Focus

PAN-OS Web Interface Reference

Objects > Security Profiles > GTP Protection

Table of Contents

Objects > Security Profiles > GTP Protection

The GTP Protection profile enables the firewall to inspect GTP traffic. To view this profile, you must enable GTP Security in Device > Setup > Management.

The options in the profile allow you to enable stateful inspection of GTP v1-C, GTP v2-C, and GTP-U, enable protocol validation for GTPv1-C, GTP v2-C and GTP-U, enable GTP-U content inspection to scan user data within GTP-U tunnels. It also allows you to filter GTP sessions based on APN, IMSI-Prefix, and RAT, and prevent end-user IP address spoofing to protect the mobile subscribers from being overbilled.

GTP Inspection Profile Settings
GTP Inspection
GTP-C	Select Stateful Inspection to enable the firewall to inspect GTPv1-C or GTPv2-C or both. When you enable stateful inspection, the firewall uses the source IP, source port, destination IP, destination port, protocol, and the Tunnel Endpoint IDs (TEID) to keep track of a GTP session. It also checks and validates the order of the different types of GTP messages that are used to establish a GTP tunnel. The TEID uniquely identifies the GSN tunnel endpoints. The tunnels for an uplink and a downlink are separate and use a different TEID. Select the Action—Block or Alert—that the firewall takes upon a validity check failure. The alert action allows the traffic but generates a log; block action denies the traffic and generates a log. Specify the validity checks that the firewall must perform on a GTP header and the Information Elements (IE) in a payload. The firewall uses the block or alert action you select below for handling the error. You can configure the firewall to validate: Reserved IE—Checks for the GTPv1-C or GTPv2-C messages that use reserved IE values. Out of Order IE (GTPv1-C only)—Checks that the order of IEs in GTPv1-C messages is accurate. Length of IE—Checks for the GTPv1-C or GTPv2-C messages with invalid IE length. Reserved field in header—Checks for malformed packets that use invalid values or reserved values in a header. Unsupported message type—Checks for unknown or incorrect message types.
GTP-U	Enabling stateful inspection for either GTPv1-C and/or GTPv20C, automatically enables GTPU-U stateful inspection. You can specify the following validity checks for GTP-U payloads. Reserved IE—Checks for the GTP-U messages that use reserved IE values in the payload. Out of order IE—Checks that the order of the IEs in GTP-U messages is correct. Length of IE—Checks for messages with invalid IE length. Reserved field in header—Checks for malformed packets that use invalid values or reserved values in a header. Unsupported message type—Checks for unknown or incorrect message types. In addition you can also configure an allow, block or alert action for: End User IP Address Spoofing—Configure the firewall to block or alert when the source IP address in a GTP-U packet from the subscriber user equipment is not the same as the IP address in the corresponding GTP-C message exchanged during tunnel set up. GTP-in-GTP—You can configure the firewall to block or alert when it detects a GTP-in-GTP message. Upon detection, the firewall generates a GTP log with critical severity. Enable GTP-U Content Inspection if you want to inspect and apply policy to the user data payload within a GTP-U packet. Inspecting GTP-U content allows you to correlate IMSI and IMEI information learned from GTP-C messages with the IP traffic encapsulated in GTP-U packets.
Filtering Options
RAT Filtering	By default all Radio Access Technologies (RAT) are allowed. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the RAT filter. You can specify whether to allow, block or alert on the following Remote Access Technologies (RAT) that the user equipment uses to access the mobile core network: UTRAN GERAN WLAN GAN HSPA Evolution EUTRAN Virtual EUTRAN-NB-IoT
IMSI Filtering	IMSI (International Mobile Subscriber Identity) is a unique identification associated with a subscriber in GSM, UMTS and LTE networks that is provisioned in the Subscriber Identity Module (SIM) card. An IMSI is usually presented as a 15 digit long number (8 byte), but can be shorter. IMSI is composed of three parts: Mobile Country Code (MCC) consisting of three digits. The MCC identifies uniquely the country of domicile of the mobile subscriber. Mobile Network Code (MNC) consisting of two or three digits; two digits European standard or three digits North American standard. The MNC identifies the home PLMN of the mobile subscriber. Mobile Subscriber Identification Number (MSIN) identifying the mobile subscriber within a PLMN. The IMSI Prefix combines the MCC and MNC and allows you to allow, block, or alert GTP traffic from a specific PLMN. By default all IMSI are allowed. You can either manually enter or import a csv file with IMSI or IMSI prefixes into the firewall. The IMSI can include wildcards, for example, 310* or 240011*. The firewall supports a maximum of 5000 IMSI or IMSI prefixes.
APN Filtering	The Access Point Name (APN) is a reference to a GGSN/ PGW that a user equipment requires to connect to the Internet. The APN is composed of two parts: APN Network Identifier that defines the external network to which the GGSN/PGW is connected and optionally a requested service by the mobile station. This part of the APN is mandatory. APN Operator Identifier that defines in which PLMN GPRS/EPS backbone the GGSN/PGW is located. This part of the APN is optional. By default all APNs are allowed. The APN filter allows you to allow, block, or alert GTP traffic based on the APN value. GTP-C Create-PDP-Request and Create-Session-Request messages are filtered or allowed based on the rules defined for APN filtering. You can manually add or import an APN filtering list into the firewall. The value for the APN must include the network ID or the domain name of the network (for example, example.com) and, optionally, the operator ID. For APN filtering, the wildcard '' allows you to match for all APN. A combination of '' and other characters is not supported for wildcards. For example, "internet.mnc* " is treated as a regular APN and will not filter all entries that start with internet.mnc.. The firewall supports a maximum of 1000 APN filters.
