FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 7 - FortiOS Carrier > Carrier web-based manager settings

Carrier web-based manager settings

The Carrier menu provides settings for configuring FortiOS Carrier features within the Security Profiles menu. These features include MMS and GTP profiles.

In Security Profiles > Carrier, you can configure profiles and settings for MMS and GTP. In the Carrier menu, you can configure an MMS profile and then apply it to a security policy. You can also configure GTP profiles and apply those to security policies as well.

This topic includes the following:

MMS profiles

Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

note icon If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.

MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.

The MMS Profile page contains options for each of the following:

  • MMS scanning
  • MMS Bulk Email Filtering Detection
  • MMS Address Translation
  • MMS Notifications
  • DLP Archive
  • Logging

MMS profile configuration settings

The following are MMS profile configuration settings in Security Profiles > MMS Profile.

MMS Profile page

Lists each individual MMS profile that you created. On this page, you can edit, delete or create an MMS profile.
Create New Creates a new MMS profile. When you select Create New, you are automatically redirected to the New MMS Profile page.
Edit Modifies settings within an MMS profile. When you select Edit, you are automatically redirected to the Edit MMS Profile.
Delete Removes an MMS profile from the list on the MMS Profile page.

To remove multiple MMS profiles from within the list, on the MMS Profile page, in each of the rows of the profiles you want removed, select the check box and then select Delete.

To remove all MMS profiles from the list, on the MMS Profile page, select the check box in the check box column, and then select Delete.
Name The name of the MMS profile.
Ref. Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus), 1 appears in Ref. .

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window:

View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.
New MMS Profile page

Provides settings for configuring an MMS profile. This page also provides settings for configuring DLP archives and logging.
Profile Name Enter a name for the profile.
Comments Enter a description about the profile. This is optional.
MMS Scanning Configure MMS Scanning options.
MMS Bulk Email Filtering Detection Configure MMS Bulk Email options.
MMS Address Translation Configure MMS Address Translation options.
MMS Notifications Configure MMS Notification options.
DLP Archive Configure DLP archive option.
Logging Configure logging options.

MMS scanning options

You can configure MMS scanning protection profile options to apply virus scanning, file filtering, content filtering, carrier endpoint blocking, and other scanning to MMS messages transmitted using the MM1, MM3, MM4 and MM7 protocols.

The following are the MMS Scanning options that are available within an MMS profile. You can create an MMS profile in Security Profiles > MMS Profile or edit an existing one. You must expand MMS Scanning to access the following options.

MMS Scanning section of the New MMS Profile page
Monitor Only Select to cause the unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.

Tip: Select Remove Blocked if you want the unit to actually remove content intercepted by MMS scanning options.
Virus Scan Select to scan attachments in MMS traffic for viruses.

Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configuration also applies to MM1 and MM7 scanning.

MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configuration also applies to MM3 and MM4 scanning.
Scan MM1 message retrieval Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.
Quarantine Select to quarantine the selected MMS traffic
Remove Blocked Select to remove blocked content from each protocol and replace it with the replacement message.

Select Constant if the unit is to preserve the length of the message when removing blocked content, as may occur when billing is affected by the length of the message.

Tip: If you only want to monitor blocked content, select Monitor Only.
Content Filter Select to filter messages based on matching the content of the message with the words or patterns in the selected web content filter list.

For information about adding a web content filter list, see the FortiGate CLI Reference.
Carrier Endpoint Block Select to add Carrier Endpoint Filtering in this MMS profile. Select the carrier endpoint filter list to apply it to the profile.
MMS Content Checksum Select to add MMS Content Checksum in this MMS profile. Select the MMS content checksum list to apply it to the profile.
Pass Fragmented Messages Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 message are blocked.
Comfort Clients Select client comforting for MM1 and MM7 sessions.

Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.
Comfort Servers Select server comforting for each protocol.

Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for the unit to buffer and scan large POST requests from slow clients.
  Interval (1-900 seconds) Enter the time in seconds before client and server comforting starts after the download has begun, and the time between sending subsequent data.
  Amount (1-10240 bytes) The number of bytes sent by client or server comforting at each interval.
Oversized MMS Message Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.

The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.
  Threshold (1KB - 800 MB) Enter the oversized file threshold and select KB or MB. If a file is larger than the threshold the file is passed or blocked depending on the Oversized MMS Message setting. The web-based manager displays the allowed threshold range. The threshold maximum is 10% of the unit’s RAM.

MMS bulk email filtering options

You can use the MMS bulk email filtering options to detect and filter MM1 and MM4 message floods and duplicate messages. You can configure three thresholds that define a flood of message activity and three thresholds that define excessive duplicate messages. The configuration of each threshold includes the response actions for the threshold.

The configurable thresholds for each of the flood and duplicate sensors and must be enabled in sequence. For example, you can enable Flood Threshold 1 and Flood Threshold 2, but you cannot disable Flood Threshold 1 and enable Flood Threshold 2.

You can also add MSISDN to the bulk email filtering configuration and select a subset of the bulk email filtering options to applied to these individual MSISDNs.

You must first select MM1 and/or MM4 to detect excessive message duplicates. If excessive message duplicates are detected, the unit will perform the Duplicate Message Action for the specified duration.

You can configure three duplicate message thresholds and enable them with separate values and actions. They are labeled Duplicate Threshold 1 through 3 and must be enabled in sequence. For example, you can enable Duplicate Threshold 1 and Duplicate Threshold 2, but you cannot disable Duplicate Threshold 1 and enable Duplicate Threshold 2.

When traffic accepted by a security policy that contains an MMS profile with duplicate message configured receives MM1 or MM4 duplicate messages that match a threshold configured in the MMS protection profile, the unit performs the duplicate message action configured for the matching threshold.

You can configure three message flood thresholds and enable them with separate values and actions. They are labeled Flood Threshold 1 through 3 and must be enabled in sequence. For example, you can enable Flood Threshold 1 and Flood Threshold 2, but you cannot disable Flood Threshold 1 and enable Flood Threshold 2.

When traffic accepted by a security policy that contains an MMS protection profile with message flooding configured experiences MM1 or MM4 message flooding that matches a threshold configured in the MMS profile, the unit performs the message flood action configured for the matching threshold.

MMS Bulk Email Filtering Detection

This section of the New MMS Profile page contains numerous sections where you can configure specific settings for flood threshold, duplicate threshold and recipient MSISDNs.
Message Flood

The message flood settings for each flood threshold. Expand each to configure settings for a threshold.
Flood Threshold 1 Expand to reveal the flood threshold settings for Flood Threshold 1. The settings for Flood Threshold 1 are the same for Flood Threshold 2 and 3.
  Enable Select to apply Flood Threshold 1 to the MSISDN exception.
  Message Flood Window Enter the period of time during which a message flood will be detected if the Message Flood Limit is exceeded. The message flood window can be 1 to 2880 minutes (48 hours).
  Message Flood Limit Enter the number of messages which signifies a message flood if exceeded within the Message Flood Window.
  Message Flood Block Time Enter the amount of time during which the unit performs the Message Flood Action after a message flood is detected.
  Message Flood Action Select one or more actions that the unit is to perform when a message flood is detected.
Flood Threshold 2

Flood Threshold 3
Expand to configure settings for Flood Threshold 2 or 3 respectively.
Duplicate Message

The duplicate message threshold settings. Expand each to configure settings for a threshold.
MM1 Retrieve Duplicate Enable Select to scan MM1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
  Enable Select to enable the selected duplicate message threshold and to make the rest of the options available for configuration.
  Duplicate Message Window Enter the period of time during which excessive message duplicates will be detected if the Duplicate message Limit it exceeded. The duplicate message window can be 1 to 2880 minutes (48 hours).
  Duplicate Message Limit Enter the number of messages which signifies excessive message duplicates if exceeded within the Duplicate Message Window.
  Duplicate Message Block Time Enter the amount of time during which the unit will perform the Duplicate Message Action after a message flood is detected.
  Duplicate Message Action Select one or more actions that the unit is to perform when excessive message duplication is detected.
Duplicate Threshold 2

Duplicate Threshold 3
Expand to configure settings for Duplicate Threshold 2 or 3 respectively.
Recipient MSISDN

The recipient Mobile Subscriber Integrated Services Digital Network Number (MSISDN) settings for each recipient MSISDN. When you select Create New, you are automatically redirected to the New MSISDN page.

