If you experienced any downtime I apologize. I managed to put a character where it shouldn’t have been on the back end and it caused the site to display Server 500 errors. Everything should be back up and running now though.
Troubleshooting
This section offers troubleshooting options for Carrier-related issues.
This section includes:
FortiOS Carrier diagnose commands
Applying IPS signatures to IP packets within GTP-U tunnels
GTP packets are not moving along your network
FortiOS Carrier diagnose commands
This section includes diagnose commands specific to FortiOS Carrier features such as GTP.
GTP related diagnose commands
This CLI command allows you to gain information on GTP packets, logs, statistics, and other information.
diag firewall gtp <command>
| apn list <gtp_profile> | The APN list entries in the specified GTP profile |
| auth-ggsns show <gtp_profile> | The authorized GGSNs entries for the specified GTP profile. Any GGSNs not on this list will not be recognized. |
| auth-sgsns show <gtp_profile> | The authorized SGSNs list entries for the specified GTP profile. Any SGSNs not on this list will not be recognized. |
| handover-grp show <gtp_
profile> |
The handover group showing the range of allowed handover group IP addresses. The handover group acts like a whitelist of allowed GTP addresses with a default deny at the end — if the GTP address is not on the list, it is denied. |
| ie-remove-policy list <gtp_ profile> | List of IE policies in the IE removal policy for this GTP profile. The information displayed includes the message count for this policy, the length of the SGSN, the list of IEs, and list of SGSN IP addresses. |
| imsi list <gtp_profile> | IMSI filter entries for this GTP profile. The information displayed includes the message count for this filter, length of the IMSI, the length of the APN and IMSI, and of course the IMSI and APN values. |
| invalid-sgsns-to-long list <gtp_ profile> | List of SGSNs that do not match the filter criteria. These SGSNs will be logged. |
| ip-policy list <gtp_profile> | List the IP policies including message count for each policy, the action to take, the source and destination IP addresses or ranges, and masks. |
Applying IPS signatures to IP packets within GTP-U tunnels
| noip-policy <gtp_profile> | List the non-IP policies including the message count, which mode, the action to take, and the start and end protocols to be used by decimal number. |
| path {list | flush} | Select list or flush.
List the GTP related paths in FortiOS Carrier memory. Flush the GTP related paths from memory. |
| policy list <gtp_policy> | The GTP advanced filter policy information for this GTP profile. The information displayed for each entry includes a count for messages matching this filter, a hexidecimal mask of which message types to match, the associated flags, action to take on a match, APN selection mode, MSISDN, RAT types, RAI, ULI, and IMEI. |
| profile list | Displays information about the configured GTP profiles.
You will not be able to see the bulk of the information if you do not log the output to a file. |
| runtime-stat flush | Select to flush the GTP runtime statistics from memory. |
| stat | Display the GTP runtime statistics — details on current GTP activity. This information includes how many tunnels are active, how many GTP profiles exist, how many IMSI filter entries, how many APN filter entries, advanced policy filter entries, IE remove policy filter entries, IP policy filter entries, clashes, and dropped packets. |
| tunnel {list | flush} | Select one of list or flush.
List lists all the GTP tunnels currently active. Flush clears the list of active GTP tunnels. This does not clear the clash counter displayed in the stat command. |
Configuring GTP on FortiOS Carrier
Configuring GTP support on FortiOS Carrier involves configuring a number of areas of features. Some features require longer explanations, and have their own chapters. The other features are addressed here.
GTP support on the Carrier-enabled FortiGate unit
Configuring General Settings on the Carrier-enabled FortiGate unit
Configuring Encapsulated Filtering in FortiOS Carrier
Configuring the Protocol Anomaly feature in FortiOS Carrier
Configuring Anti-overbilling in FortiOS Carrier
Logging events on the Carrier-enabled FortiGate unit
GTP support on the Carrier-enabled FortiGate unit
The FortiCarrier unit needs to have access to all traffic entering and exiting the carrier network for scanning, filtering, and logging purposes. This promotes one of two configurations — hub and spoke, or bookend.
