-2 match your Private-2 APN used on your network, for example Corporate users who do not use MMS.

    imsi-prefix <prefix> add an IMSI prefix.

    msisdn-prefix <prefix> add an MSISDN prefix.

    rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr} set the RAT Type as any combination of the following:

    • any any RAT (the default)

    • utran UTRAN

    • geran GERAN

    • wlan WLAN

    • gan GAN

    • hspa HSPA

    • eutran EUTRAN

    • virtual Virtual

    • nbiot NB-IoT

    • item LTE-M

    • nr NR

    mei <mei-pattern> add a single MEI or an MEI pattern that includes the * wildcard character to match multiple MEIs. The MEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

    A single MEI must be in three parts separated by a decimal point in the format: <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

    In each part of the MEI pattern the * cannot be followed by a number. The following are some examples of valid MEI patterns:

    35349006.*.*

    *.987*.1

    *.*.*

    action {allow | deny} allow (the default) or deny traffic matching this policy filter.

    uli <cgi-uli-pattern> <sal-uli-pattern> <rai-uli-pattern> <rai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern> add up to six different types of GTPv2 universal location information (ULI) patterns, separated by a space.

    All of the ULI patterns have the format <MCC>.<MNC>.<ID>.<[ID2]>. MCC and MNC are decimal numbers of two or three digits (d). ID and ID2 are hexadecimal numbers of four digits (x).

    • <cgi-uli-pattern> a CGI ULI with the format <ddd>.<dd[d]>.<xxxx>.<xxxx>. Example CGI ULI: 123.12.0a0a.0F0F.

    • <sai-uli-pattern> is an SAI ULI with the format <ddd>.<dd[d]>.<xxxx>.<xxxx>. Example SAI ULI: 523.235.0b0a.0E0F.

    • <rai-uli-pattern> is a Routing Area Identity (RAI) ULI with the format <ddd>.<dd[d]>.<xxxx>.<xx>. Example RAI ULI: 456.45.0c0c.0c.

    • <tai-uli-pattern> is a Tracking Area Identity (TAI) ULI with the format <ddd>.<dd[d]>.<xxxx>. Example TAI ULI: 505.02.d008.

    • <ecgi-uli-pattern> is an E-UTRAN Cell Global Identifier (ECGI) ULI with the format <ddd><dd[d]>.<xxxxxxx>. Example ECGI ULI: 505.02.d008123.

    • <lai-uli-pattern> is a Location Area Identifier (LAI) ULI with the format <ddd>.<dd[d]>.<xxxx>. Example LAI ULI: 345.08.d009.

    Example syntax that includes all of the ULIs:

    set uli 123.12.0a0a.0F0F 456.45.0b0b.0E0E 456.45.0c0c.0c 505.02.d008 505.02.d008123 505.02.d009

    If you do not need to include all six ULIs, you can enter a subset and use 0 as a placeholder for missing ULIs. You do not need to add trailing zeros. For example, if you only need to include a CGI and a SAI ULI, you can just enter the two ULIs as follows.

    set uli 123.12.0a0a.0F0F 123.12.0a0a.0F0F

    If you need to include a RAI and ECGI ULI, use 0s for the missing ULIs as follows:

    set uli 0 0 456.45.0c0c.0c 0 505.02.d008123

    You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points. In each part of the pattern the * cannot be followed by a number.

    Example CGI ULI pattern: 123.*.0a0a.0F0F.

    Example LAI ULI pattern: 345.08.d00*.

    Previous
    Next