You need to save the profile before you can add MSISDNs.
Recipient MSISDN The recipient MSISDN.
Flood Threshold 1 Check to enable Flood Threshold 1 settings for this MSISDN.
Flood Threshold 2 ICheck to enable Flood Threshold 2 settings for this MSISDN..
Flood Threshold 3 ICheck to enable Flood Threshold 3 settings for this MSISDN..
Duplicate Threshold 1 Check to enable Duplicate Threshold 1 settings for this MSISDN..
Duplicate Threshold 2 Check to enable Duplicate Threshold 2 settings for this MSISDN..
Duplicate Threshold 3 Check to enable Duplicate Threshold 3 settings for this MSISDN..
Edit Modifies the settings of a Recipient MSISDN in the Recipient MSISDN list. When you select Edit, you are automatically redirected to the New MSISDN page.
Delete Removes a Recipient MSISDN in the Recipient MSISDN list within the Recipient MSISDN section of the page.
New MSISDN page
Create New Creates a new Recipient MSISDN. When you select Create New, you are automatically redirected to the New MSISDN page.
Recipient MSISDN Enter a name for the recipient MSISDN.
Flood Threshold 1 Select to apply Flood Threshold 1 to the MSISDN exception.
Flood Threshold 2 Select to apply Flood Threshold 2 to the MSISDN exception.
Flood Threshold 3 Select to apply Flood Threshold 3 to the MSISDN exception.
Duplicate Threshold 1 Select to apply Duplicate Threshold 1 to the MSISDN exception.
Duplicate Threshold 2 Select to apply Duplicate Threshold 2 to the MSISDN exception.
Duplicate Threshold 3 Select to apply Duplicate Threshold 3 to the MSISDN exception.

MMS Address Translation options

The sender’s carrier endpoint is used to provide logging and reporting details to the mobile operator and to identify the sender of infected content.

When MMS messages are transmitted, the From field may or may not contain the sender's address. When the address is not included, the sender information will not be present in the logs and the unit will not be able to notify the user if the message is blocked unless the sender's address is made available elsewhere in the request.

The unit can extract the sender's address from an extended HTTP header field in the HTTP request. This field must be added to the HTTP request before it is received by the unit. If this field is present, it will be used instead of the sender's address in the MMS message for logging and notification. If this header field is present when a message is retrieved, it will be used instead of the To address in the message. If this header field is not present the content of the To header field is used instead.

Alternatively, the unit can extract the sender’s address from a cookie.

You can configure MMS address translation to extract the sender’s carrier endpoint so that it can be added to log and notification messages. You can configure MMS address translation settings to extract carrier endpoints from HTTP header fields or from cookies. You can also configure MMS address translation to add an endpoint prefix to the extracted carrier endpoints. For more information, see Dynamic Profiles and Endpoints in the Authentication guide.

MMS Address Translation
Sender Address Source Select to extract the sender’s address from the HTTP Header Field or a Cookie. You must also specify the identifier that contains the carrier endpoint.
Sender Address Identifier Enter the sender address identifier that includes the carrier endpoint. The default identifier is x-up-calling-line-id.

If the Sender Address Source is HTTP Header Field, the address and its identifier in the HTTP request header takes the format:

<Sender Address Identifier>: <MSISDN_value>

Where the <MSISDN_value> is the carrier endpoint. For example, the HTTP header might contain:

x-up-calling-line-id: 6044301297

where x-up-calling-line-id would be the Sender Address Identifier.

