Configuring GTP on FortiOS Carrier

Configuring message type filtering in FortiOS Carrier

GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used to carry General Packet Radio Service (GPRS) traffic within Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) networks. It allows carriers to transport actual cellular packets over their network via tunneling.

In the CLI, there is a keyword for each type of GTP message, both for message filtering and for message rate limiting.

GTP message rate limiting is only accessible from the CLI, using the command config firewall gtp.


To configure GTP message type filtering – web-based manager

1. Go to Security Profiles > GTP Profile.

2. Select Create New.

3. Enter a name for this profile such as msg_type_filtering.

4. Select Message Type Filtering to expand it.

5. For each type of message in the list, select Allow or Deny. All messages are set to Allow by default.


Fortinet best practices dictate that the unknown message action should be set to Deny for security reasons, as this blocks malformed messages.

6. Optionally select and configure any other GTP features for this profile, such as logging.

7. Select OK to save the profile.

8. Apply the msg_type_filtering profile to a security policy configured for GTP tunnel traffic.


To configure GTP message filtering and block Unknown Message Action messages – CLI

config firewall gtp
    edit msg_type_filtering
        config message-filter
            set unknown-message-action deny
        end
    next
end
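As an added check for the best practice above (example code written for this page, not Fortinet's own tooling), the script below parses a config firewall gtp section in FortiOS CLI syntax and reports every profile that does not explicitly set unknown-message-action to deny. The sample configuration is constructed, and the profile names lab_profile and default_profile are assumptions.

```python
# Constructed sample (not a real device dump): one profile follows the
# best practice, one does not, and one never sets unknown-message-action.
SAMPLE_CONFIG = """\
config firewall gtp
    edit "msg_type_filtering"
        config message-filter
            set unknown-message-action deny
        end
    next
    edit "lab_profile"
        config message-filter
            set unknown-message-action allow
        end
    next
    edit "default_profile"
    next
end
"""

def parse_gtp_profiles(text):
    """Map each profile under 'config firewall gtp' to its settings. Settings
    inside a nested 'config <table> ... end' block are keyed '<table>.<name>'."""
    profiles, stack, current = {}, [], None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))      # enter a table
        elif tok[0] == "edit" and len(stack) == 1:
            current = tok[1].strip('"')          # a profile at top level
            profiles[current] = {}
        elif tok[0] == "set" and current is not None:
            key = ".".join(stack[1:] + [tok[1]])
            profiles[current][key] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next":
            current = None                       # leave the profile
        elif tok[0] == "end" and stack:
            stack.pop()                          # leave the table
    return profiles

def audit_unknown_message_action(profiles):
    """Return (profile, value) for each profile that does not explicitly set
    unknown-message-action to deny; the page says messages default to Allow."""
    findings = []
    for name, settings in profiles.items():
        action = settings.get("message-filter.unknown-message-action")
        if action != "deny":
            findings.append((name, action or "unset (default Allow)"))
    return findings
```

Run it against the output of show firewall gtp from the unit; an empty result means every profile denies unknown message types.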


Message Type Fields

Each of the following message types can be allowed or denied by your Carrier-enabled FortiGate unit depending on your carrier network and GTP traffic.


Unknown Message Action

Set this message type to Deny.

Many attempts to attack a carrier network produce messages of this unknown type, so it is denied for security reasons.


Path Management Messages

Message Type: Echo Request/Response
Used by: GTP-C, GTP-U, GTP'
Description: Echo Request is sent on a path to another GSN to determine whether the other node is alive. Echo Response is the reply.

Message Type: Version Not Supported
Used by: GTP-C, GTP-U, GTP'
Description: There are multiple versions of GTP. Both communicating devices must use the same version of GTP, or this message will be the response.

Message Type: Supported Extension Headers Notification
Description: Extension headers are optional parts that a device can choose to support or not. If a device includes these extensions, it must include headers for the extensions to ensure proper formatting.