GTP Tunnel Limits
Max Concurrent Tunnels Allowed per Destination	Allows you to limit the maximum number of GTP-U tunnels to a destination IP address, for example to the GGSN. Range: 0 to 100000000 tunnels.
Alert at Max Concurrent Tunnels per Destination	Specify the threshold at which the firewall triggers an alert when the number of maximum GTP-U tunnels to a destination have been established. A GTP log message of high severity is generated when the configured tunnel limit is reached.
Logging frequency	The number of events that the firewall counts before it generates a log when the configured GTP tunnel limits are exceeded. This setting allows you to reduce the volume to messages logged. Default: 100; range: 1-100000000
Overbilling Protection	Select the virtual system that serves as the Gi/ SGi firewall on your firewall. The Gi/ SGi firewall inspects the mobile subscriber IP traffic traversing over the Gi/ SGi interface from the PGW/ GGSN to the external PDN (packet data network) such as the internet and secures internet access for mobile subscribers. Overbilling can occur when a GGSN assigns a previously used IP address from the End User IP address pool to a mobile subscriber. When a malicious server on the internet continues to send packets to this IP address as it did not close the session initiated for the previous subscriber and the session is still open on the Gi Firewall. To disallow data from being delivered, whenever a GTP tunnel is deleted (detected by delete-PDP or delete-session message) or timed-out, the firewall enabled for overbilling protection notifies the Gi/ SGi firewall to delete all the sessions that belong to the subscriber from the session table. GTP Security and SGi/ Gi firewall should be configured on the same physical firewall, but can be in different virtual systems. In order to delete sessions based on GTP-C events, the firewall needs to have all the relevant session information and this is possible only when you manage traffic from the SGi + S11 or S5 interfaces for GTPv2 and Gi + Gn interfaces for GTPv1 in the mobile core network.
Other Log Settings By default the firewall does not log allowed GTP messages. You can selectively enable logging of allowed GTP messages for troubleshooting when needed as it will generate high volume of logs. In addition to allowed log messages, this tab also allows you to selectively enable logging of user location information.
GTPv1-C Allowed Messages	Allows you to selectivity enable logging of the allowed GTPv1-C messages, if you have enabled stateful inspection for GTPv1?C. These messages generate logs to help you troubleshoot issues as needed. By default, the firewall does not log allowed messages. The logging options for allowed GTPv1-C messages are: Tunnel Management—These GTPv1-C messages are used to manage the GTP-U tunnels, which carry encapsulated IP packets and signaling messages between a given pair of network nodes like SGSN and GGSN. It includes messages such as Create PDP Context Request, Create PDP Context Response, Update PDP Context Request, Update PDP Context Response, Delete PDP Context Request, Delete PDP Context Response. Path Management—These GTPv1?C messages are typically sent by the GSN or Radio Network Controller (RNC) to the other GSN or RNC to find out if the peer is alive. It includes messages such as Echo Request/Response. Others—These messages include location management, mobility management, RAN information management, and Multimedia Broadcast Multicast Service (MBMS) messages.
Log User Location	Allows you to include the user location information, such as area code and Cell ID, in GTP logs.
Packet Capture	Allows you to capture GTP events.
GTPv2-C Allowed Messages	Allows you to selectively enable logging of the allowed GTPv2-C messages, if you have enabled stateful inspection for GTPv2-C. These messages generate logs to help you troubleshoot issues as needed. By default, the firewall does not log allowed messages. The logging options for allowed GTPv2-C messages are: Tunnel Management—These GTPv2-C messages are used to manage the GTP-U tunnels, which carry encapsulated IP packets and signaling messages between a given pair of network nodes such as the SGW and PGW. It includes the following types of messages: Create Session Request, Create Session Response, Create Bearer Request, Create Bearer Response, Modify Bearer Request, Modify Bearer Response, Delete Session Request, Delete Session Response. Path Management—These GTPv2-C messages are typically sent by network node like the SGW or PGW to the other PGW, SGW to find out of the peer is alive. It includes messages such as Echo Request/Response. Others—These messages include mobility management and Non-3GPP access related messages.
GTP-U Allowed Messages	Allows you to selectively enable logging of the allowed GTP-U messages, if you have enabled stateful inspection for GTPv2?C and/ or GTPv1-C. These messages generate logs to help you troubleshoot issues as needed. The logging options for allowed GTP-U messages are: Tunnel Management—These are GTP-U signaling messages such as Error Indication. Path Management—These GTP-U messages are sent by a network node (such as eNodeB) to another network node (such as SGW) to find out if the peer is alive. It includes messages such as Echo Request/Response. G-PDU—G-PDU (GTP-U PDU) is used for carrying user data packets within the network nodes in the mobile core network; it consists of a GTP header plus a T-PDU.
G-PDU Packets Logged per New GTP-U Tunnel	Enable this option to verify that the firewall is inspecting GTP-U PDUs. The firewall generates a log for the specified number of G-PDU packets in each new GTP-U tunnel. Default: 1; range: 1-10.

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > SCTP Protection