If the Sender Address Source is Cookie, the address and its identifier in the HTTP request header’s Cookie field takes the format of attribute-value pairs:

Cookie: id=<cookie-id>;

<Sender Address Identifier>=<MSISDN Value>

For example, the HTTP request headers might contain:

Cookie: id=0123jf!a;x-up-calling-line-id=6044301297

where x-up-calling-line-id would be the Sender Address Identifier.
Convert Sender Address From / To HEX Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
Add Carrier Endpoint Prefix for Logging / Notification Select the following to enable adding endpoint prefixes for logging and notification.
  Enable Select to enable adding the country code to the extracted carrier endpoint, such as the MSISDN, for logging and notification purposes. You can limit the number length for the test numbers used for internal monitoring without a country code.
  Prefix Enter a carrier endpoint prefix to be added to all carrier endpoints. Use the prefix to add extra information to the carrier endpoint in the log entry.
  Minimum Length Enter the minimum length of the country code information being added. If this and Maximum Length are set to zero (0), length is not limited.
  Maximum Length Enter the maximum length of the country code information being added. If this and Minimum Length are set to zero (0), length is not limited.

MMS Notifications

MMS notifications are messages that a unit sends when an MMS profile matches content in an MM1, MM3, MM4 or MM7 session. For example, the MMS profile detects a virus or uses content blocking to block a web page, text message or email. You can send notifications to the sender of the message using same protocol and the addressing headers in the original message. You can also configure MMS notifications to send notification messages to another destination (such as a system administrator) using the MM1, MM3, MM4 or MM7 protocol.

You need to enable one or more Notification Types or you can add an Antivirus Notification List to enable sending notifications,.

You can also use MMS notifications options to configure how often notifications are sent. The unit sends notification messages immediately for the first event, then at a configurable interval if events continue to occur. If the interval does not coincide with the window of time during which notices may be sent, the unit waits to send the notice in the next available window. Subsequent notices contain a count of the number of events that have occurred since the previous notification.

There are separate notifications for each notification type, including virus events. Virus event notifications include the virus name. Up to three viruses are tracked for each user at a time. If a fourth virus is found, one of the existing tracked viruses is removed from the list.

The notifications are MM1 m-send-req messages sent from the unit directly to the MMSC for delivery to the client. The host name of the MMSC, the URL to which m-send-req messages are sent, and the port must be specified.

MMS Notification
Antivirus Notification List Optionally select an antivirus notification list to select a list of virus names to send notifications for. The unit sends a notification message whenever a virus name or prefix in the antivirus notification list matches the name of a virus detected in a session scanned by the MMS protection profile. Select Disabled if you do not want to use a notification list.

Instead of selecting a notification list you can configure the Virus Scan Notification Type to send notifications for all viruses.
Message Protocol In each column, select the protocol used to send notification messages. You can use a different protocol to send the notification message than the protocol on which the violation was sent. The MMS Notifications options change depending on the message protocol that you select.

If you select a different message protocol, you must also enter the User Domain. If selecting MM7 you must also enter the Message Type.
Message Type Select the MM7 message type to use if sending notifications using MM7. Options include deliver.REQ and submit.REQ
Detect Server Details Select to use the information in the headers of the original message to set the address of the notification message. If you do not select this option, you can enter the required addressing information manually.

You cannot select Detect Server Details if you are sending notification messages using a different message protocol.

If you select Detect Server Details, you cannot change the Port where the notification is being sent.
Hostname Enter the FQDN or the IP address of the server where the notifications will be sent.
URL Enter the URL of the server. For example if the notificaiton is going to www.example.com/home/alerts , the URL is /home/alerts.

This option is available only when Message Protocol is mm1 or mm7.
Port Enter the port number of the server.

You cannot change the Port if Detect Server Details is enabled.
Username Enter the user name required for sending messages using this server (optional).

