Configuring GTP on FortiOS Carrier
Configuring GTP support on FortiOS Carrier involves configuring a number of areas of features. Some features require longer explanations, and have their own chapters. The other features are addressed here.
- GTP support on the Carrier-enabled FortiGate unit
- Configuring General Settings on the Carrier-enabled FortiGate unit
- Configuring Encapsulated Filtering in FortiOS Carrier Configuring the Protocol Anomaly feature in FortiOS Carrier Configuring Anti-overbilling in FortiOS Carrier
- Logging events on the Carrier-enabled FortiGate unit
GTP support on the Carrier-enabled FortiGate unit
The FortiCarrier unit needs to have access to all traffic entering and exiting the carrier network for scanning, filtering, and logging purposes. This promotes one of two configurations — hub and spoke, or bookend.
A hub and spoke configuration with the Carrier-enabled FortiGate unit at the hub and the other GPRS devices on the spokes is possible for smaller networks where a lower bandwidth allows you to divide one unit into multiple virtual domains to fill multiple roles on the carrier network. It can be difficult with a single FortiOS Carrier as the hub to ensure all possible entry points to the carrier network are properly protected from potential attacks such as relayed network attacks.
A bookend configuration uses two Carrier-enabled FortiGate units to protect the carrier network between them with high bandwidth traffic. One unit handles traffic from mobile stations, SGSNs, and foreign carriers. The other handles GGSN and data network traffic. Together they ensure the network is secure.
The Carrier-enabled FortiGate unit can access all traffic on the network. It can also verify traffic between devices, and verify that the proper GPRS interface is being used. For example there is no reason for a Gn interface to be used to communicate with a mobile station — the mobile station will not know what to do with the data — so that traffic is blocked.
When you are configuring your Carrier-enabled FortiGate unit’s GTP profile, you must first configure the APN. It is critical to GTP communications — no traffic will flow without the APN.
The Carrier-enabled FortiGate unit does more than just forward and route GTP packets over the network. It also performs:
- Packet sanity checking
- GTP stateful inspection
- Protocol anomaly detection and prevention
- HA
- Virtual domain support
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!