FortiOS Carrier supports a number of filtering methods based on subscriber identity such as APN filtering, IMSI filtering, and advanced filtering.
This section includes:
The International Mobile Subscriber Identity (IMSI) number is central to identifying users on a carrier network. It is a unique number that is assigned to a cell phone or mobile device to identify it on the GMS or UTMS network.
Typical the IMSI number is stored on the SIM card of the mobile device and is sent to the network as required.
An IMSI number is 15 digits long, and includes the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Station Identification Number (MSIN).
The Home Network Identity (HNI) is made up of the MCC and MNC. The HNI is used to fully identify a user’s home network. This is important because some large countries have more than one country code for a single carrier. For example a customer with a mobile carrier on the East Coast of the United States would have a different MCC than a customer on the West Coast with the same carrier because even through the MNC would be the same the MCC would be different — the United States uses MCCs 310 to 316 due to its size.
If an IMSI number is not from the local carrier’s network, IMSI analysis is performed to resolve the number into a Global Title which is used to access the user’s information remotely on their home carrier’s network for things like billing and international roaming.
IMSI focuses on the user, their location, and carrier network. There are other numbers used to identify different user related Information Elements (IE).
These identity and location based elements include:
- Access Point Number (APN)
- Mobile Subscriber Integrated Services Digital Network (MSISDN)
- Radio Access Technology (RAT) type
- User Location Information (ULI)
- Routing Area Identifier (RAI)
- International Mobile Equipment Identity (IMEI)
The Access Point Number (APN) is used in GPRS networks to identify an IP packet data network that a user wants to communicate with. The Network Identifier describes the network and optionally the service on that network that the GGSN is connected to. The APN also includes the MCC and MCN, which together locate the network the GGSN belongs to. An example of an APN in the Barbados using Digicel as the carrier that is connecting to the Internet is
When you are configuring your Carrier-enabled FortiGate unit’s GTP profiles, you must first configure the APN. It is critical to GTP communications and without it no traffic will flow.
The access point can then be used in a DNS query to a private DNS network. This process (called APN resolution) gives the IP address of the GGSN which serves the access point. At this point a PDP context can be activated.
This is a 15-digit number that, along with the IMSI, uniquely identifies a mobile user. Normally this number includes a 2-digit country code, a 3-digit national destination code, and a 10-digit subscriber number or the phone number of the mobile device, and because of that may change over time if the user changes their phone number. The MSISDN number follows the ITU-T E.164 numbering plan.
The RAT type represents the radio technology used by the mobile device. This can be useful in determining what services or content can be sent to a specific mobile device. FortiOS Carrier supports:
- UMTS Terrestrial Radio Access Network (UTRAN), commonly referred to as 3G, routes many types of traffic including IP traffic. This is one of the faster types.
- GSM EDGE Radio Access Network (GERAN) is a key part of the GSM network which routes both phone calls and data.
- Wireless LAN (WLAN) is used but not as widely as the other types. It is possible for the mobile device to move from one WLAN to another such as from an internal WLAN to a commercial hot spot.
- Generic Access Network (GAN) can also be called unlicensed mobile access (UMA). It routes voice, data, and SIP over IP networks. GAN is commonly used for mobile devices that have a dual-mode and can hand-off between GSM and WLANs.
- High Speed Packet Access (HSPA) includes two other protocols High Speed Downlink and Uplink Packet Access protocols (HSDPA and HSUPA respectively). It improves on the older WCDMA protocols by better using the radio bandwidth between the mobile device and the radio tower. This results in an increased data transfer rate for the user.
RAT type is part of advanced filtering configuration. See Configuring advanced filtering in FortiOS Carrier.
Gives Cell Global Identity/Service Area Identity (CGI/SAI) of where the mobile station is currently located. The ULI and the RAI are commonly used together to identify the location of the mobile device.
ULI is part of advanced filtering configuration. See Configuring advanced filtering in FortiOS Carrier.
Routing Areas (RAs) divide the carrier network and each has its own identifier (RAI). When a mobile device moves from one routing area to another, the connection is handled by a different part of the network. There are normally multiple cells in a routing area. There is only one SSGN per routing area. The RAI and ULI are commonly used to determine a user’s location.
RAI is part of advanced filtering configuration. See Configuring advanced filtering in FortiOS Carrier.
IMEI is a unique 15-digit number used to identify mobile devices on mobile networks. It is very much like the MAC address of a TCP/IP network card for a computer. It can be used to prevent network access by a stolen phone — the carrier knows the mobile phone’s IMEI, and when it is reported stolen that IMEI is blocked from accessing the carrier network no matter if it has the same SIM card as before or not. It is important to note that the IMEI stays with the mobile phone or device where the other information is either location based or stored on the removable SIM card.
IMEI type is part of advanced filtering configuration. See Configuring advanced filtering in FortiOS Carrier.
At first glance APN, IMSI, and advanced filtering have parts in common. For example two can filter on APN, and another two can filter on IMSI. The difficulty is knowing when to use which type of filtering.
|Filtering type||Filter on the following data:||When to use this type of filtering|
|APN||APN||Filter based on GTP tunnel start or destination|
|IMSI||IMSI, MCC-MNC||Filter based on subscriber information|
|Advanced||PDP context, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI||When you want to filter based on:
• user phone number (MSISDN)
• what wireless technology the user employed • to get on the network (RAT type)
• user location (ULI and RAI)
• handset ID, such as for stolen phones (IMEI)
APN filtering is very specific — the only identifying information that is used to filter is the APN itself. This will always be present in GTP tunnel traffic, so all GTP traffic can be filtered using this value.
IMSI filtering can use a combination of the APN and MCC-MNC numbers. The MCC and MNC are part of the APN, however filtering on MCC-MNC separately allows you to filter based on country and carrier instead of just the destination of the GTP Tunnel.