This option is available only when Message Protocol is mm7.
Password Enter the password required for sending messages using this server (optional).

This option is available only when Message Protocol is mm7.
VASP ID Enter the value-added-service-provider (VASP) ID to be used when sending a notification message. If a VAS is not offered by the mobile provider, it is offered by a third party or a VAS provider or content provider (CP).

This option is available only when Message Protocol is mm7.
VAS ID Enter the value-added-service (VAS) ID to be used when sending a notification message. A VAS is generally any service beyond voice calls and fax.

This option is available only when Message Protocol is mm7.
All Notification Types In each column, select notification for all MMS event types for that MMS protocol, then enter the amount of time and select the time unit for notice intervals.

Alternatively, expand All Notification Types, and then select notification for individual MMS event types for each MMS protocol. Then enter the amount of time and select the time unit for notice intervals.

Not all event types are available for all MMS protocols.
  Content Filter In each column, select to notify when messages are blocked by the content filter, then enter the amount of time and select the time unit for notice intervals.
  File Block In each column, select to notify when messages are blocked by file block, then enter the amount of time and select the time unit for notice intervals.
  Carrier Endpoint Block In each column, select to notify when messages are blocked, then enter the amount of time and select the time unit for notice intervals.
  Flood In each column, select to notify when message flood events occur, then enter the amount of time and select the time unit for notice intervals.
  Duplicate In each column, select to notify when duplicate message events occur, then enter the amount of time and select the time unit for notice intervals.
  MMS Content Checksum In each column, select to notify when the content within an MMS message is scanned and banned because of the checksum value that was matched.
  Virus Scan In each column, select to notify when the content within an MMS message is scanned for viruses.
Notifications Per Second Limit For each MMS protocol, enter the number of notifications to send per second. If you enter zero(0), the notification rate is not limited.
Day of Week For each MMS protocol, select the days of the week the unit is allowed to send notifications.
Window Start Time For each MMS protocol, select the time of day to begin the message alert window. By default, the message window starts at 00:00. You can change this if you want to start the message window later in the day. When configured, notification outside this window will not be sent.
Window Duration For each MMS protocol, select the time of day at which to end the message alert window. By default, the message window ends at 00:24. You can change this if you want to end the message window earlier in the day.

When configured, notification outside this window will not be sent

DLP Archive options

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. In addition to the MMS profile’s DLP archive options, you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Profile

The unit only allows one sixteenth of its memory for transferring content archive files. For example, for units with 128MB RAM, only 8MB of memory is used when transferring content archive files. Best practices dictate to not enable full content archiving if antivirus scanning is also configured because of these memory constraints.

DLP Archive
Display DLP meta-information on the system dashboard Select each required protocol to display the content archive summary in the Log and Archive Statistics dashboard widget on the System Dashboard.
Archive to FortiAnalyzer/FortiGuard Select the type of archiving that you want for the protocol (MM1, MM3, MM4, and MM7). You can choose from Full, Summary or None.

None — Do not send content archives.

Summary — Send content archive metadata only. Includes information such as date and time, source and destination, request and response size, and scan result.

Full — Send content archive both metadata and copies of files or messages.

In some cases, FortiOS Carrier may not archive content, or may make only a partial content archive, regardless of your selected option. This behavior varies by prerequisites for each protocol.

This option is available only if a FortiAnalyzer unit or FortiGuard Analysis and Management Service is configured.

Logging

You can enable logging in an MMS profile to write event log messages when the MMS profile options that you have enabled perform an action. For example, if you enable MMS antivirus protection, you could also use the MMS profile logging options to write an event log message every time a virus is detected.

You must first configure how the unit stores log messages so that you can then record these logs messages. For more information, see the FortiOS Handbook Logging and Reporting guide.

