Discover Mobile Device Attributes

IoT Security discovers the attributes of mobile devices in 3G, 4G, and 5G cellular networks.
IoT Security can learn mobile (cellular) device attributes, add the devices to its inventory, and track them by their IMEI numbers. You can then see various mobile device attributes for them on the Assets > Devices and Device Details pages. You can also use the mobile device attributes when creating custom alerts. However, because they are classified as Traditional IT, IoT Security doesn’t make policy rule recommendations or send firewalls IP address-to-device mappings for mobile devices.

Set up PAN-OS to Send IoT Security Mobile Device Attributes

This procedure assumes that IoT Security is already onboarded on your firewall, that the firewall has the required licenses and certificates, and that logging is enabled.
  1. Enable GTP Security on the firewall.
    1. Log in to PAN-OS, select Device > Setup > Management, and then click Edit (the gear icon) for General Settings.
    2. Select GTP Security and then click OK.
    3. Commit your changes and then select Device > Operations > Reboot Device.
  2. Create a Log Forwarding profile that includes GTP logging.
    1. Log back in and select Objects > Log Forwarding > Add.
    2. Enter a name for the log forwarding profile like Mobile Device Logging, select Enable enhanced application logging to Strata Logging Service, and then click OK.
  3. Create a Mobile Network Protection profile for the types of mobile devices on the network.
    The following are the recommended settings that enable the correlation of user IDs and equipment IDs to user equipment IP addresses (UEIP) for different mobile devices. For details about each setting, see the Mobile Network Protection Profile help in PAN-OS.
    • 5G mobile devices with RADIUS
      1. Select Objects > Security Profiles > Mobile Device Protection and then click Add.
      2. Enter a name for the profile such as RADIUS Correlation, click Correlation, and then enter the following:
        UEIP Correlation: (select)
        Mode: Loose
        User Plane with GTP-U encapsulation: (clear)
        Source: RADIUS
        Log At Ueip Start: (select)
        Log At Ueip End: (select)
      3. Click GTP Inspection > GTP-U, and then enter the following to perform validity checks of the Information Element (IE) in GTP headers and generate alerts if any irregularities are found:
        Alert: (select)
        Reserved IE: (select)
        Order of IE: (select)
        Length of IE: (select)
        Spare Flag in Header: (select)
        Unsupported message type: (select)
        GTP-in-GTP: alert
    • 5G mobile devices with Packet Forwarding Control Protocol (PFCP)
      1. Select Objects > Security Profiles > Mobile Device Protection and then click Add.
      2. Enter a name for the profile such as PFCP-5G Correlation, click Correlation, and then enter the following:
        UEIP Correlation: (select)
        Mode: Loose
        User Plane with GTP-U encapsulation: (clear)
        Source: PFCP
        Log At Ueip Start: (select)
        Log At Ueip End: (select)
      3. Click GTP Inspection > GTP-U, and then enter the following to perform validity checks of the IE in GTP headers and generate alerts if any irregularities are found:
        Alert: (select)
        Reserved IE: (select)
        Order of IE: (select)
        Length of IE: (select)
        Spare Flag in Header: (select)
        Unsupported message type: (select)
        GTP-in-GTP: alert
    • 3G and 4G mobile devices with GTP-C
      1. Select Objects > Security Profiles > Mobile Device Protection and then click Add.
      2. Enter a name for the profile such as GTP-C-3G4G Correlation, and then enter the following in the GTP-C tab to use stateful inspection, perform validity checks of the IE in GTP headers, and generate alerts if irregularities are found:
        GTPv1-C:
        Stateful Inspection: (select)
        Alert: (select)
        Reserved IE: (select)
        Order of IE: (select)
        Length of IE: (select)
        Spare Flag in Header: (select)
        Unsupported message type: (select)
        GTPv2-C:
        Stateful Inspection: (select)
        Alert: (select)
        Reserved IE: (select)
        Length of IE: (select)
        Spare Flag in Header: (select)
        Unsupported message type: (select)
      3. Click GTP-U, and then enter the following:
        Alert: (select)
        Reserved IE: (select)
        Order of IE: (select)
        Length of IE: (select)
        Spare Flag in Header: (select)
        Unsupported message type: (select)
        GTP-in-GTP: alert
        Log at GTP-U session start: (select)
        Log at GTP-U session end: (select)
        GTP-U Content Inspection: (select)
  4. Create Security policy rules to log mobile device traffic and forward the logs to the logging service.
    The logs these rules forward to the logging service are what IoT Security analyzes. The rules you create depend on the generation of mobile devices on the network and whether the network uses RADIUS or PFCP.
    • 5G mobile devices with RADIUS
      1. Select Policies > Security and then click Add.
      2. Create a universal Security policy rule with the following settings:
        Allow radius as the application from any source to any destination.
        In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the RADIUS correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      3. Click Add and then create a universal Security policy rule with the following settings:
        Allow any application from any source to any destination.
        In the Actions tab, choose None as the Profile Type, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      4. If necessary, reposition the first rule above the second in the ruleset.
    • 5G mobile devices with PFCP
      1. Select Policies > Security and then click Add.
      2. Create a universal Security policy rule with the following settings:
        Allow pfcp as the application from any source to any destination.
        In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the PFCP 5G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      3. Click Add and then create a universal Security policy rule with the following settings:
        Allow gtp-u as the application from any source to any destination.
        In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the PFCP 5G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      4. Click Add and then create a universal Security policy rule with the following settings:
        Allow any application from any source to any destination.
        In the Actions tab, choose None as the Profile Type, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      5. If necessary, reposition rules so that the first and second rules are above the third in the ruleset.
    • 3G and 4G mobile devices with GTP-C
      1. Select Policies > Security and then click Add.
      2. Create a universal Security policy rule with the following settings:
        Allow gtpv1-c and gtpv2-c as the application from any source to any destination.
        In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the GTP-C 3G and 4G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      3. Click Add and then create a universal Security policy rule with the following settings:
        Allow gtp-u as the application from any source to any destination.
        In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the GTP-C 3G and 4G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      4. Click Add and then create a universal Security policy rule with the following settings:
        Allow any application from any source to any destination.
        In the Actions tab, choose None as the Profile Type, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created.
        Click OK.
      5. If necessary, reposition rules so that the first and second rules are above the third in the ruleset.
  5. Commit the configuration.
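As an added check that is not part of this documentation, the following Python reads a security rulebase export and flags the two ways step 4 most often goes wrong: a catch-all (any application) rule left above a radius, pfcp, gtp-u, gtpv1-c or gtpv2-c rule, which shadows it so the Mobile Network Protection profile never sees the traffic, and rules that lack Log at Session Start/End or a Log Forwarding profile. It assumes the XML mirrors the rulebase/security/rules/entry layout of a PAN-OS configuration export (the sample is constructed inline) and that every rule is any-to-any as in the procedure, so rule order alone decides shadowing.

```python
import xml.etree.ElementTree as ET

MOBILE_APPS = {"radius", "pfcp", "gtp-u", "gtpv1-c", "gtpv2-c"}  # apps given a profile above

# Constructed sample, assumed to mirror the rulebase/security/rules layout of a
# PAN-OS config export: the catch-all rule was left above the gtp-u rule, and
# the gtp-u rule lacks Log at Session End and a Log Forwarding profile.
SAMPLE_RULEBASE = """
<rules>
  <entry name="pfcp-correlation">
    <application><member>pfcp</member></application><action>allow</action>
    <log-start>yes</log-start><log-end>yes</log-end><log-setting>Mobile Device Logging</log-setting>
  </entry>
  <entry name="log-everything">
    <application><member>any</member></application><action>allow</action>
    <log-start>yes</log-start><log-end>yes</log-end><log-setting>Mobile Device Logging</log-setting>
  </entry>
  <entry name="gtp-u-correlation">
    <application><member>gtp-u</member></application><action>allow</action>
    <log-start>yes</log-start>
  </entry>
</rules>
"""

def parse_rules(xml_text):
    """Return one dict per rule, preserving rulebase order."""
    rules = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        rules.append({
            "name": entry.get("name"),
            "apps": {m.text for m in entry.findall("application/member")},
            "logs_both": all(entry.findtext(t) == "yes" for t in ("log-start", "log-end")),
            "log_setting": entry.findtext("log-setting"),
        })
    return rules

def check_rulebase(rules):
    """Return findings; an empty list means the ruleset matches the procedure."""
    findings = []
    catch_all = None  # name of the first rule that allows any application
    for r in rules:
        if "any" in r["apps"]:
            catch_all = catch_all or r["name"]
        elif r["apps"] & MOBILE_APPS and catch_all:
            findings.append(f"{r['name']} is shadowed by catch-all rule {catch_all}")
        if not r["logs_both"]:
            findings.append(f"{r['name']} does not log at both session start and end")
        if not r["log_setting"]:
            findings.append(f"{r['name']} has no Log Forwarding profile")
    return findings
```

Running `check_rulebase(parse_rules(SAMPLE_RULEBASE))` on the sample reports three findings, all against gtp-u-correlation; moving that rule above log-everything clears the shadowing one.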

View Mobile Device Attributes in IoT Security

After the firewall begins logging mobile device traffic, it forwards the traffic metadata in GTP logs to the logging service, which in turn streams it to IoT Security. To check the status of the GTP logs, log in to the IoT Security portal and select Administration > Firewalls. There you can see if IoT Security is receiving GTP logs, the time of the latest log, and how many GTP log events and bytes it’s received.
To see mobile device attributes in the device inventory on the Devices page, select Assets > Devices. Because the Mobile Device columns are hidden by default, click the icon with three vertical bars to open the column selection panel, and select all the columns you want to see. All the columns displaying mobile device attributes are available in the Mobile section:
  • Mobile Equipment Identity – The International Mobile Equipment Identity (IMEI), a 15-to-17-digit code assigned to every mobile device to uniquely identify it
  • Mobile Subscriber Identity – A unique identifier issued on a Subscriber Identity Module (SIM) card. In 2G, 3G, and 4G networks, this identifier is referred to as International Mobile Subscriber Identity (IMSI). In 5G networks, it is called Subscription Permanent Identifier (SUPI).
  • Mobile Subscriber ISDN – The Mobile Subscriber Integrated Services Digital Network (MSISDN) number, which maps a cellular telephone number to a mobile subscriber
  • Mobile APN (Access Point Name) – Term used to identify the external Packet Data Network (PDN) to which mobile devices connect through the 2G, 3G, or 4G cellular network. In a 5G network, it refers to the Data Network Name (DNN).
  • Radio Access Technology – The underlying connection method mobile devices use for wireless radio communications; for example, Bluetooth, Wi-Fi, UMTS, LTE, or 5G NR
  • Mobile Base Station Code – The identification number that uniquely identifies a cellular base station
  • Mobile Area Code – The area code of the user’s location
  • Mobile Network Code (MNC) – A two-digit (European standard) or three-digit (North American standard) number identifying the Public Land Mobile Network (PLMN) of the mobile subscriber
  • Mobile Country Code (MCC) – A three-digit number identifying the country of the mobile subscriber
  • Mobile TAC (Type Allocation Code) – An eight-digit number that identifies the manufacturer of a mobile device
  • Network Slice – A logically discrete section of a network operating over a common infrastructure
  • Mobile Device – The end user device operating on a wireless network
In addition to showing columns with these attributes in the inventory table, you can also use them in filters and queries at the top of the Devices page. They are displayed on the Device Details page of mobile devices and are available for use when creating custom alert rules.
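As an added example that is not part of this documentation, the following Python shows how the identifiers in the Mobile section fit together: it validates the Luhn check digit of a 15-digit IMEI, extracts the 8-digit TAC and the serial number from an IMEI or a 16-digit IMEISV, recognises both forms of the same handset (useful when de-duplicating an inventory keyed by IMEI), and splits an IMSI into MCC, MNC and MSIN given the operator's two- or three-digit MNC length. All sample identifiers are constructed, not taken from real devices or subscribers.

```python
import re

def luhn_valid(digits):
    """Luhn check: True when the last digit is the correct check digit for the rest."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def parse_imei(value):
    """Split an IMEI (15 digits, Luhn check digit) or IMEISV (16 digits, two-digit
    software version instead of a check digit) into TAC, serial and trailing field."""
    digits = re.sub(r"\D", "", value)        # drop dashes/spaces from display formats
    if len(digits) == 15:
        return {"tac": digits[:8], "serial": digits[8:14], "check_digit": digits[14],
                "luhn_valid": luhn_valid(digits)}
    if len(digits) == 16:
        return {"tac": digits[:8], "serial": digits[8:14], "software_version": digits[14:]}
    raise ValueError(f"expected 15 or 16 digits, got {len(digits)}")

def split_imsi(imsi, mnc_length):
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN. The MNC
    length is a property of the operator (two digits in European PLMNs, three in
    North American ones), so the caller supplies it instead of guessing from the MCC."""
    if mnc_length not in (2, 3) or not imsi.isdigit() or len(imsi) > 15:
        raise ValueError("IMSI must be at most 15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}

def same_equipment(a, b):
    """True when two identifiers (IMEI or IMEISV, any display format) name the same
    handset, i.e. share TAC and serial number."""
    pa, pb = parse_imei(a), parse_imei(b)
    return (pa["tac"], pa["serial"]) == (pb["tac"], pb["serial"])

# Constructed sample identifiers (hypothetical values, not real devices or subscribers).
SAMPLE_IMEI = "35-209900-176148-1"      # display format: TAC-serial-check digit
SAMPLE_IMEISV = "3520990017614801"      # same handset, software version 01
SAMPLE_IMSI_EU = "262011234567890"      # MCC 262 with a two-digit MNC (01)
SAMPLE_IMSI_NA = "310150123456789"      # MCC 310 with a three-digit MNC (150)
```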