
FortiOS Carrier

Adding GTPv2 policy filters to a GTP profile

Use the following command to add a GTPv2 policy filter to a GTP profile:

    config firewall gtp
        edit <name>
            set policy-filter enable
            set default-policy-action {allow | deny}
            config policy-v2
                edit <id>
                    set apnmember <apn-name>
                    set messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res}
                    set apn-sel-mode {ms net vrf}
                    set max-apn-restriction {all public-1 public-2 private-1 private-2}
                    set imsi-prefix <prefix>
                    set msisdn-prefix <prefix>
                    set rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr}
                    set mei <mei-pattern>
                    set action {allow | deny}
                    set uli <cgi-uli-pattern> <sai-uli-pattern> <rai-uli-pattern> <tai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern>
                next
            end
        next
    end

You must enable policy-filter before any GTPv2 policy filter takes effect.

Set default-policy-action to allow to permit all GTP traffic by default, then use config policy-v2 to create policy filters that match the traffic to block. Set default-policy-action to deny to block all GTP traffic by default, then use config policy-v2 to create policy filters that match the traffic to be allowed.

Note

The default-policy-action setting applies to both GTPv0/v1 and GTPv2 policy filters.

If you set default-policy-action to deny and don't add a GTPv0/v1 policy filter to your GTP profile, the GTP profile will block all GTPv0/v1 traffic accepted by the firewall policy that the GTP profile is added to.

GTPv2 policy filtering from the GUI

To add a GTPv2 policy filter to a GTP profile from the GUI:

  1. Go to Security Profiles > GPRS Tunneling Protocol and create or edit a GTP profile.
  2. Enable Advanced Filtering.
  3. Set the Default Action.

     Note: The Default Action applies to both GTPv0/v1 and GTPv2 policy filters. If you set Default Action to Allow, then all GTPv0/v1 and GTPv2 traffic is allowed and you add GTPv0/v1 or GTPv2 policies to match the traffic to block. If you set Default Action to Deny, then all GTPv0/v1 and GTPv2 traffic is blocked and you add GTPv0/v1 or GTPv2 policies to match the traffic to allow.

  4. To add a GTPv2 policy, select Create new > GTPv2 Policy.
  5. Set the Action to Allow or Deny for this policy.
  6. Select the PDP context Messages this policy matches:
     • Create Session Request
     • Create Session Response
     • Modify Bearer Request
     • Modify Bearer Response
  7. Select additional options depending on the Messages that you have selected.
  8. Select OK to save the policy.

GTPv2 policy filtering options

You can include the * wildcard character when adding MEI and ULI patterns. See the individual descriptions below for details.

action {allow | deny} (GUI: Action): allow (the default) or deny traffic matching this policy filter.

messages {create-ses-req create-sess-res modify-bearer-req modify-bearer-res} (GUI: Messages): select the content messages that the filter matches. Select one or more of the available options. Which other policy filter options are available depends on the messages setting:

  • create-sess-req: Create Session Request (the default). If you select only this message, all policy filter options are available.
  • create-sess-res: Create Session Response. Only the max-apn-restriction and action policy filter options are available.
  • modify-bearer-req: Modify Bearer Request. Only the rat-type, action, and uli policy filter options are available.
  • modify-bearer-res: Modify Bearer Response. Only the max-apn-restriction and action policy filter options are available.

apnmember <apn-name> (GUI: APN): add an APN or APN group to the policy filter.

apn-sel-mode {ms net vrf} (GUI: APN Selection Mode): by default, all three modes are selected and this cannot be changed.

  • ms: MS-provided APN, subscription not verified. The mobile station (MS) provided the APN and the HSS did not verify the user's subscription to the network.
  • net: Network-provided APN, subscription not verified. The network provided a default APN because the MS did not specify one, and the HSS did not verify the user's subscription to the network.
  • sub: MS- or Network-provided APN, subscription verified. The MS or the network provided the APN and the HSS verified the user's subscription to the network.

max-apn-restriction {all public-1 public-2 private-1 private-2} (GUI: APN Restriction): select one or more of the following APN restrictions. For information about APN restrictions, see the GTPv2 specification 3GPP TS 29.274 V15.9.0, subsection 8.57 APN Restriction.

  • all (the default): match all APNs with no restrictions.
  • public-1: match the Public-1 APN used on your network, for example MMS.
  • public-2: match the Public-2 APN used on your network, for example the internet.
  • private-1: match the Private-1 APN used on your network, for example corporate users who use MMS.
  • private-2: match the Private-2 APN used on your network, for example corporate users who do not use MMS.

rat-type {any utran geran wlan gan hspa eutran virtual nbiot item nr} (GUI: RAT Type): set the RAT Type as any combination of the following:

  • any: any RAT (the default)
  • utran: UTRAN
  • geran: GERAN
  • wlan: WLAN
  • gan: GAN
  • hspa: HSPA
  • eutran: EUTRAN
  • virtual: Virtual
  • nbiot: NB-IoT
  • item: LTE-M
  • nr: NR

imsi-prefix <prefix> (GUI: IMSI): add an IMSI prefix.

msisdn-prefix <prefix> (GUI: MSISDN): add an MSISDN prefix.

mei <mei-pattern> (GUI: IMEI): add a single MEI (also called IMEI) or an MEI pattern that includes the * wildcard character to match multiple MEIs. The MEI uniquely identifies mobile hardware, so a deny filter on it can be used to block stolen equipment.

A single MEI must be in three parts separated by a decimal point, in the format <8-digits>.<6-digits>.<1-or-2-digits>. For example: 35349006.987300.1.

In each part of an MEI pattern the * cannot be followed by a number. The following are examples of valid MEI patterns:

    35349006.*.*
    *.987*.1
    *.*.*

uli <cgi-uli-pattern> <sai-uli-pattern> <rai-uli-pattern> <tai-uli-pattern> <ecgi-uli-pattern> <lai-uli-pattern> (GUI: ULI): add up to six different types of GTPv2 user location information (ULI) patterns, separated by a space, in the positional order shown.

All of the ULI patterns have the format <MCC>.<MNC>.<ID>[.<ID2>]. MCC and MNC are decimal numbers of two or three digits (d). ID and ID2 are hexadecimal numbers (x), normally four digits; the exact length for each ULI type is given below.

  • <cgi-uli-pattern> (GUI: CGI): a Cell Global Identity (CGI) ULI with the format <ddd>.<dd[d]>.<xxxx>.<xxxx>. Example CGI ULI: 123.12.0a0a.0F0F.
  • <sai-uli-pattern> (GUI: SAI): a Service Area Identity (SAI) ULI with the format <ddd>.<dd[d]>.<xxxx>.<xxxx>. Example SAI ULI: 523.235.0b0a.0E0F.
  • <rai-uli-pattern> (GUI: RAI): a Routing Area Identity (RAI) ULI with the format <ddd>.<dd[d]>.<xxxx>.<xx>. Example RAI ULI: 456.45.0c0c.0c.
  • <tai-uli-pattern> (GUI: TAI): a Tracking Area Identity (TAI) ULI with the format <ddd>.<dd[d]>.<xxxx>. Example TAI ULI: 505.02.d008.
  • <ecgi-uli-pattern> (GUI: ECGI): an E-UTRAN Cell Global Identifier (ECGI) ULI with the format <ddd>.<dd[d]>.<xxxxxxx>. Example ECGI ULI: 505.02.d008123.
  • <lai-uli-pattern> (GUI: LAI): a Location Area Identifier (LAI) ULI with the format <ddd>.<dd[d]>.<xxxx>. Example LAI ULI: 345.08.d009.

Example syntax that includes all six ULIs:

    set uli 123.12.0a0a.0F0F 456.45.0b0b.0E0E 456.45.0c0c.0c 505.02.d008 505.02.d008123 505.02.d009

If you do not need all six ULIs, you can enter a subset and use 0 as a placeholder for each missing ULI that precedes one you do specify. You do not need to add trailing zeros. For example, if you only need a CGI and an SAI ULI, enter just those two:

    set uli 123.12.0a0a.0F0F 123.12.0a0a.0F0F

If you need an RAI and an ECGI ULI, use 0 for the missing ULIs before them, as follows:

    set uli 0 0 456.45.0c0c.0c 0 505.02.d008123

You can also use the * wildcard to create ULI patterns that match multiple ULIs. ULI patterns must include all of the required decimal points, and in each part of the pattern the * cannot be followed by a number.

Example CGI ULI pattern: 123.*.0a0a.0F0F

Example LAI ULI pattern: 345.08.d00*
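As an added illustration (not Fortinet code), here is a Python checker for the MEI pattern rules and the six ULI pattern layouts described above, plus a helper that builds the positional set uli argument with 0 placeholders and trailing zeros dropped. The field lengths, and the reading that a wildcarded field is a digit prefix followed by a single *, are assumptions taken from the formats on this page.

```python
import re

# Field layouts as described on this page: (kind, min_len, max_len);
# kind "d" = decimal digits, "x" = hexadecimal digits (lengths are my reading of the formats).
MEI_FIELDS = [("d", 8, 8), ("d", 6, 6), ("d", 1, 2)]
ULI_FIELDS = {
    "cgi": [("d", 3, 3), ("d", 2, 3), ("x", 4, 4), ("x", 4, 4)],
    "sai": [("d", 3, 3), ("d", 2, 3), ("x", 4, 4), ("x", 4, 4)],
    "rai": [("d", 3, 3), ("d", 2, 3), ("x", 4, 4), ("x", 2, 2)],
    "tai": [("d", 3, 3), ("d", 2, 3), ("x", 4, 4)],
    "ecgi": [("d", 3, 3), ("d", 2, 3), ("x", 7, 7)],
    "lai": [("d", 3, 3), ("d", 2, 3), ("x", 4, 4)],
}
ULI_ORDER = ["cgi", "sai", "rai", "tai", "ecgi", "lai"]  # positional order of "set uli"
# A field is digits optionally ending in one "*": the page's rule is that "*" is never followed by a digit.
_PART = {"d": re.compile(r"^([0-9]*)(\*?)$"), "x": re.compile(r"^([0-9a-fA-F]*)(\*?)$")}

def _part_ok(part, kind, lo, hi):
    m = _PART[kind].match(part)
    if not m:
        return False
    prefix, star = m.groups()
    if star:  # assumption: a wildcard field keeps its digit prefix shorter than the full field
        return len(prefix) < hi
    return lo <= len(prefix) <= hi

def _pattern_ok(pattern, fields):
    parts = pattern.split(".")
    return len(parts) == len(fields) and all(_part_ok(p, *f) for p, f in zip(parts, fields))

def valid_mei(pattern):
    """True for a single MEI or an MEI pattern in the <8-digits>.<6-digits>.<1-or-2-digits> form."""
    return _pattern_ok(pattern, MEI_FIELDS)

def valid_uli(kind, pattern):
    """True if pattern fits the layout of the given ULI type (cgi, sai, rai, tai, ecgi, lai)."""
    return _pattern_ok(pattern, ULI_FIELDS[kind])

def build_set_uli(**patterns):
    """Build the 'set uli' line: six positional slots, '0' for absent types, trailing 0s dropped."""
    for kind, pat in patterns.items():
        if kind not in ULI_FIELDS or not valid_uli(kind, pat):
            raise ValueError("bad %s ULI pattern: %s" % (kind, pat))
    slots = [patterns.get(k, "0") for k in ULI_ORDER]
    while len(slots) > 1 and slots[-1] == "0":
        slots.pop()
    return "set uli " + " ".join(slots)
```

Running build_set_uli(rai="456.45.0c0c.0c", ecgi="505.02.d008123") reproduces the page's example line with the two leading 0 placeholders and no trailing zeros.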