Logging
MMS-Antivirus If antivirus settings are enabled for this MMS profile, select the following options to record Antivirus Log messages.
  Viruses Record a log message when this MMS profile detects a virus.
  Blocked Files Record a log message when antivirus file filtering enabled in this MMS profile blocks a file.
  Intercepted Files Record a log message when this MMS profile intercepts a file.
  Oversized Files/Emails Record a log message when this MMS profile encounters an oversized file or email message. Oversized files and email messages cannot be scanned for viruses.
MMS Scanning If MMS scanning settings are enabled for this MMS profile, select the following options to record Email Filter Log messages.
  Notification Messages Select to log the number of MMS notification messages sent.
  Bulk Messages Select to log MMS Bulk AntiSpam events. You must also select which protocols to write log messages for in the MMS bulk email filtering part of the MMS profile.
  Carrier Endpoint Filter Block Select to log MMS carrier endpoint filter events, such as MSISDN filtering.
  MMS Content Checksum Select to log MMS content checksum activity.
  Content Block Select to log content blocking events.

MMS Content Checksum

The MMS Content Checksum menu allows you to configure content checksum lists.

Configure MMS content checksum lists in Security Profiles > MMS Content Checksum using the following table.

MMS Content Checksum

Lists each individual content checksum list that you created. On this page, you can edit, delete or create a content checksum list.
Create New Creates a new MMS content checksum list. When you select Create New, you are automatically redirected to the New List. This page provides a name field and comment field. You must enter a name to go to MMS Content Checksum Settings page.
Edit Modifies settings to a MMS content checksum. When you select Edit, you are automatically redirected to the MMS Content Checksum Settings page.
Delete Removes an MMS content checksum from the page.

To remove multiple content checksum lists from within the list, on the MMS Content Checksum page, in each of the rows of the content checksum lists you want removed, select the check box and then select Delete.

To remove all content checksum lists from list, on the MMS Content Checksum page, select the check box in the check box column and then select Delete.
Name The name of the MMS content checksum list that you created.
# Entries The number of checksums that are included in the content checksum list.
MMS Profiles The MMS profile or profiles that have the MMS content checksum list applied. For example if two different MMS profiles use this content checksum list, they will both be listed here.
Comments A description given to the MMS content checksum.
Ref. Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > AntiVirus > Profiles), 1 appears in Ref. .

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window:

•  View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

•  Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

•  View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.

Notification List

The Notification List menu allows you to configure a list of viruses. This virus list provides a list for scanning viruses in MMS messages. You can use one virus list in multiple MMS profiles, and configure multiple virus lists.

Notification list configuration settings

The following are notification list configuration settings in Security Profiles > Carrier > Notification List.

Notification List

Lists all the notification lists that you created. On this page you can edit, delete or create a new notification list.
Create New Creates a new notification list. When you select Create New, you are automatically redirected to the New List page. You must enter a name to go to the Notification List Settings page.
Edit Modifies settings within the notification list. When you select Edit, you are automatically redirected to the Notification List Settings page.
Delete Removes a notification list from the list on the Notification List page.

To remove multiple notification lists from within the list, on the Notification List page, in each of the rows of the notification lists you want removed, select the check box and then select Delete.

To remove all notification lists from the list, on the Notification List page, select the check box in the check box column and then select Delete.
Name The name of the MMS content checksum list that you created.
# Entries The number of checksums that are included in that content checksum list.
MMS Profiles The MMS profile or profiles that are associated with
Comments A description given to the MMS notification list.
Ref. Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus > Profiles), 1 appears in Ref. .

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window:

•  View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

•  Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

•  View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.
Notification List Settings

Provides settings for configuring a notification list, which is a list of viruses and is used for scanning viruses in MMS messages. This list is called the Antivirus Notification List in an MMS profile.
Name If editing the name of a notification list, enter the new name in this field. You must select OK to save the change.
Comments If you want to enter a comment, enter the comment in the field. You must select OK to save the change.
Create New Creates a notification entry in the list. When you select Create New, you are automatically redirected to the New Entry page.
Edit Modifies settings within a notification list. When you select Edit, you are automatically redirected to the Edit Entry page.
Delete Removes a notification entry from the list on the page.

