Applying IPS signatures to IP packets within GTP-U tunnels

GTP-U (GTP user data tunnelling) tunnels carry user data packets, signalling messages and error information. GTP-U uses UDP port 2152. Carrier-enabled FortiGate units can apply IPS intrusion protection and detection to GTP-U user data sessions.

To apply IPS to GTP-U user data sessions, add an IPS Sensor to a profile and add the profile to a security policy that accepts GTP-U tunnels. The security policy Service field must be set to GTP or ANY to accept GTP-U packets.

The Carrier-enabled FortiGate unit intercepts packets with destination port 2152, removes the GTP header and handles the packets as regular IP packets. Applying an IPS sensor to the IP packets, the Carrier-enabled FortiGate unit can log attacks and pass or drop packets depending on the configuration of the sensor.

If the packet is GTP-in-GTP, or a nested tunnel, the packets are passed or blocked without being inspected.

To apply an IPS sensor to GTP-U tunnels

1. Go to Security Profiles > Intrusion Protection and select Create New (+) to add an IPS Sensor.

2. Configure the IPS Sensor to detect attacks and log, drop, or pass attack packets.

See the Intrusion Protection section of the FortiOS UTM Guide.

3. Go to Policy & Objects > IPv4 Policy and apply the IPS sensor to the security policy.

4. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy or select a security policy.

5. Configure the security policy to accept GTP traffic.

In the security policy configure the source and destination settings to match the GTP traffic. Service to

GTP or ANY so that the security policy accepts GTP traffic.

6. Select the GTP profile within the security policy.

7. Configure any other required security policy settings.

8. Select OK to save the security policy.