New Deployment Option for GTP Security in 3G/4G Networks

If you deploy the firewall for RAN security in a mobile network that uses both 3G and 4G/LTE technologies, the firewall now supports a new deployment option that enforces GTP security in network topologies that contain a combined Serving Gateway (SGW) and Packet Gateway (PGW) node, known as an S-PGW. In this topology the S5 interface (SGW-PGW) is internal to the combined node and is not exposed, so to support subscriber mobility between 3G and 4G/LTE, PAN-OS 10.2.0 introduces support for the Gn (SGSN-MME) interface, over which the SGSN and the MME exchange GTPv1-C signaling for inter-RAT handovers and context transfers.
GTP security supports the following procedures as defined in 3GPP TS 23.401 version 15.12.0:
  • MME to 3G SGSN combined hard handover and SRNS relocation procedure
  • 3G SGSN to MME combined hard handover and SRNS relocation procedure
  • Routing Area Update
  • Gn/Gp SGSN to MME Tracking Area Update
  • E-UTRAN to GERAN A/Gb mode Inter RAT handover
  • GERAN A/Gb mode to E-UTRAN Inter RAT handover
To support this capability, the firewall inspects the following GTPv1-C messages, which carry these procedures over the Gn (SGSN-MME) interface, when you enable Tunnel Management among the GTPv1-C allowed messages in the GTP inspection settings. The message type values below are those assigned by 3GPP TS 29.060 (the page's original table listed them as 1 through 7, which are the values of unrelated path-management messages).

GTP        Message Value            Message Type
           Decimal   Hexadecimal
GTPv1-C    53        0x35           Forward Relocation Request
           54        0x36           Forward Relocation Response
           55        0x37           Forward Relocation Complete
           59        0x3B           Forward Relocation Complete Acknowledge
           50        0x32           SGSN Context Request
           51        0x33           SGSN Context Response
           52        0x34           SGSN Context Acknowledge
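As an added example (not Palo Alto Networks code and not part of this page), the following Python parses a GTPv1-C header, names the message type using the 3GPP TS 29.060 values, validates the length field and the extension-header chain before trusting the packet, and then applies an allow-list that models a profile permitting only the Tunnel Management messages listed above. The packets are constructed inline, the helper names are this example's own, and the allow-list is an assumption standing in for the firewall's profile; nothing here is the firewall's implementation.

```python
"""GTPv1-C header parsing plus an allowed-message check.

Added example, not vendor code. Message type values follow 3GPP TS 29.060;
the packets built by build_gtpv1c() are constructed, not captured.
"""
import struct

# GTPv1-C message types relevant here, per 3GPP TS 29.060 section 7.1.
MESSAGE_TYPES = {
    1: "Echo Request",
    2: "Echo Response",
    16: "Create PDP Context Request",
    50: "SGSN Context Request",
    51: "SGSN Context Response",
    52: "SGSN Context Acknowledge",
    53: "Forward Relocation Request",
    54: "Forward Relocation Response",
    55: "Forward Relocation Complete",
    59: "Forward Relocation Complete Acknowledge",
}

# Assumed allow-list modelling a profile that permits only the Tunnel
# Management messages used by the Gn (SGSN-MME) mobility procedures.
TUNNEL_MANAGEMENT = {50, 51, 52, 53, 54, 55, 59}


def parse_gtpv1c(pkt: bytes) -> dict:
    """Parse the 8-byte GTPv1 header, the optional 4 bytes, and extensions.

    Raises ValueError on anything malformed; a policy engine should treat
    that as an invalid message rather than fall through to 'allow'.
    """
    if len(pkt) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version={version})")
    has_ext = bool(flags & 0x04)   # E bit: extension header present
    has_seq = bool(flags & 0x02)   # S bit: sequence number present
    has_npdu = bool(flags & 0x01)  # PN bit: N-PDU number present
    # Length counts everything after the mandatory 8 octets, optional
    # fields included; a mismatch is a classic malformed-packet signal.
    if length != len(pkt) - 8:
        raise ValueError(f"length field {length} != {len(pkt) - 8} bytes present")
    hdr = {
        "msg_type": msg_type,
        "msg_name": MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"),
        "teid": teid,
        "seq": None,
    }
    offset = 8
    next_ext = 0
    # If any of E/S/PN is set, all three optional fields are present.
    if has_ext or has_seq or has_npdu:
        if len(pkt) < 12:
            raise ValueError("optional header fields truncated")
        seq, _npdu, next_ext = struct.unpack("!HBB", pkt[8:12])
        if has_seq:
            hdr["seq"] = seq
        offset = 12
    # Each extension header: 1 octet length (in 4-octet units, covering
    # itself and the trailing next-type octet), content, next-type octet.
    while next_ext != 0:
        if offset >= len(pkt):
            raise ValueError("extension header truncated")
        ext_len = pkt[offset] * 4
        if ext_len == 0 or offset + ext_len > len(pkt):
            raise ValueError("bad extension header length")
        next_ext = pkt[offset + ext_len - 1]
        offset += ext_len
    hdr["payload"] = pkt[offset:]
    return hdr


def evaluate(pkt: bytes, allowed: set) -> tuple:
    """Return ('allow'|'deny', details). Parse failures are denied."""
    try:
        hdr = parse_gtpv1c(pkt)
    except ValueError as exc:
        return "deny", {"error": str(exc)}
    verdict = "allow" if hdr["msg_type"] in allowed else "deny"
    return verdict, hdr


def build_gtpv1c(msg_type: int, teid: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct a GTPv1-C packet with the S bit set (flags 0x32: v1, PT=1, S=1)."""
    body = struct.pack("!HBB", seq, 0, 0) + payload
    return struct.pack("!BBHI", 0x32, msg_type, len(body), teid) + body


if __name__ == "__main__":
    for name, pkt in [
        ("forward relocation request", build_gtpv1c(53, 0, 1)),
        ("create pdp context request", build_gtpv1c(16, 0, 2)),
        ("truncated packet", build_gtpv1c(53, 0, 3)[:-1]),
    ]:
        verdict, details = evaluate(pkt, TUNNEL_MANAGEMENT)
        print(f"{name}: {verdict} {details}")
```

The deny-on-parse-failure default in evaluate() is the point worth carrying into any real filter: a length field that disagrees with the bytes on the wire or a self-referencing extension chain should never reach the message-type allow-list.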
In this network topology, to apply security policy to both user and control traffic, the firewall must be positioned on the 4G/LTE interfaces, that is, the Control Plane (S11) and the User Plane (S1-U), as well as on the 3G interfaces, that is, the Control Plane (Gn [SGSN-MME]) and the combined Control and User Plane (Gn [SGSN-GGSN]). You must enable GTP Security on the firewall to obtain complete subscriber-level and equipment-level visibility and policy control over threats and traffic in your network.