Objects > Security Profiles > GTP Protection
Table of Contents
9.1 (EoL)
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > GTP Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Device Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Objects > Security Profiles > GTP Protection
The GTP Protection profile enables the firewall to inspect
GTP traffic. To view this profile, you must enable GTP Security
in Device
> Setup > Management.
The options in the profile allow you to enable stateful inspection
of GTP v1-C, GTP v2-C, and GTP-U, enable protocol validation for
GTPv1-C, GTP v2-C and GTP-U, enable GTP-U content inspection to
scan user data within GTP-U tunnels. It also allows you to filter
GTP sessions based on APN, IMSI-Prefix, and RAT, and prevent end-user
IP address spoofing to protect the mobile subscribers from being
overbilled.
GTP Inspection Profile Settings | |
---|---|
GTP Inspection | |
GTP-C |
|
GTP-U | Enabling stateful inspection for either
GTPv1-C and/or GTPv20C, automatically enables GTPU-U stateful inspection. You
can specify the following validity checks for GTP-U payloads.
In addition you can also
configure an allow, block or alert action for:
|
Filtering Options | |
RAT Filtering | By default all Radio Access Technologies
(RAT) are allowed. GTP-C Create-PDP-Request and Create-Session-Request
messages are filtered or allowed based on the RAT filter. You can
specify whether to allow, block or alert on the following Remote
Access Technologies (RAT) that the user equipment uses to access
the mobile core network:
|
IMSI Filtering | IMSI (International Mobile Subscriber Identity)
is a unique identification associated with a subscriber in GSM,
UMTS and LTE networks that is provisioned in the Subscriber Identity
Module (SIM) card. An IMSI is usually presented as a 15 digit
long number (8 byte), but can be shorter. IMSI is composed of three
parts:
The IMSI
Prefix combines the MCC and MNC and allows you to allow, block,
or alert GTP traffic from a specific PLMN.
By default all IMSI are allowed. You can either manually enter
or import a csv file with IMSI or IMSI prefixes into the firewall.
The IMSI can include wildcards, for example, 310* or 240011*. The
firewall supports a maximum of 5000 IMSI or IMSI prefixes. |
APN Filtering | The Access Point Name (APN) is a reference
to a GGSN/ PGW that a user equipment requires to connect to the
Internet. The APN is composed of two parts:
By
default all APNs are allowed. The APN filter allows you to allow,
block, or alert GTP traffic based on the APN value. GTP-C Create-PDP-Request
and Create-Session-Request messages are filtered or allowed based
on the rules defined for APN filtering. You can manually add
or import an APN filtering list into the firewall. The value for
the APN must include the network ID or the domain name of the network
(for example, example.com) and, optionally, the operator ID. For
APN filtering, the wildcard '*' allows you to match for all APN.
A combination of '*' and other characters is not supported for wildcards.
For example, "internet.mnc* " is treated as a regular APN and will
not filter all entries that start with internet.mnc.. The
firewall supports a maximum of 1000 APN filters. |
GTP Tunnel Limits | |
Max Concurrent Tunnels Allowed per Destination | Allows you to limit the maximum number of
GTP-U tunnels to a destination IP address, for example to the GGSN. Range:
0 to 100000000 tunnels. |
Alert at Max Concurrent Tunnels per Destination | Specify the threshold at which the firewall
triggers an alert when the number of maximum GTP-U tunnels to a
destination have been established. A GTP log message of high severity
is generated when the configured tunnel limit is reached. |
Logging frequency | The number of events that the firewall counts
before it generates a log when the configured GTP tunnel limits
are exceeded. This setting allows you to reduce the volume to messages logged. Default:
100; range: 1-100000000 |
Overbilling Protection | Select the virtual system that serves as
the Gi/ SGi firewall on your firewall. The Gi/ SGi firewall inspects
the mobile subscriber IP traffic traversing over the Gi/ SGi interface
from the PGW/ GGSN to the external PDN (packet data network) such
as the internet and secures internet access for mobile subscribers. Overbilling
can occur when a GGSN assigns a previously used IP address from
the End User IP address pool to a mobile subscriber. When a malicious
server on the internet continues to send packets to this IP address
as it did not close the session initiated for the previous subscriber
and the session is still open on the Gi Firewall. To disallow data
from being delivered, whenever a GTP tunnel is deleted (detected by
delete-PDP or delete-session message) or timed-out, the firewall enabled
for overbilling protection notifies the Gi/ SGi firewall to delete all
the sessions that belong to the subscriber from the session table. GTP
Security and SGi/ Gi firewall should be configured on the same physical
firewall, but can be in different virtual systems. In order to delete
sessions based on GTP-C events, the firewall needs to have all the
relevant session information and this is possible only when you manage
traffic from the SGi + S11 or S5 interfaces for GTPv2 and Gi + Gn
interfaces for GTPv1 in the mobile core network. |
Other Log Settings By
default the firewall does not log allowed GTP messages. You can
selectively enable logging of allowed GTP messages for troubleshooting
when needed as it will generate high volume of logs. In addition
to allowed log messages, this tab also allows you to selectively
enable logging of user location information. | |
GTPv1-C Allowed Messages | Allows you to selectivity enable logging
of the allowed GTPv1-C messages, if you have enabled stateful inspection
for GTPv1?C. These messages generate logs to help you troubleshoot
issues as needed. By default, the firewall does not log allowed
messages. The logging options for allowed GTPv1-C messages are:
|
Log User Location | Allows you to include the user location
information, such as area code and Cell ID, in GTP logs. |
Packet Capture | Allows you to capture GTP events. |
GTPv2-C Allowed Messages | Allows you to selectively enable logging
of the allowed GTPv2-C messages, if you have enabled stateful inspection
for GTPv2-C. These messages generate logs to help you troubleshoot
issues as needed. By default, the firewall does not log allowed
messages. The logging options for allowed GTPv2-C messages are:
|
GTP-U Allowed Messages | Allows you to selectively enable logging
of the allowed GTP-U messages, if you have enabled stateful inspection
for GTPv2?C and/ or GTPv1-C. These messages generate logs to help
you troubleshoot issues as needed. The logging options for
allowed GTP-U messages are:
|
G-PDU Packets Logged per New GTP-U Tunnel | Enable this option to verify that the firewall
is inspecting GTP-U PDUs. The firewall generates a log for the specified
number of G-PDU packets in each new GTP-U tunnel. Default:
1; range: 1-10. |