GTPv2 message filtering
FortiOS Carrier supports message filtering for all GTPv2 message types as specified by 3GPP TS 29.274. Using GTPv2 message filtering you can configure a GTP profile to allow or deny different types of GTPv2 messages. All message types are allowed by default and you can create message filters to select messages to deny.
You can also use unknown message filtering to filter GTPv2 message types that FortiOS Carrier does not have message filtering options for. Unknown messages are usually new messages that are in use on your network but have only recently been added to GTPv2 by the 3GPP. These messages may be considered by the 3GPP as reserved or for future use.
You can set unknown-message
to deny
to block all unknown GTPv2 message types. If you set unknown-message
to deny
, you can allow selected unknown message types by adding the IDs of these message types to the unknown-message-white-list
option.
For example, FortiOS Carrier does not have a message filter for message types 40 and 41: Remote UE Report Notification / Acknowledge. You can use the following configuration to create a GTPv2 message filter that denies unknown message types but allows message types 40 and 41:
config gtp message-filter-v2
edit <name>
set unknown-message deny
set unknown-message-white-list 40 41
end
From the CLI, use the following command to add GTPv2 message filtering to a GTP profile:
config firewall gtp
edit <name>
set message-filter-v2 <gtpv2-message-filter-name>
end
Use the following command to create a GTPv2 message filter:
config gtp message-filter-v2
edit <name>
set unknown-message {allow | deny}
set unknown-message-white-list {1 2 ... 255}
set echo {allow | deny}
set version-not-support {allow | deny}
set create-session {allow | deny}
set modify-bearer-req-resp {allow | deny}
set delete-session {allow | deny}
set change-notification {allow | deny}
set remote-ue-report-notif-ack {allow | deny}
set modify-bearer-cmd-fail {allow | deny}
set delete-bearer-cmd-fail {allow | deny}
set bearer-resource-cmd-fail {allow | deny}
set dlink-notif-failure {allow | deny}
set trace-session {allow | deny}
set stop-paging-indication {allow | deny}
set create-bearer {allow | deny}
set update-bearer {allow | deny}
set delete-bearer-req-resp {allow | deny}
set delete-pdn-connection-set {allow | deny}
set pgw-dlink-notif-ack {allow | deny}
set identification-req-resp {allow | deny}
set context-req-res-ack {allow | deny}
set forward-relocation-req-res {allow | deny}
set forward-relocation-cmp-notif-ack {allow | deny}
set forward-access-notif-ack {allow | deny}
set relocation-cancel-req-resp {allow | deny}
set configuration-transfer-tunnel {allow | deny}
set detach-notif-ack {allow | deny}
set cs-paging {allow | deny}
set ran-info-relay {allow | deny}
set alert-MME-notif-ack Alert {allow | deny}
set ue-activity-notif-ack {allow | deny}
set isr-status {allow | deny}
set ue-registration-query-req-resp {allow | deny}
set create-forwarding-tunnel-req-resp {allow | deny}
set suspend {allow | deny}
set resume {allow | deny}
set create-indirect-forwarding-tunnel-req-resp {allow | deny}
set delete-indirect-forwarding-tunnel-req-resp {allow | deny}
set release-access-bearer-req-resp {allow | deny}
set dlink-data-notif-ack {allow | deny}
set reserved-for-earlier-version {allow | deny}
set pgw-restart-notif-ack {allow | deny}
set update-pdn-connection-set {allow | deny}
set modify-access-req-resp {allow | deny}
set mbms-session-start-req-resp {allow | deny}
set mbms-session-update-req-resp {allow | deny}
set mbms-session-stop-req-resp {allow | deny}
end
From the GUI, create or edit a GTP profile, select Message Filtering, and select a message filter to add a GTPv2 message filter to the profile.
To create a GTPv2 message filter from the GUI, go to Security Profiles > GTP Message Filters and select Create New > Message filter for GTPv2.
The following table lists FortiOS Carrier GTPv2 message type filtering options and describes the GTPv2 message types and message IDs they apply to.
Message filtering option |
GTPv2 message types and values |
---|---|
echo
|
Echo request (1). Echo response (2). |
version-not-support
|
Version not supported (3). |
create-session
|
Create session request (32). Create session response (33). |
modify-bearer-req-resp
|
Modify bearer request (34). Modify bearer response (35). |
delete-session
|
Delete session request (36). Delete session response (37). |
change-notification
|
Change notification request (38). Change notification response (39). |
|
Remote UE report notification (40). Remote UE report acknowledge (41). |
modify-bearer-cmd-fail
|
Modify Bearer Command (64). Modify Bearer Failure Indication (65). |
delete-bearer-cmd-fail
|
Delete Bearer Command (66). Delete Bearer Failure Indication (67). |
bearer-resource-cmd-fail
|
Bearer Resource Command (68). Bearer Resource Failure Indication (69). |
|
Downlink Data Notification Failure Indication (70). |
trace-session
|
Trace Session Activation (71). Trace Session Deactivation (72). |
|
Stop Paging Indication (73). |
create-bearer
|
Create Bearer Request (95). Create Bearer Response (96). |
update-bearer
|
Update Bearer Request (97). Update Bearer Response (98). |
delete-bearer-req-resp
|
Delete Bearer Request (99). Delete Bearer Response (100). |
delete-pdn-connection-set
|
Delete PDN Connection Set Request (101). Delete PDN Connection Set Response (102). |
|
PGW Downlink Notification (103). PGW Downlink Acknowledge (104). |
|
Identification Request (128). Identification Response (129). |
|
Context Request (130). Context Response (131). Context Acknowledge (132). |
|
Forward Relocation Request (133). Forward Relocation Response (134). |
|
Forward Relocation Complete Notification (135). Forward Relocation Complete Acknowledge (136). |
|
Forward Access Context Notification (137). Forward Access Context Acknowledge (138). |
|
Relocation Cancel Request (139). Relocation Cancel Response (140). |
|
Configuration Transfer Tunnel (141). |
|
Detach Notification (149). Detach Acknowledge (150). |
|
CS Paging Indication (151). |
|
RAN Information Relay (152). |
|
Alert MME Notification (153). Alert MME Acknowledge (154). |
|
UE Activity Notification (155). UE Activity Acknowledge (156). |
|
ISR Status Indication (157). |
|
UE Registration Query Request (158). UE Registration Query Response (159). |
|
Create Forwarding Tunnel Request (160). Create Forwarding Tunnel Response (161). |
suspend
|
Suspend Notify (162). Suspend Acknowledge (163). |
resume
|
Resume Notify (164). Resume Acknowledge (165). |
|
Create Indirect Data Forwarding Tunnel Request (166). Create Indirect Data Forwarding Tunnel Response (167). |
|
Delete Indirect Data Forwarding Tunnel Request (168). Delete Indirect Data Forwarding Tunnel Response (169). |
|
Release Access Dearers Request (170). Release Access Bearers Response (171). |
|
Downlink Data Notification (176). Downlink Data Acknowledge (177). |
|
Reserved for Earlier Versions of the GTP Specification (178). |
|
PGW Restart Notification (179). PGW Restart Acknowledge (180). |
update-pdn-connection-set
|
Update PDN Connection Set Request (200). Update PDN Connection Set Response (201). |
|
Modify Access Bearers Request (211). Modify Access Bearers Response (212). |
|
MBMS Session Start Rrequest (231). MBMS Session Start Response (232). |
|
MBMS Session Update Request (233). MBMS Session Update Response (234). |
|
MBMS Session Stop Request (235). MBMS Session Stop Response (236). |