Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiOS Carrier

    7.2.6
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.6
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    5.6.0

    GTP protocol anomaly detection

    GTP protocol anomaly detection

    The FortiOS Carrier firewall detects and optionally drops protocol anomalies according to GTP standards and specific tunnel states. Protocol anomaly attacks involve malformed or corrupt packets that typically fall outside of protocol specifications. These packets are not seen on a production network. Protocol anomaly attacks exploit poor programming practices when decoding packets, and are typically used to maliciously impair system performance or elevate privileges.

    FortiOS Carrier also detects IP address spoofing inside GTP data channel.

    By default, any GTP profile blocks traffic when the following GTP anomalies are detected:

    • Invalid Reserved Field
    • Reserved IE
    • Miss Mandatory IE
    • Out of State Message
    • Out of State IE
    • Spoofed Source Address

    GTP protocol anomaly attacks involve malformed or corrupt packets that typically fall outside of the protocol specifications. If one of these anomalies is detected, the affected packet is blocked.

    In a GTP profile, you can use the following options to deny or allow these anomalies. All are set to deny by default:

    config firewall gtp

    edit <name>

    set invalid-reserved-field {allow | deny}

    set reserved-ie {allow | deny}

    set miss-must-ie {allow | deny}

    set out-of-state-message {allow | deny}

    set out-of-state-ie {allow | deny}

    set spoof-src-addr {allow | deny}

    end

    Anomaly

    Description
    invalid-reserved-field On the GUI: Invalid Reserved Field. GTP version 0 (GSM 09.60) headers specify a number of fields that are marked as Spare and contain all ones (1). GTP packets that have different values in these fields are flagged as anomalies. GTP version 1 (GSM 29.060) makes better use of the header space and only has one, 1-bit, reserved field. In the first octet of the GTP version1 header, bit 4 is set to zero.
    reserved-ie On the GUI: Reserved IE. Both versions of GTP allow up to 255 different Information Elements (IE). However, a number of Information Elements values are undefined or reserved. Packets with reserved or undefined values will be filtered.
    miss-mandatory-ie On the GUI: Miss Mandatory IE. GTP packets with missing mandatory Information Elements (IE) will not be passed to the GGSN/PGW.
    out-of-state-message On the GUI: Out of State Message. The GTP protocol requires a certain level of state to be kept by both the GGSN and SGSN or the SGW and PGW. Some message types can only be sent when in a specific GTP state. Packets that do not make sense in the current state are filtered or rejected

    Both versions of GTP allow up to 255 different message types. However, a number of message type values are undefined or reserved.

    Best practices dictate that packets with reserved or undefined values will be filtered.
    out-of-state-ie On the GUI: Out of State IE. GTP Packets with out of order Information Elements are discarded.
    spoofed-source-addr On the GUI: Spoofed Source Address. The End User Address Information Element in the PDP Context Create & Response messages or in SGW and PGW sessions contains the address that the mobile station (MS) will use on the remote network. If the MS does not have an address, the SGSN will set the End User Address field to zero when sending the initial PDP Context Create or Create Session Request message. The PDP Context Response packet or create session response packet from the GGSN will then contain an address to be assigned to the MS. In environments where static addresses are allowed, the MS will relay its address to the SGSN, which will include the address in the PDP Context Create or Create Session Request Message. If this option is set to deny, as the MS address is negotiated, any packets originating from the MS that contain a different source address are detected and dropped.
    Previous
    Next

    GTP protocol anomaly detection

    GTP protocol anomaly detection

    The FortiOS Carrier firewall detects and optionally drops protocol anomalies according to GTP standards and specific tunnel states. Protocol anomaly attacks involve malformed or corrupt packets that typically fall outside of protocol specifications. These packets are not seen on a production network. Protocol anomaly attacks exploit poor programming practices when decoding packets, and are typically used to maliciously impair system performance or elevate privileges.

    FortiOS Carrier also detects IP address spoofing inside GTP data channel.

    By default, any GTP profile blocks traffic when the following GTP anomalies are detected:

    • Invalid Reserved Field
    • Reserved IE
    • Miss Mandatory IE
    • Out of State Message
    • Out of State IE
    • Spoofed Source Address

    GTP protocol anomaly attacks involve malformed or corrupt packets that typically fall outside of the protocol specifications. If one of these anomalies is detected, the affected packet is blocked.

    In a GTP profile, you can use the following options to deny or allow these anomalies. All are set to deny by default:

    config firewall gtp

    edit <name>

    set invalid-reserved-field {allow | deny}

    set reserved-ie {allow | deny}

    set miss-must-ie {allow | deny}

    set out-of-state-message {allow | deny}

    set out-of-state-ie {allow | deny}

    set spoof-src-addr {allow | deny}

    end

    Anomaly

    Description
    invalid-reserved-field On the GUI: Invalid Reserved Field. GTP version 0 (GSM 09.60) headers specify a number of fields that are marked as Spare and contain all ones (1). GTP packets that have different values in these fields are flagged as anomalies. GTP version 1 (GSM 29.060) makes better use of the header space and only has one, 1-bit, reserved field. In the first octet of the GTP version1 header, bit 4 is set to zero.
    reserved-ie On the GUI: Reserved IE. Both versions of GTP allow up to 255 different Information Elements (IE). However, a number of Information Elements values are undefined or reserved. Packets with reserved or undefined values will be filtered.
    miss-mandatory-ie On the GUI: Miss Mandatory IE. GTP packets with missing mandatory Information Elements (IE) will not be passed to the GGSN/PGW.
    out-of-state-message On the GUI: Out of State Message. The GTP protocol requires a certain level of state to be kept by both the GGSN and SGSN or the SGW and PGW. Some message types can only be sent when in a specific GTP state. Packets that do not make sense in the current state are filtered or rejected

    Both versions of GTP allow up to 255 different message types. However, a number of message type values are undefined or reserved.

    Best practices dictate that packets with reserved or undefined values will be filtered.
    out-of-state-ie On the GUI: Out of State IE. GTP Packets with out of order Information Elements are discarded.
    spoofed-source-addr On the GUI: Spoofed Source Address. The End User Address Information Element in the PDP Context Create & Response messages or in SGW and PGW sessions contains the address that the mobile station (MS) will use on the remote network. If the MS does not have an address, the SGSN will set the End User Address field to zero when sending the initial PDP Context Create or Create Session Request message. The PDP Context Response packet or create session response packet from the GGSN will then contain an address to be assigned to the MS. In environments where static addresses are allowed, the MS will relay its address to the SGSN, which will include the address in the PDP Context Create or Create Session Request Message. If this option is set to deny, as the MS address is negotiated, any packets originating from the MS that contain a different source address are detected and dropped.
    Previous
    Next