FortiOS Carrier (5.6.1)
New FortiOS Carrier features added to FortiOS 5.6.1.
GTP enhancement and GTP Performance Improvement. (423332)
The GTP changes in 5.6.1 take place in the following categories:

New GTP features and functionality enhancements:
- GTP message filter enhancements, including:
  - unknown message white list
  - GTPv1 and GTPv2 profile separation
  - message adoption
- GTP IE white list.
- Global APN rate limit, including:
  - sending back a REJECT message with a back-off timer
  - "APN congestion" cause value
- GTP half-open and half-close configurable timers.
GTP performance improvements:
- Implemented RCU on the GTP-U running path, i.e. no locking is needed to look up tunnel state when processing GTP-U.
  Note: RCU is only applied to GTPv1 and GTPv2 tunnels. It is not used for GTPv0 tunnels, because (1) GTPv0 traffic is relatively minor compared with GTPv1 and GTPv2, and (2) GTPv0 tunnel indexing is completely different from GTPv1 and GTPv2: a GTPv0 tunnel is indexed by [IMSI, NSAPI], while GTPv1 and GTPv2 tunnels are indexed by [IP, TEID].
- Localized CPU memory usage on the GTP-U running path.
- GTP-C: changed some GTP tables from RB tree to hash table, including the GTP request tables and the GTPv0 tunnel tables. Testing showed that, when handling millions of entries being added and deleted, hash table performance was much better.
- The hash table is compatible with the RCU API, so RCU can be applied to these GTP-C tables later for further performance improvements.
- GTP-C: improved the GTP path management logic, so that a GTP path times out sooner when there are no tunnels linked to it.
New diagnose commands under diagnose firewall gtp:

| Command | Description |
|---|---|
| hash-stat-tunnel | GTP tunnel hash statistics. |
| hash-stat-v0tunnel | GTPv0 tunnel hash statistics. |
| hash-stat-path | GTP path hash statistics. |
| hash-stat-req | GTP request hash statistics. |
| vd-apn-shaper | APN shaper on VDOM level. |
| ie-white-list-v0v1 | IE white list for GTPv0 or v1. |
| ie-white-list-v2 | IE white list for GTPv2. |

For example:

    diagnose firewall gtp vd-apn-shaper
    diagnose firewall gtp ie-white-list-v0v1
    diagnose firewall gtp ie-white-list-v2
config gtp apn-shaper

| Field | Description |
|---|---|
| apn | APN to match. Leave empty to match ANY. |
| rate-limit | Rate limit in packets/s (0 - 1000000, 0 means unlimited). |
| action | Action: drop or reject. |
| back-off-time | Back-off time in seconds (10 - 360). Visible only when action is reject. |

Notes:
- The apn field can be empty, in which case the entry matches ANY APN. When configured this way, it sets the limit for any APN that is not explicitly listed. Such an entry should be the last entry, because the list is evaluated as a first-match rule.
- There is no back-off timer in GTPv0, therefore the reject action is not available for GTPv0.
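The following Python model, added here as an illustration and not part of FortiOS or this release note, shows the apn-shaper semantics described above: entries are evaluated first-match, an empty apn is a wildcard that must therefore sit last, and an over-limit message is either dropped or rejected with a back-off time. The token-bucket implementation, the class and function names, and the sample APNs are assumptions; it models GTPv1/v2, where both actions exist.

```python
"""Per-APN GTP-C rate limiter modelled on the apn-shaper semantics above
(first-match entry list, empty apn as wildcard, drop or reject with a
back-off time). Constructed illustration: names and the token-bucket
implementation are assumptions, not FortiOS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ApnShaperEntry:
    apn: str                  # "" matches ANY APN (wildcard)
    rate_limit: int           # packets per second, 0 = unlimited
    action: str = "drop"      # "drop" or "reject"
    back_off_time: int = 10   # seconds (10-360); only used by reject

    def __post_init__(self) -> None:
        if self.action not in ("drop", "reject"):
            raise ValueError("action must be drop or reject")
        if not 0 <= self.rate_limit <= 1_000_000:
            raise ValueError("rate-limit must be 0-1000000")
        if self.action == "reject" and not 10 <= self.back_off_time <= 360:
            raise ValueError("back-off-time must be 10-360 seconds")


@dataclass
class Verdict:
    action: str                          # "accept", "drop" or "reject"
    back_off_time: Optional[int] = None  # set on reject: peer should wait this long


def unreachable_entries(entries: List[ApnShaperEntry]) -> List[int]:
    """Indexes of entries that can never match because a wildcard entry
    precedes them (the reason the empty-apn entry must be listed last)."""
    for idx, entry in enumerate(entries):
        if entry.apn == "":
            return list(range(idx + 1, len(entries)))
    return []


class ApnShaper:
    def __init__(self, entries: List[ApnShaperEntry]) -> None:
        self.entries = list(entries)
        # One token bucket per entry index: (tokens, last_refill_timestamp).
        self._buckets: dict = {}

    def _match(self, apn: str) -> Tuple[Optional[int], Optional[ApnShaperEntry]]:
        for idx, entry in enumerate(self.entries):   # first match wins
            if entry.apn == "" or entry.apn == apn:
                return idx, entry
        return None, None

    def check(self, apn: str, now: float) -> Verdict:
        """Decide the fate of one GTP-C message for `apn` arriving at time `now`."""
        idx, entry = self._match(apn)
        if entry is None or entry.rate_limit == 0:
            return Verdict("accept")
        tokens, last = self._buckets.get(idx, (float(entry.rate_limit), now))
        # Refill at rate_limit tokens/s, capped at one second's worth of burst.
        tokens = min(float(entry.rate_limit), tokens + (now - last) * entry.rate_limit)
        if tokens >= 1.0:
            self._buckets[idx] = (tokens - 1.0, now)
            return Verdict("accept")
        self._buckets[idx] = (tokens, now)
        if entry.action == "reject":
            # GTPv1/v2 only: GTPv0 has no back-off timer, so reject is not available there.
            return Verdict("reject", entry.back_off_time)
        return Verdict("drop")


def demo() -> dict:
    """Two entries: a limit for 'internet' that rejects with a 30 s back-off,
    and a wildcard catch-all listed last that silently drops (constructed data)."""
    shaper = ApnShaper([
        ApnShaperEntry("internet", rate_limit=5, action="reject", back_off_time=30),
        ApnShaperEntry("", rate_limit=2, action="drop"),
    ])
    out = {
        "internet": [shaper.check("internet", 0.0) for _ in range(8)],
        "ims": [shaper.check("ims", 0.0) for _ in range(4)],
    }
    out["internet_after_1s"] = shaper.check("internet", 1.0)
    return out


if __name__ == "__main__":
    for apn, verdicts in demo().items():
        print(apn, verdicts)
```

Running demo() shows the first five "internet" messages in a burst accepted and the next three rejected with back-off-time 30, the unlisted "ims" APN falling through to the wildcard entry (two accepted, two dropped), and the bucket refilled one second later; unreachable_entries() flags any entry placed after the wildcard, which the configuration note above warns against.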
Under config firewall gtp, config message-filter is replaced by set message-filter-v0v1:

    config firewall gtp
        edit <name>
            set message-filter-v0v1
New fields have been added to the config firewall gtp command context:

| Field | Description |
|---|---|
| half-open-timeout | Half-open tunnel timeout (in seconds). |
| half-close-timeout | Half-close tunnel timeout (in seconds). |

    config firewall gtp
        edit <name>
            set half-open-timeout 10
            set half-close-timeout 10

Models affected by change
- FortiGate 3700D
- FortiGate 3700DX
- FortiGate 3800D
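To show why the half-open-timeout and half-close-timeout fields and the improved path management matter for state exhaustion, here is a Python tracker added as an illustration (not FortiOS code): a tunnel that receives a create request but no response, or a delete request but no response, is torn down once its timer elapses, and a path with no linked tunnels is expired on an idle timer. The GTPv1/v2 tunnels are keyed by [IP, TEID] as the performance notes above state; the state names, the path idle timeout of 60 s, and the addresses are assumptions.

```python
"""GTP-C tunnel and path tracker, added to illustrate the half-open /
half-close timeouts and the path-management change described above.
Constructed illustration: the state names and the path idle timeout are
assumptions, not FortiOS internals."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HALF_OPEN = "half-open"      # create request seen, no response yet
OPEN = "open"                # create response accepted
HALF_CLOSE = "half-close"    # delete request seen, no response yet

Path = Tuple[str, str]       # (local_ip, peer_ip) carrying the control plane
TunnelKey = Tuple[str, int]  # (IP, TEID): the GTPv1/v2 tunnel index


@dataclass
class Tunnel:
    state: str
    since: float   # time of the last state change
    path: Path


class GtpTracker:
    def __init__(self, half_open_timeout: int = 10, half_close_timeout: int = 10,
                 path_idle_timeout: int = 60) -> None:
        self.half_open_timeout = half_open_timeout
        self.half_close_timeout = half_close_timeout
        self.path_idle_timeout = path_idle_timeout   # assumed idle limit for unlinked paths
        self.tunnels: Dict[TunnelKey, Tunnel] = {}
        self.paths: Dict[Path, float] = {}           # path -> last activity time

    def create_request(self, ip: str, teid: int, path: Path, now: float) -> None:
        self.tunnels[(ip, teid)] = Tunnel(HALF_OPEN, now, path)
        self.paths[path] = now

    def create_response(self, ip: str, teid: int, now: float, accepted: bool = True) -> bool:
        tunnel = self.tunnels.get((ip, teid))
        if tunnel is None or tunnel.state != HALF_OPEN:
            return False     # unsolicited response: never creates tunnel state
        if accepted:
            tunnel.state, tunnel.since = OPEN, now
        else:
            del self.tunnels[(ip, teid)]
        self.paths[tunnel.path] = now
        return True

    def delete_request(self, ip: str, teid: int, now: float) -> bool:
        tunnel = self.tunnels.get((ip, teid))
        if tunnel is None or tunnel.state != OPEN:
            return False
        tunnel.state, tunnel.since = HALF_CLOSE, now
        self.paths[tunnel.path] = now
        return True

    def delete_response(self, ip: str, teid: int, now: float) -> bool:
        tunnel = self.tunnels.get((ip, teid))
        if tunnel is None or tunnel.state != HALF_CLOSE:
            return False
        self.paths[tunnel.path] = now
        del self.tunnels[(ip, teid)]
        return True

    def expire(self, now: float) -> Tuple[List[TunnelKey], List[Path]]:
        """Remove tunnels stuck half-open/half-close past their timers, then
        paths with no linked tunnel that have been idle past path_idle_timeout."""
        stale: List[TunnelKey] = []
        for key, tunnel in self.tunnels.items():
            limit: Optional[int] = None
            if tunnel.state == HALF_OPEN:
                limit = self.half_open_timeout
            elif tunnel.state == HALF_CLOSE:
                limit = self.half_close_timeout
            if limit is not None and now - tunnel.since >= limit:
                stale.append(key)
        for key in stale:
            del self.tunnels[key]
        linked = {t.path for t in self.tunnels.values()}
        idle = [p for p, last in self.paths.items()
                if p not in linked and now - last >= self.path_idle_timeout]
        for p in idle:
            del self.paths[p]
        return stale, idle


def demo() -> dict:
    """Walk two tunnels on one path through the timers (constructed addresses)."""
    tr = GtpTracker(half_open_timeout=10, half_close_timeout=10, path_idle_timeout=60)
    peer, path = "198.51.100.7", ("192.0.2.1", "198.51.100.7")
    tr.create_request(peer, 0x1001, path, now=0.0)
    tr.create_request(peer, 0x1002, path, now=0.0)
    tr.create_response(peer, 0x1001, now=1.0)      # 0x1001 opens, 0x1002 stays half-open
    out = {"t10": tr.expire(now=10.0)}             # 0x1002 hits the half-open timeout
    tr.delete_request(peer, 0x1001, now=12.0)      # 0x1001 becomes half-close
    out["t22"] = tr.expire(now=22.0)               # half-close timeout; path still within idle limit
    out["t72"] = tr.expire(now=72.0)               # no linked tunnels for 60 s: path is removed
    out["stray"] = tr.create_response(peer, 0x2000, now=73.0)   # response with no request
    return out


if __name__ == "__main__":
    print(demo())
```

The two timers bound how long an unanswered create or delete can hold a tunnel entry, and the path entry is only considered for expiry once no tunnel references it, which is the behaviour the "times out sooner when there are no tunnels linked" note describes; a response that matches no pending request creates no state at all.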