Configure Intelligent Security using GTP for User Equipment to IP Address Correlation
Learn how to configure Intelligent Security using GTP for User Equipment to IP
Address Correlation for Security policy enforcement.
If you select GTP as the source of the traffic that you want to inspect using
Intelligent Security to map the IMSI or IMEI to subscriber or user IP addresses, you
can also:
- apply GTP protocol (including GTPv1-C, GTPv2-C, and GTP-U) security with validity checks
- perform a mandatory IE check
- check GTP-in-GTP traffic
- use RAT, IMSI, or Access Point Name (APN) filtering
- get visibility for important mobility context information contained in GTP session start or session end logs
Intelligent Security using GTP does not support:
- GTP stateful inspection and GTP message order check
- Validation for GTP-U tunnel setup
- End User IP Address Spoofing
Intelligent Security using GTP supports the following deployments:
- Perimeter security on the SGi interface with GTP traffic on the S11 interfaces in a 4G network: For this scenario, deploy the firewall for perimeter security on the SGi interface and map user equipment (UE) to IP addresses for UE subscriber and equipment traffic. The firewall inspects the GTPv2-C protocol traffic on the S11 interface.
- RAN security on the S1-U interface with GTP traffic on the S11 interfaces in a 4G network: In this configuration, deploy the firewall for RAN security on the S1-U or GTP-U interface and map the UE to IP addresses for UE subscriber and equipment traffic. The firewall inspects the GTPv2-C protocol traffic on the S11 interface.
- Core security on the S5-U interface with GTP traffic on the S5-C interfaces in a 4G network: For this scenario, deploy the firewall on the S5-U interface and map the UE to IP addresses for UE subscriber and equipment traffic. The firewall inspects the GTPv2-C protocol traffic on the S5 or S8-C interface.
- Roaming security on the S8-U interface with the GTP traffic on S8-C interfaces in a 4G network: In this scenario, deploy the firewall on the S8-U interface and map UE to IP addresses for UE subscriber and equipment traffic. The firewall inspects the GTPv2-C protocol traffic on the S8-C interface.
- Enable GTP Security.
  - Log in to the firewall web interface.
  - Select Device > Setup > Management, then select General Settings > GTP Security.
  - Click OK.
  - Commit the change.
  - Select Device > Setup > Operations and Reboot Device.
- Create a Mobile Network Protection Profile.
  - Select Objects > Security Profiles > Mobile Network Protection and Add a new profile.
  - Give the profile a unique Name.
  - Select Correlation and enable UEIP Correlation.
  - Select the Mode you want to use.
    - Loose (Default): When the firewall detects traffic, it queries the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
    - Strict: Drops the traffic if the GTP-U query does not return any results.
  - Based on your deployment, select whether you want to enable the User Plane with GTP-U encapsulation option.
    - Enable the option if you deploy the firewall on the N3/S1U interface.
    - Disable the option if you deploy the firewall on the SGi/N6 interface.
  - Select GTP as the Source. The Source is the traffic type the firewall uses to correlate management plane and user plane information for subscriber-level and equipment-level Security policy enforcement. The firewall inspects traffic of that source type to extract 5G/4G identity information, such as the subscriber ID (SUPI and IMSI), the equipment ID (PEI and IMEI), and the IP address of the UE, for correlation with 5G/4G subscriber IP traffic. If you select GTP as the source type for UEIP Correlation, the 5G-C and PFCP options are not available.
  - (Optional) Select whether you want to log UEIP Correlation events when the firewall allocates an IP address to the UE (Log At Ueip Start), when the firewall releases the allocated IP address (Log At Ueip End), or both. The firewall logs the following GTP events during IP address correlation, which you can view at Monitor > Logs > GTP:
    - UEIP mapping start
    - UEIP mapping end
    The logs contain the following user information:
    - Subscriber Identity (including IMSI and SUPI)
    - Equipment Identity (including IMEI and PEI)
    - End User IP address allocated to the UE
    - APN
    - Radio Access Technology (RAT)
  - Select the GTP Inspection tab and select GTP-C if it's not already selected, then select the Validity Checks you want the firewall to perform for GTP traffic and the Action the firewall performs if a validity check isn't successful (Block or Alert). Click OK to confirm the configuration. Stateful inspection isn't available if you enable UEIP Correlation.
- Create a Security policy to identify and allow GTP-C traffic between the MME and the SGW (or between the SGSN and the GGSN, depending on your deployment). There are two methods for policy creation, based on the level of security you need for GTP-C traffic. Select the method that fits your security needs.
  - (Recommended for SGi deployments) To allow all traffic between the MME and the SGW (or SGSN and GGSN), as well as between the PGW-U or GGSN and the Data Network zones:
    - Select Policies > Security and Add a rule with a unique Name in the General tab.
    - In the Source tab, Add the Source Zone as Any (or all zones for S11, S5 Gn, Gi, and SGi) and the Source Address as Any.
    - In the Destination tab, Add the Destination Zone as Any (or all zones for S11, S5 Gn, Gi, and SGi) and the Destination Address as Any.
    - In the Application tab, Add gtpv2-c or gtpv1-c as the Application you want to allow, depending on your deployment.
    - In the Service/URL Category tab, select the Service as Any.
    - In the Actions tab, select the Action as Allow.
    - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles and selecting the profile as the Profile Type.
    - Select Log at Session End if it's not already selected.
  - (Recommended for S1-U deployments) To allow GTP-C application traffic only between the MME and the SGW (or SGSN and GGSN):
    - Select Policies > Security and Add a rule with a unique Name in the General tab.
    - In the Source tab, Add the IP address that the MME uses to communicate with the SGW (or the equivalent SGSN and GGSN addresses, depending on your deployment) as the Source Zone and Source Address.
    - In the Destination tab, Add the IP address that the MME uses to communicate with the SGW (or the equivalent SGSN and GGSN addresses, depending on your deployment) as the Destination Zone and Destination Address.
    - In the Application tab, Add gtpv2-c or gtpv1-c as the Application you want to allow.
    - In the Service/URL Category tab, select the Service as Any.
    - In the Actions tab, select the Action as Allow.
    - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles and selecting the profile as the Profile Type.
    - Select Log at Session End if it's not already selected.
- Create a custom application and a Security policy rule that uses the custom application. (Required if you allow traffic only between the MME and the SGW or the SGSN and GGSN.) This rule must be the first rule to process the first packet of all user traffic, because it is what enables UEIP database querying, so move it above any other rules for user traffic on the N6 interface in your Security policy. Any application-specific or IMSI/IMEI-based policy rules must come after this rule.
  - Select Objects > Applications and Add an application with a unique Name (for example, gtp-ueip), then click OK.
  - Select Policies > Security and Add a policy rule with a unique Name.
  - In the Source tab, Add the zone that contains traffic to the PGW-U-SGi or GGSN-U-Gi (depending on your deployment) as the Source Zone and select Any as the Source Address. If you use an IP pool for the UE IP address, add the IP pool as the Source Address. Don't select anything in the Source Subscriber or Source Equipment tabs.
  - In the Destination tab, Add the zone that contains traffic to the Packet Data Network as the Destination Zone and select Any as the Destination Address.
  - In the Service/URL Category tab, select Any as the Service.
  - In the Actions tab, select Allow as the Action.
  - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles and selecting the profile you created in step 2 as the Profile Type.
  - Select Log at Session End if it's not already selected.
- (Recommended for S1-U deployments) Create bidirectional Security policy rules to identify and allow GTP-U application traffic on the N3 interface.
  - Select Policies > Security and Add a rule with a unique Name in the General tab.
  - In the Source tab, Add the Source Zone and the Source Address of the base station and the SGW-S1-U (or the SGSN-U and GGSN-U, depending on your deployment).
  - In the Destination tab, Add the Destination Zone and the Destination Address of the base station and the SGW-S1-U (or the SGSN-U and GGSN-U, depending on your deployment).
  - In the Application tab, Add gtp-u as the Application you want to allow.
  - In the Service/URL Category tab, select the Service as Any.
  - In the Actions tab, select the Action as Allow.
  - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles and selecting the profile as the Profile Type. When the firewall identifies GTP-U traffic between the base station and the SGW-S1-U, it decapsulates the inner traffic from the UE and searches for the UEIP mapping in the correlation database.
  - Select Log at Session End if it's not already selected.
- (Recommended for S1U or Gn-U and SGi or Gi deployments) Create other Security policy rules based on data (such as IP address, application, URL category, IMSI, or IMEI) to identify and allow UE traffic. If your deployment requires IP-based deny rules for UE traffic in N6 deployment mode, move the deny rule above the rule created in step 3 to ensure that the Traffic logs contain the IMSI or IMEI correlation information.
  - Select Policies > Security and Add a rule with a unique Name in the General tab.
  - In the Source tab, Add the Source Zone and the Source Address you want to allow. If you use an IP pool for the UE IP address, add the IP pool as the Source Address.
  - Add the Source Subscriber and the Source Equipment you want to allow.
  - In the Destination tab, Add the Destination Zone and the Destination Address. Select Any to allow internet access, or specify the addresses of the servers in the corporate network.
  - In the Application tab, Add the Application types you want to allow (for example, dns, web-browsing, or SSL).
  - In the Service/URL Category tab, select the Service types you want to allow.
  - In the Actions tab, select the Action you want the firewall to take (Allow or Deny the traffic).
  - Select Log at Session End if it's not already selected.
- (Recommended for SGi or Gi deployments if your policy allows all traffic between the MME and the SGW or the SGSN and GGSN) Create a policy rule as the last rule in your policy to allow all traffic that did not match any other policy rule. This is strongly recommended for at least the initial stages of deployment.
  - Select Policies > Security and Add a rule with a unique Name in the General tab.
  - In the Source tab, Add the zone for the PGW-U-SGi (or GGSN-U-Gi) as the Source Zone. If you use an IP pool for the UE IP address, add the IP pool as the Source Address.
  - In the Destination tab, Add the Destination Zone of the data network and the Destination Address as Any.
  - In the Application tab, Add the Application types as Any.
  - In the Service/URL Category tab, select the Service type as Any.
  - In the Actions tab, select Allow as the Action.
  - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles and selecting the profile as the Profile Type.
  - Select Log at Session End if it's not already selected.
- Confirm that you Enabled the profile (Policies > Security > Security Policy Rule > Actions > Profile Setting > Mobile Network Protection) and Commit the changes.
- Verify that your configuration is correct.
  - Verify the session traffic in the firewall logs using the following CLI commands:
    - show session all filter application gtpv2-c
    - show session all filter application gtpv1-c
    - show session all filter application gtp-u
    - show session all filter source <IP address of UE>
  - Verify that the mappings on the firewall display gtp as the source (src) using the show ueip all CLI command.
  - View the GTP logs (Monitor > Logs > GTP) and verify that the GTP Event Type displays UEIP mapping start and UEIP mapping end.
  - Verify that the UE Traffic logs (Monitor > Logs > Traffic) display the IMSI or IMEI in the Subscriber Identity column for the UE traffic.
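The UEIP correlation lifecycle this procedure relies on (UEIP mapping start and end events populating the database, and the Loose versus Strict behaviour when a user-plane address has no mapping), written out as an added Python illustration; this is not firewall code, and the IMSI/IMEI values, IP addresses and APN in the test are constructed sample data.

```python
# Added illustration (not firewall code): a model of the UEIP correlation
# database and of the Loose/Strict modes described on this page. GTP session
# start and end events create and remove UE IP-to-identity mappings, and
# user-plane traffic is then matched to subscriber-level policy through them.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UeIdentity:
    imsi: str   # Subscriber Identity
    imei: str   # Equipment Identity
    apn: str
    rat: str    # Radio Access Technology


class UeipDatabase:
    """IP address -> UE identity, populated from GTP-C session events."""

    def __init__(self) -> None:
        self._by_ip: dict[str, UeIdentity] = {}
        self.gtp_log: list[tuple[str, str, str]] = []  # (event, ip, imsi)

    def mapping_start(self, ue_ip: str, ident: UeIdentity) -> None:
        # A new session for the same IP replaces any stale mapping.
        self._by_ip[ue_ip] = ident
        self.gtp_log.append(("UEIP mapping start", ue_ip, ident.imsi))

    def mapping_end(self, ue_ip: str) -> None:
        ident = self._by_ip.pop(ue_ip, None)
        if ident is not None:
            self.gtp_log.append(("UEIP mapping end", ue_ip, ident.imsi))

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[UeIdentity]:
        # The UE can be on either side of a flow, so both ends are queried.
        return self._by_ip.get(src_ip) or self._by_ip.get(dst_ip)


def evaluate(db: UeipDatabase, src_ip: str, dst_ip: str,
             mode: str, allowed_imsis: set[str]) -> tuple[str, Optional[str]]:
    """Decide the action for a user-plane packet and report the IMSI used.

    mode 'loose': no mapping -> traffic is forwarded without an identity.
    mode 'strict': no mapping -> traffic is dropped.
    """
    ident = db.lookup(src_ip, dst_ip)
    if ident is None:
        return ("allow" if mode == "loose" else "drop", None)
    action = "allow" if ident.imsi in allowed_imsis else "deny"
    return (action, ident.imsi)
```

The Loose case shows why the ordering notes above matter: traffic that reaches policy before a mapping exists is forwarded with no Subscriber Identity, so IMSI-based rules never see it.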