Configuring advanced filtering in FortiOS Carrier

Configuring advanced filtering in FortiOS Carrier

Compared to ADN or IMSI filtering, advanced filtering is well named. Advanced filtering can be viewed as a catch- all filtering option — if ADN or IMSI filtering doesn’t do what you want, then advanced filtering will. The advanced filtering can use more information elements to provide considerably more granularity for your filtering.

Enable                                        Select to turn on advanced filtering.

Default Action                           Select Allow or Deny as the default action to take when traffic does not match an entry in the advanced filter list .

Messages                                   Optionally select one or more types of messages this filter applies to:

Create PDP Context Request, Create PDP Context Response, Update PDP Context Request, or Update PDP Context Response.

Selecting Create PDP Context Response or Update PDP Context Response limits RAT type to only GAN and HSPA, and disables the APN, APN Mode, IMSI, MSISDN, ULI, RAI, and IMEI fields.

To select Update PDP Context Request, APN Restriction must be set to all. Selecting Update PDP Context Request disables the APN, MSISDN, and IMEI fields.

if all message types are selected, only the RAT Types of GAN and HSPA are available to select.


APN Restriction

APN Restriction either allows all APNs or restricts the APNs to one of four categories — Public-1, Public-2, Private-1, or Private-2. This can also be combined with a specific APN or partial APN as well as specifying the APN mode.

RAT Type                                   Select one or more of the Radio Access Technology Types listed. These fields control how a user accesses the carrier’s network. You can select one or more of UTRAN, GERAN, WLAN, GAN, HSPA, or any.


The user location identifier. Often the ULI is used with the RAI to locate a user geographically on the carrier’s network.

The ULI is disabled when Create PDP Context Response or Update

PDP Context Response messages are selected.

RAI                                              The router area identifier. There is only one SGSN per routing area on a car- rier network. This is often used with ULI to locate a user geographically on

a carrier network.

The RAI is disabled when Create PDP Context Response or Update

PDP Context Response messages are selected.


The International Mobile Equipment Identity. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.

The IMEI is only available when Create PDP Context Request or no mes- sages are selected.

Action                                         Select Allow or Deny as the action when this filter matches traffic.

The default is Allow.

Delete Icon                                 Select to delete this entry from the list.

Edit Icon                                     Select to edit this entry.


Select to add an advanced filter to the list. Not active while creating GTP

profile, only when editing an existing GTP profile.

Save all changes before adding advanced filters. A warning to this effect will be displayed when you select the Add button.


This section offers troubleshooting options for Carrier-related issues. This section includes:

FortiOS Carrier diagnose commands

Applying IPS signatures to IP packets within GTP-U tunnels

GTP packets are not moving along your network


FortiOS Carrier diagnose commands

This section includes diagnose commands specific to FortiOS Carrier features such as GTP.


GTP related diagnose commands

This CLI command allows you to gain information on GTP packets, logs, statistics, and other information.

diag firewall gtp <command>

apn list <gtp_profile>                   The APN list entries in the specified GTP profile

auth-ggsns show <gtp_profile>   The authorized GGSNs entries for the specified GTP profile. Any GGSNs not on this list will not be recognized.

auth-sgsns show <gtp_profile>    The authorized SGSNs list entries for the specified GTP profile. Any SGSNs not on this list will not be recognized.

handover-grp show <gtp_pro- file>

The handover group showing the range of allowed handover group IP addresses. The handover group acts like a whitelist of allowed GTP addresses with a default deny at the end — if the GTP address is not on the list, it is denied.

ie-remove-policy list <gtp_pro- file>

List of IE policies in the IE removal policy for this GTP profile. The inform- ation displayed includes the message count for this policy, the length of the SGSN, the list of IEs, and list of SGSN IP addresses.

imsi list <gtp_profile>

IMSI filter entries for this GTP profile. The information displayed includes the message count for this filter, length of the IMSI, the length of the APN and IMSI, and of course the IMSI and APN values.

invalid-sgsns-to-long list <gtp_


List of SGSNs that do not match the filter criteria. These SGSNs will be logged.

ip-policy list <gtp_profile>            List the IP policies including message count for each policy, the action to take, the source and destination IP addresses or ranges, and masks.

noip-policy <gtp_profile>             List the non-IP policies including the message count, which mode, the action to take, and the start and end protocols to be used by decimal num- ber.

Select list or flush.

path {list | flush}

List the GTP related paths in FortiOS Carrier memory.

Flush the GTP related paths from memory.

policy list <gtp_policy>                The GTP advanced filter policy information for this GTP profile. The inform- ation displayed for each entry includes a count for messages matching this filter, a hexidecimal mask of which message types to match, the asso- ciated flags, action to take on a match, APN selection mode, MSISDN,

RAT types, RAI, ULI, and IMEI.

profile list

Displays information about the configured GTP profiles.

You will not be able to see the bulk of the information if you do not log the output to a file.

runtime-stat flush                        Select to flush the GTP runtime statistics from memory.


Display the GTP runtime statistics — details on current GTP activity. This information includes how many tunnels are active, how many GTP profiles exist, how many IMSI filter entries, how many APN filter entries, advanced policy filter entries, IE remove policy filter entries, IP policy filter entries, clashes, and dropped packets.

tunnel {list | flush}                        Select one of list or flush.

List lists all the GTP tunnels currently active.

Flush clears the list of active GTP tunnels. This does not clear the clash counter displayed in the stat command.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.