Advanced filtering can go into much deeper detail covering PDP contexts, MSISDN, IMEI, and more not to mention APN, and IMSI as well. If you can’t find the information in APN or IMSI that you need to filter on, then use Advanced filtering.
To configure APN filtering go to Security Profiles > GTP Profile. Select a profile or create a new one, and expand APN filtering.
|When you are configuring your Carrier-enabled FortiGate unit’s GTP profiles, you must first configure the APN. It is critical to GTP communications and without it no traffic will flow.|
|Enable APN Filter||Select to enable filtering based on APN value.|
|Default APN Action||Select either Allow or Deny for all APNs that are not found in the list. The default is Allow.|
|Value||Displays the APN value for this entry. Partial matches are allowed using wildcard. For example
|Mode||Select one or more of the methods used to obtain APN values.
Mobile Station provided - The APN comes from the mobile station where the mobile device connected. This is the point of entry into the carrier network for the user’s connection.
Network provided - The APN comes from the carrier network.
Subscription Verified - The user’s subscription has been verified for this APN. This is the most secure option.
|Action||One of allow or deny to allow or block traffic associated with this APN.|
|Delete icon||Select to remove this APN entry from the list.|
|Edit icon||Select to change the information for this APN entry.|
|Add APN||Select to add an APN to the list. Not active while creating GTP profile, only when editing an existing GTP profile.
Save all changes before adding APNs. A warning to this effect will be displayed when you select the Add APN button.
The Add APN button is not activated until you save the new GTP profile. When you edit that GTP profile, you will be able to add new APNs.
In many ways the IMSI on a GPRS network is similar to an IP address on a TCP/IP network. Different parts of the number provide different pieces of information. This concept is used in IMSI filtering on FortiOS Carrier.
To configure IMSI filtering go to Security Profiles > GTP Profile and expand IMSI filtering.
While both the APN and MCC-MCN fields are optional, without using one of these fields the IMSI entry will not be useful as there is no information for the filter to match.
|Enable IMSI Filter||Select to turn on IMSI filtering.|
|Default IMSI Action||Select Allow or Deny. This action will be applied to all IMSI numbers except as indicated in the IMSI list that is displayed.
The default value is Allow.
|APN||The Access Point Number (APN) to filter on.
This field is optional.
|MCC-MNC||The Mobile Country Code (MCC) and Mobile Network Code (MNC) to filter on. Together these numbers uniquely identify the carrier and network of the GGSN being used.
This field is optional.
|Mode||Select the source of the IMSI information as one or more of the following:
Mobile Station provided - the IMSI number comes from the mobile station the mobile device is connecting to.
Network provided - the IMSI number comes from the GPRS network which could be a number of sources such as the SGSN, or HLR.
Subscription Verified - the IMSI number comes from the user’s home network which has verified the information.
While Subscription Verified is the most secure option, it may not always be available. Selecting all three options will ensure the most complete coverage.
|Action||Select the action to take when this IMSI information is encountered. Select one of Allow or Deny.|
|Delete Icon||Select the delete icon to remove this IMSI entry.|
|Edit Icon||Select the edit icon to change information for this IMSI entry.|
|Add IMSI||Select to add an IMSI to the list. Not active while creating GTP profile, only when editing an existing GTP profile.
Save all changes before adding IMSIs. A warning to this effect will be displayed when you select the Add IMSI button.
Compared to ADN or IMSI filtering, advanced filtering is well named. Advanced filtering can be viewed as a catch-all filtering option — if ADN or IMSI filtering doesn’t do what you want, then advanced filtering will. The advanced filtering can use more information elements to provide considerably more granularity for your filtering.
|Enable||Select to turn on advanced filtering.|
|Default Action||Select Allow or Deny as the default action to take when traffic does not match an entry in the advanced filter list .|
|Messages||Optionally select one or more types of messages this filter applies to:
Create PDP Context Request, Create PDP Context Response, Update PDP Context Request, or Update PDP Context Response.
Selecting Create PDP Context Response or Update PDP Context Response limits RAT type to only GAN and HSPA, and disables the APN, APN Mode, IMSI, MSISDN, ULI, RAI, and IMEI fields.
To select Update PDP Context Request, APN Restriction must be set to all. Selecting Update PDP Context Request disables the APN, MSISDN, and IMEI fields.
if all message types are selected, only the RAT Types of GAN and HSPA are available to select.
|APN Restriction||APN Restriction either allows all APNs or restricts the APNs to one of four categories — Public-1, Public-2, Private-1, or Private-2. This can also be combined with a specific APN or partial APN as well as specifying the APN mode.|
|RAT Type||Select one or more of the Radio Access Technology Types listed. These fields control how a user accesses the carrier’s network. You can select one or more of UTRAN, GERAN, WLAN, GAN, HSPA, or any.|
|ULI||The user location identifier. Often the ULI is used with the RAI to locate a user geographically on the carrier’s network.
The ULI is disabled when Create PDP Context Response or Update PDP Context Response messages are selected.
|RAI||The router area identifier. There is only one SGSN per routing area on a carrier network. This is often used with ULI to locate a user geographically on a carrier network.
The RAI is disabled when Create PDP Context Response or Update PDP Context Response messages are selected.
|IMEI||The International Mobile Equipment Identity. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.
The IMEI is only available when Create PDP Context Request or no messages are selected.
|Action||Select Allow or Deny as the action when this filter matches traffic.
The default is Allow.
|Delete Icon||Select to delete this entry from the list.|
|Edit Icon||Select to edit this entry.|
|Add||Select to add an advanced filter to the list. Not active while creating GTP profile, only when editing an existing GTP profile.
Save all changes before adding advanced filters. A warning to this effect will be displayed when you select the Add button.