A hub and spoke configuration with the Carrier-enabled FortiGate unit at the hub and the other GPRS devices on the spokes is possible for smaller networks where a lower bandwidth allows you to divide one unit into multiple virtual domains to fill multiple roles on the carrier network. It can be difficult with a single FortiOS Carrier as the hub to ensure all possible entry points to the carrier network are properly protected from potential attacks such as relayed network attacks.
A bookend configuration uses two Carrier-enabled FortiGate units to protect the carrier network between them with high bandwidth traffic. One unit handles traffic from mobile stations, SGSNs, and foreign carriers. The other handles GGSN and data network traffic. Together they ensure the network is secure.
The Carrier-enabled FortiGate unit can access all traffic on the network. It can also verify traffic between devices, and verify that the proper GPRS interface is being used. For example there is no reason for a Gn interface to be used to communicate with a mobile station — the mobile station will not know what to do with the data — so that traffic is blocked.
When you are configuring your Carrier-enabled FortiGate unit’s GTP profile, you must first configure the APN. It is critical to GTP communications — no traffic will flow without the APN.
GTP support on the Carrier-enabled FortiGate unit
The Carrier-enabled FortiGate unit does more than just forward and route GTP packets over the network. It also performs:
Packet sanity checking
The FortiOS Carrier firewall checks the following items to determine if a packet confirms to the UDP and GTP standards:
If the packet in question does not confirm to the standards, the FortiOS Carrier firewall drops the packet, so that the malformed or forged traffic will not be processed.
GTP stateful inspection
Apart from the static inspection (checking the packet header), the FortiOS Carrier firewall performs stateful inspection.
Stateful inspection provides enhanced security by keeping track of communications sessions and packets over a period of time. Both incoming and outgoing packets are examined. Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the firewall.
The FortiOS Carrier firewall can also index the GTP tunnels to keep track of them.
Using the enhanced Carrier traffic policy, the FortiOS Carrier firewall can block unwanted encapsulated traffic in GTP tunnels, such as infrastructure attacks. Infrastructure attacks involve attempts by an attacker to connect to restricted machines, such as GSN devices, network management systems, or mobile stations. If these attmpts to connect are detected, they are to be flagged immediately by the firewall .
Message flood protection
The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse.
Overview
Setting message flood thresholds
Notifying administrators of floods
Example — three flood threshold levels with different actions for each threshold
Notifying message flood senders and receivers
Viewing DLP archived messages
Order of operations: flood checking before duplicate checking
Bypassing message flood protection based on user’s carrier endpoints
Configuring message flood detection
Sending administrator alert notifications
MMS Security features
FortiOS Carrier includes all the Security features of FortiOS with extra features specific to MMS carrier networks.
This section includes:
Why scan MMS messages for viruses and malware?
MMS virus scanning
Sender notifications and logging
MMS content-based Antispam protection MMS DLP archiving
Why scan MMS messages for viruses and malware?
The requirement for scanning MM1 content comes from the fact that MMS is an increasingly popular technique for propagating malware between mobile devices.
Example: COMMWARRIOR
This is a virus for Series 60 type cell phones, such as Nokia, operating Symbian OS version 6 [or higher]. The object of the virus is to spread to other phones using Bluetooth and MMS as transport avenues. The targets are selected from the contact list of the infected phone and also sought via Bluetooth searching for other Bluetoothenabled devices (phones, printers, gaming devices etc.) in the proximity of the infected phone.
This virus is more than a proof of concept – it has proven successfully its ability to migrate from a zoo collection to being in-the-wild. Currently, this virus is being reported in over 18 different countries around Europe, Asia and North America.
When the virus first infects a cell phone, a prompt is displayed asking the recipient if they want to install “Caribe”. Symptoms of an infected phone may include rapid battery power loss due to constant efforts by the virus to spread to other phones via a Bluetooth seek-and-connect outreach.
The following variants among others are currently scanned by the FortiOS Carrier devices, in addition to more signatures that cover all known threats.
