General GTP profile settings
The following general settings are available when creating and editing GTP profiles from the CLI.
A subset of these settings is also available when editing a GTP profile on the GUI. To configure GTP profile general settings from the GUI, edit a GTP profile and open General Settings.
config firewall gtp
    edit <name>
        set gtp-in-gtp {allow | deny}
        set min-message-length <length>
        set max-message-length <length>
        set tunnel-limit <number-of-tunnels>
        set tunnel-timeout <time>
        set control-plane-message-rate-limit <packets-per-second>
        set handover-group <firewall-address>
        set handover-group6 <ipv6-firewall-address>
        set authorized-sgsns <firewall-address>
        set authorized-sgsns6 <ipv6-firewall-address>
        set invalid-sgsns-to-log <firewall-address>
        set authorized-ggsns <firewall-address>
        set authorized-ggsns6 <ipv6-firewall-address>
        set remove-if-echo-expires {disable | enable}
        set remove-if-recovery-differ {disable | enable}
        set send-delete-when-timeout {disable | enable}
        set send-delete-when-timeout-v2 {disable | enable}
        set unknown-version-action {allow | deny}
        set echo-request-interval <time>
        set half-open-timeout <timeout>
        set half-close-timeout <timeout>
        set monitor-mode {disable | enable | vdom}
    end
| Option | Description |
|---|---|
| gtp-in-gtp | On the GUI: General Settings > GTP-in-GTP. Select allow to permit GTP packets that contain GTP packets, that is, a GTP tunnel inside another GTP tunnel. To block all GTP-in-GTP packets, select deny. |
| min-message-length, max-message-length | On the GUI: General Settings > Message length. Define the acceptable message size range in bytes. Normally this is controlled by the protocol and varies for different message types. If a packet is smaller or larger than this range, it is discarded, because it is likely malformed and a potential security risk. The default range is 0 to 1452 bytes. |
| tunnel-limit | On the GUI: General Settings > Tunnel limit. See GTP tunnel limiting. |
| tunnel-timeout | On the GUI: General Settings > Tunnel timeout. Enter the maximum number of seconds that a GTP tunnel is allowed to remain active. After the timeout, FortiOS Carrier deletes GTP tunnels that have stopped processing data. A GTP tunnel may hang for various reasons. For example, during the GTP tunnel tear-down stage, the Delete PDP Context Response message may get lost. By setting a timeout value, FortiOS Carrier removes hanging tunnels. The default is 86400 seconds, or 24 hours. |
| control-plane-message-rate-limit | On the GUI: General Settings > Control plane message rate limit. Enter the number of packets per second to limit the traffic rate and protect the GSNs from possible Denial of Service (DoS) attacks. The default limit of 0 does not limit the message rate. GTP DoS attacks can include the following. Border gateway bandwidth saturation: a malicious operator can connect to your IPX/GRX and generate high traffic towards your Border Gateway to consume all the bandwidth. GTP flood: a GSN can be flooded by illegitimate traffic. |
| handover-group | On the GUI: General Settings > Handover group. Select the firewall address that contains the list of IP addresses allowed to take over a GTP session when the mobile device moves locations. Handover is a fundamental feature of GPRS/UMTS, which enables subscribers to seamlessly move from one area of coverage to another with no interruption of active sessions. Session hijacking can come from the SGSN or the GGSN, where a fraudulent GSN can intercept another GSN and redirect traffic to it. This can be exploited to hijack GTP tunnels or cause a denial of service. When the handover group is defined, it acts like an allow list with an implicit default deny at the end: the GTP address must be in the group or the GTP message is blocked. This stops handover requests from untrusted GSNs. |
| handover-group6 | On the GUI: General Settings > Handover group (IPv6). Select the IPv6 firewall address that contains the list of IP addresses allowed to take over a GTP session when the mobile device moves locations. |
| authorized-sgsns | On the GUI: General Settings > Authorized SGSNs. Select a firewall address so that only authorized SGSNs and SGWs matching the firewall address can send packets through FortiOS Carrier, and unauthorized SGSNs and SGWs are blocked. You can use authorized SGSNs to allow packets from SGSNs or SGWs that have a roaming agreement with your organization. |
| authorized-sgsns6 | On the GUI: General Settings > Authorized SGSNs (IPv6). Select an IPv6 firewall address so that only authorized SGSNs and SGWs matching the IPv6 firewall address can send packets through FortiOS Carrier, and unauthorized SGSNs and SGWs are blocked. You can use authorized SGSNs to allow packets from SGSNs or SGWs that have a roaming agreement with your organization. |
| invalid-sgsns-to-log | Select a firewall address to match invalid SGSNs and record an invalid SGSN log message when a matching invalid SGSN is found. |
| authorized-ggsns | On the GUI: General Settings > Authorized GGSNs. Select a firewall address so that only authorized GGSNs or PGWs can send packets through the FortiGate, and unauthorized GGSNs are blocked. You can use authorized GGSNs or PGWs to allow packets from GGSNs or PGWs that have a roaming agreement with your organization. |
| authorized-ggsns6 | On the GUI: General Settings > Authorized GGSNs (IPv6). Select an IPv6 firewall address so that only authorized GGSNs or PGWs can send packets through the FortiGate, and unauthorized GGSNs are blocked. You can use authorized GGSNs or PGWs to allow packets from GGSNs or PGWs that have a roaming agreement with your organization. |
| remove-if-echo-expires | Enable to remove sessions if the echo response expires. Disabled by default. |
| remove-if-recovery-differ | Enable to remove a session if the Recovery IE is different. Disabled by default. |
| send-delete-when-timeout | Enable to send a DELETE request to path endpoints when a GTPv0/v1 tunnel times out. Disabled by default. |
| send-delete-when-timeout-v2 | Enable to send a DELETE request to path endpoints when a GTPv2 tunnel times out. Disabled by default. |
| unknown-version-action | Allow or deny sessions with unknown GTP versions. Unknown GTP versions are allowed by default. |
| echo-request-interval | Set the amount of time to wait for an echo request. The default is 0, which means there is no limit on the amount of time to wait for an echo request. |
| half-open-timeout | Set the half-open timeout in seconds for GTP sessions. The range is 1 to 300 and the default is 300. This option allows you to use the GTP profile to customize the half-open timer for GTP sessions. |
| half-close-timeout | Set the half-close timeout in seconds for GTP sessions. The range is 1 to 30 and the default is 10. This option allows you to use the GTP profile to customize the half-close timer for GTP sessions. |
| monitor-mode | Set the GTP monitor mode for all GTP versions. You can enable or disable global monitoring mode or select vdom. When enabled, if a GTP packet is to be dropped due to a GTP deny case such as: instead of being dropped, it will be forwarded and logged with the original deny log message and a |
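To make the deny decisions behind gtp-in-gtp, min-message-length/max-message-length and unknown-version-action concrete, here is an added example (not FortiOS code, and not how FortiOS Carrier implements these checks) that evaluates a single UDP payload received on a GTP port against a profile with the documented defaults. It assumes the message length is measured over the whole UDP payload, and it only looks for GTP-in-GTP inside GTPv1 G-PDUs whose user data is an IPv4/UDP datagram addressed to a GTP port; all packets are constructed in the block.

```python
import struct
from dataclasses import dataclass

GTP_C_PORT, GTP_U_PORT = 2123, 2152

@dataclass
class GtpProfile:
    # Subset of the page's general settings, initialised to the documented defaults.
    gtp_in_gtp: str = "allow"              # allow | deny
    min_message_length: int = 0            # bytes
    max_message_length: int = 1452         # bytes
    unknown_version_action: str = "allow"  # allow | deny

def gtp_version(payload: bytes) -> int:
    return payload[0] >> 5                 # top three bits of the first octet

def inner_carries_gtp(tpdu: bytes) -> bool:
    # True when the T-PDU is IPv4/UDP to a GTP port and the UDP payload starts with a GTPv1/v2 header.
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4 or tpdu[9] != 17:
        return False
    ihl = (tpdu[0] & 0x0F) * 4
    if len(tpdu) < ihl + 8:
        return False
    dport = struct.unpack("!H", tpdu[ihl + 2:ihl + 4])[0]
    udp_data = tpdu[ihl + 8:]
    return dport in (GTP_C_PORT, GTP_U_PORT) and len(udp_data) >= 8 and gtp_version(udp_data) in (1, 2)

def inspect(payload: bytes, profile: GtpProfile) -> str:
    # Verdict for one UDP payload on a GTP port: "allow" or "deny: <reason>" (assumed verdict format).
    if len(payload) < 8:
        return "deny: shorter than a GTP header"
    if not profile.min_message_length <= len(payload) <= profile.max_message_length:
        return "deny: message length outside profile range"
    if gtp_version(payload) not in (0, 1, 2):
        return "allow" if profile.unknown_version_action == "allow" else "deny: unknown GTP version"
    if gtp_version(payload) == 1 and payload[1] == 255:   # G-PDU: subscriber data follows the header
        hdr_len = 12 if payload[0] & 0x07 else 8          # optional fields present if E, S or PN set
        if profile.gtp_in_gtp == "deny" and inner_carries_gtp(payload[hdr_len:]):
            return "deny: gtp-in-gtp"
    return "allow"
# Constructed sample traffic (not captured data) used to exercise the checks.
def gtpv1_gpdu(inner: bytes, teid: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", 0x30, 255, len(inner), teid) + inner   # v1, PT=1, no option flags
def ipv4_udp(dport: int, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data  # UDP checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))       # IPv4, protocol 17 (UDP)
    return ip + udp
NESTED = gtpv1_gpdu(ipv4_udp(GTP_U_PORT, gtpv1_gpdu(b"user data")))  # a GTP tunnel inside a GTP tunnel
PLAIN = gtpv1_gpdu(ipv4_udp(53, b"ordinary DNS payload"))            # normal subscriber traffic
```

With the defaults NESTED is allowed; setting gtp_in_gtp to "deny" turns the same packet into a "deny: gtp-in-gtp" verdict while PLAIN still passes.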