FortiCarrier Web Based Manager Settings

Adding an advanced filtering rule

When adding a rule, use the following formats:

  • Prefix, for example, 31* for MCC matches MCC values from 310 to 319.
  • Range, for example, 310-319 for MCC matches MCC values from 310 to 319.
  • Mobile Country Code (MCC) consists of three digits. The MCC identifies the country of domicile of the mobile subscriber.
  • Mobile Network Code (MNC) consists of two or three digits for GSM/UMTS applications. The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or three digits) depends on the value of the MCC. Best practice is not to mix two- and three-digit MNC codes within a single MCC area.
  • Location Area Code (LAC) is a fixed-length code (of 2 octets) identifying a location area within a PLMN. This part of the location area identification can be coded using a full hexadecimal representation except for the following reserved hexadecimal values: 0000 and FFFE. These reserved values are used in some special cases when no valid LAI exists in the MS (see 3GPP TS 24.008, 3GPP TS 31.102 and 3GPP TS 51.011).
  • Routing Area Code (RAC) is a fixed-length code (of 1 octet) identifying a routing area within a location area.
  • CI or SAC is a fixed-length code (of 2 octets) that can be coded using a full hexadecimal expression.
  • Type Allocation Code (TAC) has a length of 8 digits.
  • Serial Number (SNR) is an individual serial number identifying each equipment within each TAC. SNR has a length of 6 digits.
  • Software Version Number (SVN) identifies the software version number of the mobile equipment. SVN has a length of 2 digits.
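The rule formats and field widths above are enough to write a matcher. The following is an added example, not Fortinet code and not how the unit implements its filters; it assumes the prefix/range/exact syntax and the digit and octet widths listed on this page, treats LAC values 0000 and FFFE as never matching, and splits a 16-digit IMEI-SV as TAC (8) + SNR (6) + SVN (2). Everything else (function names, the test values) is the example's own.

```python
import re

# Field widths taken from the rule formats above. Decimal fields give
# (min_digits, max_digits); hex-coded fields give their width in octets.
DIGIT_FIELDS = {"MCC": (3, 3), "MNC": (2, 3), "TAC": (8, 8), "SNR": (6, 6), "SVN": (2, 2)}
HEX_FIELDS = {"LAC": 2, "RAC": 1, "CI": 2, "SAC": 2}
LAC_RESERVED = {"0000", "FFFE"}   # "no valid LAI exists in the MS" values (3GPP TS 24.008)

# Rule syntax: "31*" (prefix), "310-319" (range) or "310" (exact value).
RULE_RE = re.compile(
    r"^(?:(?P<prefix>[0-9A-Fa-f]+)\*"
    r"|(?P<lo>[0-9A-Fa-f]+)-(?P<hi>[0-9A-Fa-f]+)"
    r"|(?P<exact>[0-9A-Fa-f]+))$"
)


def validate(field, value):
    """True if value is well-formed for the named field, False otherwise."""
    if field in DIGIT_FIELDS:
        lo, hi = DIGIT_FIELDS[field]
        return value.isascii() and value.isdigit() and lo <= len(value) <= hi
    if field in HEX_FIELDS:
        if len(value) != 2 * HEX_FIELDS[field]:
            return False
        try:
            int(value, 16)
        except ValueError:
            return False
        # Reserved LAC values are never a legitimate location, so never a match.
        return not (field == "LAC" and value.upper() in LAC_RESERVED)
    raise ValueError(f"unknown field {field!r}")


def compile_rule(field, rule):
    """Turn one rule string into a predicate over an already-validated value."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"bad rule syntax {rule!r}")
    base = 16 if field in HEX_FIELDS else 10
    if m.group("prefix") is not None:
        prefix = m.group("prefix").upper()
        return lambda v: v.upper().startswith(prefix)
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo"), base), int(m.group("hi"), base)
        if lo > hi:
            raise ValueError(f"range {rule!r} is reversed")
        return lambda v: lo <= int(v, base) <= hi
    exact = m.group("exact").upper()
    return lambda v: v.upper() == exact


def matches(field, rule, value):
    """A malformed value never matches; a malformed rule is a configuration error."""
    return validate(field, value) and compile_rule(field, rule)(value)


def split_imeisv(imeisv):
    """IMEI-SV = TAC (8 digits) + SNR (6 digits) + SVN (2 digits)."""
    if not (imeisv.isascii() and imeisv.isdigit() and len(imeisv) == 16):
        raise ValueError("IMEI-SV must be 16 decimal digits")
    return {"TAC": imeisv[:8], "SNR": imeisv[8:14], "SVN": imeisv[14:]}
```

Note the asymmetry: a value that fails validation (a two-digit MCC, a reserved LAC) simply does not match, while a rule that fails to parse raises, because a bad rule is an operator error that should surface at configuration time rather than silently matching nothing.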

Information Element (IE) removal policy options

In some roaming scenarios, the unit is installed on the border of the PLMN and the GRX. In this configuration, the unit supports information element (IE) removal policies to remove any combination of R6 IEs (RAT, RAI, ULI, IMEI-SV and APN restrictions) from the types of messages described in “Advanced filtering options”, prior to forwarding the messages to the HGGSN (proxy mode).

IE removal policy
Enable                      Select to enable this option.
SGSN address of message IE  The firewall address or address group that contains the SGSN addresses.
IEs to be removed           The IE types that will be removed. These include APN Restriction, RAT, RAI, ULI, and IMEI.
Add                         Adds an IE removal policy. When you select Add, the New window appears, which allows you to configure the IE policy.
Edit                        Modifies settings from within the IE removal policy. When you select Edit, the Edit window appears, which allows you to modify the settings within the policy.
Delete                      Removes the IE removal policy from the list.

New IE policy page
SGSN address                Select a firewall address or address group that contains SGSN addresses.
IEs to be removed           Select one or more IE types to be removed. These include APN Restriction, RAT, RAI, ULI, and IMEI.
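To make the removal policy concrete, here is an added example of what stripping those IEs from a GTPv1-C message involves; it is not Fortinet code and says nothing about how the unit does it internally. It assumes the GTPv1 wire format from 3GPP TS 29.060 (TV IEs with fixed lengths for types below 128, TLV IEs with a two-octet length from 128 up, and the IE type numbers RAI = 3, APN Restriction = 149, RAT Type = 151, ULI = 152, IMEI(SV) = 154). The sample Create PDP Context Request is constructed, not captured.

```python
import struct

# Fixed value lengths of GTPv1 TV (type < 128) IEs, from 3GPP TS 29.060.
# Everything from type 128 up is TLV with a 2-octet length.
TV_LENGTHS = {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 8: 1, 9: 28, 11: 1, 12: 3, 13: 1,
              14: 1, 15: 1, 16: 4, 17: 4, 18: 5, 19: 1, 20: 1, 21: 1, 22: 9,
              23: 1, 24: 1, 25: 2, 26: 2, 27: 2, 28: 2, 29: 1, 127: 4}

# The R6 IEs named on this page, by GTPv1 IE type number.
R6_IES = {"RAI": 3, "APN Restriction": 149, "RAT Type": 151, "ULI": 152, "IMEI-SV": 154}


def header_len(msg):
    """Length of the GTPv1 header, including optional fields and extension headers."""
    flags = msg[0]
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x07:            # E, S and PN all clear: 8-octet header
        return 8
    hdr = 12                        # seq(2) + N-PDU(1) + next ext type(1) present
    next_type = msg[11] if flags & 0x04 else 0
    while next_type:                # walk the extension header chain
        ext_len = msg[hdr] * 4      # length field is in units of 4 octets
        if ext_len == 0:
            raise ValueError("zero-length extension header")
        next_type = msg[hdr + ext_len - 1]
        hdr += ext_len
    return hdr


def parse_ies(payload):
    """Split the IE area into (type, value) pairs, refusing anything truncated."""
    ies, i = [], 0
    while i < len(payload):
        t = payload[i]
        if t < 128:
            if t not in TV_LENGTHS:
                raise ValueError(f"unknown TV IE type {t}; cannot resynchronise")
            n, start = TV_LENGTHS[t], i + 1
        else:
            if i + 3 > len(payload):
                raise ValueError("truncated TLV header")
            n, start = struct.unpack_from("!H", payload, i + 1)[0], i + 3
        value = payload[start:start + n]
        if len(value) != n:
            raise ValueError(f"truncated IE type {t}")
        ies.append((t, value))
        i = start + n
    return ies


def encode_ies(ies):
    out = bytearray()
    for t, v in ies:
        out += bytes([t]) + (b"" if t < 128 else struct.pack("!H", len(v))) + v
    return bytes(out)


def remove_ies(msg, remove):
    """Return (rewritten message, sorted list of IE types that were stripped)."""
    h = header_len(msg)
    if struct.unpack_from("!H", msg, 2)[0] != len(msg) - 8:
        raise ValueError("GTP length field disagrees with message size")
    ies = parse_ies(msg[h:])
    kept = [ie for ie in ies if ie[0] not in remove]
    out = bytearray(msg[:h]) + encode_ies(kept)
    struct.pack_into("!H", out, 2, len(out) - 8)   # length counts octets after the first 8
    return bytes(out), sorted({t for t, _ in ies} & set(remove))


def sample_create_pdp_request():
    """Constructed Create PDP Context Request (type 16) with the S flag set; not a capture."""
    ies = [
        (2, bytes.fromhex("1301512143658709")),      # IMSI (TBCD)
        (3, bytes.fromhex("130051000a01")),           # RAI: MCC/MNC + LAC + RAC
        (14, b"\x00"),                                # Recovery
        (15, b"\xfc"),                                # Selection Mode
        (16, b"\x00\x00\x00\x01"),                    # TEID Data I
        (17, b"\x00\x00\x00\x02"),                    # TEID Control Plane
        (20, b"\x05"),                                # NSAPI
        (128, b"\xf1\x21"),                           # End User Address: IETF, IPv4
        (131, b"\x08internet"),                       # APN
        (151, b"\x01"),                               # RAT Type
        (152, bytes.fromhex("00130051000a0001")),     # ULI
        (154, bytes.fromhex("5369870123456701")),     # IMEI(SV) (TBCD)
        (149, b"\x00"),                               # APN Restriction
    ]
    body = encode_ies(ies)
    # flags 0x32: version 1, PT=1, S=1; length counts the 4 optional octets too.
    hdr = struct.pack("!BBHIHBB", 0x32, 16, len(body) + 4, 0, 1, 0, 0)
    return hdr + body
```

Two details matter for anything sitting on a GRX border: the GTP length field must be rewritten after stripping, and an unknown TV-encoded IE type has no length field, so the parser cannot skip it and must refuse the message rather than guess.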

Encapsulated IP traffic filtering options

You can use encapsulated IP traffic filtering to filter GTP sessions based on information contained in the data stream, and so control data flows within your infrastructure. You can configure IP filtering rules to filter encapsulated IP traffic from mobile stations by specifying source and destination addresses in the filter policies. For more information, see When to use encapsulated IP traffic filtering.

Expand Encapsulated IP Traffic Filtering in the GTP profile to reveal the options.

Encapsulated IP Traffic Filtering
Enable IP Filter            Select to enable encapsulated IP traffic filtering options.
Default IP Action           Select the default action for encapsulated IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated IP traffic filters.
Source                      Select a source IP address from the configured firewall IP address or address group lists. Any encapsulated traffic originating from this IP address will be a match if the destination also matches.
Destination                 Select a destination IP address from the configured firewall IP address or address group lists. Any encapsulated traffic being sent to this IP address will be a match if the source also matches.
Action                      The type of action that will be taken. Select Allow or Deny for encapsulated traffic between this source and destination.
Edit                        Modifies the source, destination or action settings.
Add IP Policy               Adds a new encapsulated IP traffic filter. When you select Add IP Policy, the New window appears, which allows you to configure IP policy settings.

New (window)
Source                      Select the source firewall address or address group.
Destination                 Select the destination firewall address or address group.
Action                      Select Allow or Deny.
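The semantics of the table (a default action, then source/destination/action entries that are matched as a pair) are easy to get wrong when the traffic is tunnelled, because the addresses that matter are those of the inner IP packet, not the GSN addresses on the outside of the GTP-U tunnel. The following is an added example that pulls the inner IPv4 addresses out of a G-PDU and evaluates them against such a filter; it is not Fortinet code and does not claim to reproduce the unit's matching order. It assumes the GTPv1-U header layout from 3GPP TS 29.060 (message type 255, 8-octet header plus 4 optional octets when any of the S, PN or E flags is set; extension headers are rejected rather than parsed here), first-match rule evaluation, and the constructed addresses and packet shown.

```python
import ipaddress
import struct


def inner_ipv4(gpdu):
    """Return (src, dst) of the IPv4 packet carried in a GTPv1-U G-PDU (message type 255)."""
    flags, mtype = gpdu[0], gpdu[1]
    if flags >> 5 != 1 or mtype != 255:
        raise ValueError("not a GTPv1 G-PDU")
    if flags & 0x04:
        raise ValueError("extension headers not handled by this example")
    hdr = 12 if flags & 0x07 else 8          # S or PN flag adds the 4 optional octets
    declared = struct.unpack_from("!H", gpdu, 2)[0]
    if declared != len(gpdu) - 8:
        raise ValueError("GTP length field disagrees with message size")
    inner = gpdu[hdr:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])


class EncapsulatedIPFilter:
    """Default action plus ordered (source group, destination group, action) rules."""

    def __init__(self, default, rules):
        if default not in ("allow", "deny"):
            raise ValueError("default must be allow or deny")
        self.default = default
        self.rules = [([ipaddress.ip_network(s) for s in src],
                       [ipaddress.ip_network(d) for d in dst], action)
                      for src, dst, action in rules]

    def decide(self, src, dst):
        # A rule matches only when both the source and the destination group match.
        for srcs, dsts, action in self.rules:
            if any(src in n for n in srcs) and any(dst in n for n in dsts):
                return action
        return self.default


def sample_gpdu(src, dst):
    """Constructed G-PDU carrying a minimal IPv4/UDP packet; not a real capture."""
    payload = b"\x00\x35\x00\x35\x00\x0c\x00\x00" + b"ping"   # UDP header + 4 data bytes
    total = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    # flags 0x30: version 1, PT=1, no optional octets; TEID is arbitrary here.
    return struct.pack("!BBHI", 0x30, 255, total, 0x12345678) + ip + payload


# Constructed policy: MS address pool 10.0.0.0/8, service network 192.0.2.0/24.
policy = EncapsulatedIPFilter("deny", [
    (["10.0.0.0/8"], ["10.0.0.0/8"], "deny"),          # block MS-to-MS traffic explicitly
    (["10.0.0.0/8"], ["192.0.2.0/24"], "allow"),       # MS to service network
])


def decide_gpdu(gpdu, filt=policy):
    return filt.decide(*inner_ipv4(gpdu))
```

With Default IP Action set to Deny, anything not covered by an Allow entry (here, a subscriber reaching an address outside the service network) is dropped; the explicit MS-to-MS Deny is listed first so that it wins even if a later Allow is broadened to cover the pool.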

Encapsulated non-IP end user traffic filtering options

Depending on the installed environment, it may be beneficial to detect GTP packets that encapsulate non-IP based protocols. You can configure the FortiOS Carrier firewall to permit a list of acceptable protocols, with all other protocols denied.

The encoded protocol is determined by the PDP Type Organization and PDP Type Number fields within the End User Address Information Element. The PDP Type Organization is a 4-bit field that indicates whether the protocol is defined by ETSI or by the IETF; the values are zero and one, respectively. The PDP Type Number field is one octet long. Both GTP specifications list only PPP, with a PDP Type Number of one, as a valid ETSI protocol. PDP Type Numbers for IETF protocols are taken from the “Assigned PPP DLL Protocol Numbers” section of RFC 1700 (since obsoleted by RFC 3232 in favour of the IANA online registry, which carries the same PPP numbers). The PDP Type Numbers are compressed, meaning that the most significant octet of the 16-bit PPP protocol number is dropped, limiting the protocols that can be expressed to 0x00 to 0xFF.

Encapsulated Non-IP End User Address Filtering
Enable Non-IP Filter        Select to enable encapsulated non-IP traffic filtering.
Default Non-IP Action       Select the default action for encapsulated non-IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated non-IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated non-IP traffic filters.
Type                        The type chosen, ETSI or IETF.
Start Protocol              The beginning of the protocol number range.
End Protocol                The end of the protocol number range.
Action                      The type of action that will be taken.
Edit                        Modify a non-IP filter’s settings in the list. When you select Edit, the Edit window appears, which allows you to modify the Non-IP policy settings.
Delete                      Remove a non-IP policy from the list.
Add Non-IP Policy           Add a new encapsulated non-IP traffic filter. When you select Add Non-IP Policy, you are automatically redirected to the New page.

New (window)
Type                        Select ETSI or IETF.
Start Protocol              Select a start and end protocol from the list of protocols in RFC 1700. Allowed range includes 0 to 255 (0x00 to 0xff). The decimal value is the one-octet PDP Type Number; the hexadecimal value in parentheses is the full 16-bit PPP protocol number from RFC 1700. Some common protocols include:
End Protocol
  •  33 (0x0021)   Internet Protocol
  •  35 (0x0023)   OSI Network Layer
  •  63 (0x003f)   NETBIOS Framing
  •  65 (0x0041)   Cisco Systems
  •  79 (0x004f)   IP6 Header Compression
  •  83 (0x0053)   Encryption
Action                      Select Allow or Deny.
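The End User Address encoding described above and the Type / Start Protocol / End Protocol / Action entries of the non-IP filter fit together as follows. This is an added example, not Fortinet code, and it does not claim to match the unit's evaluation order. It assumes the End User Address IE value layout from 3GPP TS 29.060 (first octet: spare upper nibble, PDP Type Organization in the low nibble; second octet: PDP Type Number), the protocol numbers listed on this page plus 0x57 for IPv6 from the same 3GPP specification, first-match rule evaluation, and the constructed IE values and policy shown.

```python
# PDP Type Organization values from the End User Address IE (first octet, low nibble).
PDP_TYPE_ORG = {0: "ETSI", 1: "IETF"}

# Protocol numbers the page lists, plus 0x57 (IPv6) from 3GPP TS 29.060.
IETF_PDP_NAMES = {0x21: "Internet Protocol", 0x23: "OSI Network Layer",
                  0x3F: "NETBIOS Framing", 0x41: "Cisco Systems",
                  0x4F: "IP6 Header Compression", 0x53: "Encryption",
                  0x57: "IPv6"}
ETSI_PDP_NAMES = {1: "PPP"}


def pdp_type(eua_value):
    """Decode (organization, number) from an End User Address IE value."""
    if len(eua_value) < 2:
        raise ValueError("End User Address IE too short")
    org = eua_value[0] & 0x0F             # upper nibble is spare (1111)
    if org not in PDP_TYPE_ORG:
        raise ValueError(f"unknown PDP Type Organization {org}")
    return PDP_TYPE_ORG[org], eua_value[1]   # number is one octet: 0x00..0xFF


def describe(org, number):
    names = ETSI_PDP_NAMES if org == "ETSI" else IETF_PDP_NAMES
    return names.get(number, f"unknown ({org} {number:#04x})")


class NonIPFilter:
    """Default action plus ordered (type, start, end, action) rules; first match wins."""

    def __init__(self, default, rules):
        if default not in ("allow", "deny"):
            raise ValueError("default must be allow or deny")
        self.default = default
        for org, start, end, action in rules:
            if org not in PDP_TYPE_ORG.values() or not 0 <= start <= end <= 0xFF:
                raise ValueError(f"bad rule {(org, start, end, action)}")
        self.rules = list(rules)

    def decide(self, org, number):
        for rule_org, start, end, action in self.rules:
            if rule_org == org and start <= number <= end:
                return action
        return self.default


# Constructed policy: default Deny, with PPP, IPv4 and IPv6 explicitly allowed.
policy = NonIPFilter("deny", [
    ("ETSI", 1, 1, "allow"),
    ("IETF", 0x21, 0x21, "allow"),
    ("IETF", 0x57, 0x57, "allow"),
])


def decide_eua(eua_value, filt=policy):
    """Classify one End User Address IE value and return (action, protocol name)."""
    org, number = pdp_type(eua_value)
    return filt.decide(org, number), describe(org, number)
```

The page does not say whether the unit consults this filter for IP PDP types as well, so the example evaluates every End User Address the same way; if you run with Default Non-IP Action set to Deny, listing IPv4 (0x21) and IPv6 (0x57) explicitly, as above, avoids the case where a restrictive default is applied to ordinary sessions.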