SymbOS/Commwarrior.b!sis, SymbOS/Comwar.B, SymbOS/Comwar.B!wm, SymbOS/Comwar.B-wm, SYMBOS_
COMWAR.B, SymbOS/Comwar.1.0.B!wormSYMBOS/COMWAR.V10B.SP!WORM [spanish version] l First Discovered In The Wild: July 04, 2007 l Impact Level: 1 l Virus Class: Worm l Virus Name Size: 23,320 l SymbOS/Commwar.A!worm
ezboot.A-ne, SymbOS/Comwar.A, SymbOS/Comwar.A-wm, SYMBOS_COMWAR.A [Trend]
For the latest list of threats Fortinet devices detect, visit the FortiGuard Center.
Carrier web-based manager settings
The Carrier menu provides settings for configuring FortiOS Carrier features within the Security Profiles menu. These features include MMS and GTP profiles.
In Security Profiles > Carrier, you can configure profiles and settings for MMS and GTP. In the Carrier menu, you can configure an MMS profile and then apply it to a security policy. You can also configure GTP profiles and apply those to security policies as well.
This topic includes the following:
MMS profiles
Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.
If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.
For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.
Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.
MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.
The MMS Profile page contains options for each of the following:
l MMS scanning l MMS Bulk Email Filtering Detection l MMS Address Translation l MMS Notifications l DLP Archive l Logging
Introduction
FortiOS Carrier provides all the features found on FortiGate units plus added features specific to carrier networks. These features are explained in this document and include dynamic profiles and groups, Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.
This chapter contains the following sections:
Before you begin
Before you begin ensure that:
How this guide is organized
This FortiOS Handbook chapter contains the following sections:
Overview of FortiOS Carrier features provides an overview of the three major topics for FortiOS Carrier — Dynamic Profiles, MMS, and GTP.
Carrier web-based manager settings describes the web-based manager interface of FortiOS Carrier specific features.
MMS Security features describes FortiOS security features as they apply to MMS including MMS virus scanning, MMS file filtering, MMS content-based Antispam protection, and MMS DLP archiving.
Message flood protection describes setting thresholds to protect your MMS servers from receiving too many messages from the same sender.
Duplicate message protection describes setting thresholds to protect your MMS servers from receiving the same message from more than one sender.
Configuring GTP on FortiOS Carrier explains configuration of the more basic FortiOS Carrier GTP features.
GTP message type filtering explains this feature, and how to configure it on FortiOS Carrier.
GTP identity filtering explains this feature, and how to configure it on FortiOS Carrier.
Troubleshooting provides answer to common FortiOS Carrier GTP issues.
Overview
Overview of FortiOS Carrier features
FortiOS Carrier specific features include Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.
All FortiGate units, carrier-enabled or not, are capable of handling Stream Control Transmission Protocol (SCTP) traffic, which is a protocol designed for and primarily used in Carrier networks.
This section includes:
Overview
Registering FortiOS Carrier
MMS background
How FortiOS Carrier processes MMS messages
MMS protection profiles
Bypassing MMS protection profile filtering based on carrier endpoints
Applying MMS protection profiles to MMS traffic
GTP basic concepts
GPRS network common interfaces
Packet flow through the GPRS network SCTP
Sometimes, after a long day of work, the need to vent is so powerful that you can’t overcome it. Well, today is one of those days so I figured I would bless you guys with a little bit of information. If you use a Dell Sonic Wall…..I pity you for you know not what you do….These devices are horrible. Absolutely horrible. Go buy a FortiGate, or hell, a Palo Alto even just to stay away from these things. I seriously almost shot one today with a Springfield Armory XDS 45 ACP. It would have caused and incredibly warm feeling, like that of morphine flowing through your veins, to be experienced by myself. Speaking of which, I will be filming myself shooting AND blowing up some competitor hardware as I remove them from the client’s offices. I thought you guys might get a kick out of that and lets face it, as soon as I figure out the logistics with doing it legally, I too, will enjoy it. Keep your eyes open for some Fortinet GURU how to videos. Going to start with videos based on the Cook Book, but with better explanations than what Fortinet provided and then I will move on to tasks and encounters I have seen in the field.
Remember kids, friends don’t let friends buy SonicWall.