Configuring message type filtering in FortiOS Carrier
GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used to carry General Packet Radio Service (GPRS) traffic within Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) networks. It allows carriers to transport actual cellular packets over their network via tunneling.
In the CLI, there is a keyword for each type of GTP message for both message filtering, and for message rate limiting.
GTP message rate limiting is only accessible from the CLI using the command con- figure firewall gtp.
To configure GTP message type filtering – web-based manager
1. Go to Security Profiles > GTP Profile.
2. Select Create New.
3. Enter a name for this profile such as msg_type_filtering.
4. Select Message Type Filtering to expand it.
5. For each type of message in the list, select Allow or Deny. All messages are set to Allow by default.
Fortinet best practices dictate that the unknown message action should be set to Deny for security reasons as this will block malformed messages.
6. Optionally select and configure any other GTP features for this profile, such as logging.
7. Select OK to save the profile.
8. Apply the msg_type_filtering profile a security policy configured for GTP tunnel traffic.
To configure GTP message filtering and block Unknown Message Action messages- CLI
config firewall gtp
edit msg_type_filtering config message-filter
set unknown-message-action deny next
Message Type Fields
Each of the following message types can be allowed or denied by your Carrier-enabled FortiGate unit depending on your carrier network and GTP traffic.
Unknown Message Action
Set this message type to deny.
Many attempts to hack into a carrier network will result in this unknown message type and therefore it is denied for security reasons.
Path Management Messages
Message Type Used by Description
Echo Request/Response GTP-C, GTP-U, GTP’
Echo Request is sent on a path to another GSN to determine if the other node is alive. Echo Response is the reply.
Version not Supported
GTP-C, GTP-U, GTP’
There are multiple versions of GTP. Both devices com- municating must use the same version of GTP, or this message will be the response.
Support Extension Headers
Extensions are optional parts that a device can choose to sup- port or not. If a device includes these extensions, it must include headers for the extensions to sure ensure proper formatting.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!