FortiCarrier Anti-Overbilling options

Anti-Overbilling options

You can configure the FortiOS Carrier firewall to prevent over billing subscribers for traffic over the. To enable anti-overbilling, you must configure both the Gn/Gp firewall and the Gi firewall.

Expand Anti-Overbilling in the GTP profile to reveal these settings.

Anti-Overbilling
Gi Firewall IP Address The IP address of the unit’s interface configured as a Gi gateway.
Port The SG security port number. The default port number is port 21123. Change this number if your system uses a different SG port.
Interface Select the unit interface configured as a Gi gateway.
Security Context ID Enter the security context ID. This ID must match the ID entered on the server Gi firewall. The default security context ID is 696.

Log options

All the GTP logs are treated as a subtype of the event logs. To enable GTP logging, you must:

l configure the GTP log settings in a GTP profile

Log
Log Frequency Enter the number of messages to drop between logged messages.

An overflow of log messages can sometimes occur when logging ratelimited GTP packets exceed their defined threshold. To conserve resources on the syslog server and the Carrier-enabled FortiGate unit, you can specify that some log messages are dropped. For example, if you want only every twentieth message to be logged, set a logging frequency of 20. This way, 20 messages are skipped and the next logged.

Acceptable frequency values range from 0 to 2147483674. When set to ‘0’, no messages are skipped.

Forwarded Log Select to log forwarded GTP packets.
Denied Log Select to log GTP packets denied or blocked by this GTP profile.
Rate Limited Log Select to log rate-limited GTP packets.
State Invalid Log Select to log GTP packets that have failed stateful inspection.
Tunnel Limit Log Select to log packets dropped because the maximum limit of GTP tunnels for the destination GSN is reached.
Extension Log Select to log extended information about GTP packets. When enabled, this additional information will be included in log entries:

•  IMSI

•  MSISDN

•  APN

•  Selection Mode

•  SGSN address for signaling

•  SGSN address for user data

•  GGSN address for signaling

•  GGSN address for user data

Traffic count Log Select to log the total number of control and user data messages received from and forwarded to the GGSNs and SGSNs that the unit protects.

The unit can report the total number of user data and control messages received from and forwarded to the GGSNs and SGSNs it protects. Alternately, the total size of the user data and control messages can be reported in bytes. The unit differentiates between traffic carried by each GTP tunnel, and also between GTP-User and GTP-Control messages.

The number of messages or the number of bytes of data received from and forwarded to the SGSN or GGSN are totaled and logged if a tunnel is deleted.

When a tunnel is deleted, the log entry contains:

•  Timestamp

•  Interface name (if applicable)

•  SGSN IP address

•  GGSN IP address

•  TID

•  Tunnel duration time in seconds

•  Number of messages sent to the SGSN

•  Number of messages sent to the GGSN

Specifying logging types

You can configure the unit to log GTP packets based on their status with GTP traffic logging.

The status of a GTP packet can be any of the following 5 states:

  • Forwarded – a packet that the unit transmits because the GTP policy allows it l Prohibited – a packet that the unit drops because the GTP policy denies it l Rate-limited – a packet that the unit drops because it exceeds the maximum rate limit of the destination GSN l State-invalid – a packet that the unit drops because it failed stateful inspection l Tunnel-limited – a packet that the unit drops because the maximum limit of GTP tunnels for the destination GSN is reached.

The following information is contained in each log entry:

  • Timestamp l Source IP address l Destination IP address l Tunnel Identifier (TID) or Tunnel Endpoint Identifier (TEID) l Message type
  • Packet status: forwarded, prohibited, state-invalid, rate-limited, or tunnel-limited l Virtual domain ID or name l Reason to be denied if applicable.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiCarrier on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.