To remove multiple notification entries from within the list, on the Notification List Settings page, in each of the rows of the entries you want removed, select the check box and then select Delete.

To remove all notification entries from the list, on the Notification List Settings page, select the check box in the check box column and then select Delete.
Enable Enables a notification entry that is disabled.
Disable Disables a notification entry so that it is not active and available for use, but it is not deleted.
Remove All Entries Removes all notification entries that are listed on the Notification List Settings page.
Enable Displays whether or not the checksum is enabled.
Virus Name/Profile The name of the virus that was added to the list.
Entry Type The type of match that will be used to match the virus stated in the notification list to the actual virus that is found.
New Entry page
Virus Name/Profile Enter the virus name.
Entry Type Select the type of match that will be used to match the virus stated in the notification list to the actual virus that is found.
Enable Select to enable the virus in the list.

Message Flood

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse. A message flood occurs when a single subscriber sends a volume of messages that exceed the flood threshold that you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber sent messages are considered, and the length of time the sender is restricted from sending messages after a flood is detected. For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all outgoing messages blocked for 30 minutes.

Action Description
Log Add a log entry indicating that a message flood has occurred. You must also enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection profile.
DLP Archive Save the first message to exceed the flood threshold, or all the messages that exceed the flood threshold, in the DLP archive. DLP archiving flood messages may not always produce useful results. Since different messages can be causing the flood, reviewing the archived messages may not be a good indication of what is causing the problem since the messages could be completely random.
  All messages All the messages that exceed the flood threshold will be saved in the DLP archive.
First message only Save only the first message to exceed the flood threshold in the DLP archive. Other messages in the flood are not saved. For message floods this may not produce much useful information since a legitimate message could trigger the flood threshold.
Intercept Messages that exceed the flood threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message will also quarantined for later examination. If the quarantine of intercepted messages is disabled, the Intercept action has no effect.
Block Messages that exceed the flood threshold are blocked and will not be delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each message will quarantined for later examination.
Alert Notification If the flood threshold is exceeded, the Carrier-enabled FortiGate unit will send an MMS flood notification message.

In the web-based manager when Alert Notification is selected it displays the fields to configure the notification.

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

Message flood configuration settings

The following are message flood configuration settings in Security Profiles > Carrier > Message Flood.

Message Flood

Lists the large amount of messages that are being sent to you from outside sources.
Delete Removes messages from the list.

To remove multiple messages from within the list, on the Message Flood page, in each row of the messages you want removed, select the check box and then select Delete.

To remove all messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Remove All Entries Removes all messages from the list.
Protocol The protocol used.
MMS Profile The MMS profile that is used.
Sender The sender’s email address.
Level The level of severity of the message.
Count The count column can be up or down and these settings can be turned off by selecting beside the column’s name.
Window Size (minutes) The time in minutes.
Timer (minutes:seconds) The time in seconds and in minutes. The timer column can be up or down and these settings turned off by selecting beside the column’s name.
Page Controls Use to navigate through the list.

Duplicate Message

Duplicate message protection for MM1 messages prevents multiple subscribers from sending duplicate messages to your MMSC. Duplicate message protection for MM4 messages prevents another service provider from sending duplicate messages from the same subscriber to your MMSC.

The unit keeps track of the sent messages. If the same message appears more often than the threshold value that you have configured, action is taken. Possible actions are logging the duplicate messages, blocking or intercepting them, archiving, and sending an alert to inform an administrator that duplicate messages are occurring.

Duplicate message configuration settings

View duplicate messages in Security Profiles > Carrier > Duplicate Message.

Duplicate Message

Lists duplicates of messages that were sent to you.
Delete Removes a message from the list.

To remove multiple duplicate messages from within the list, on the Message Flood page, in each row of the messages you want removed, select the check box and then select Delete.

To remove all duplicate messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Page Controls Use to navigate through the list.
Remove All Entries Removes all duplicate messages from the list.
Protocol Either MM1 or MM4
Profile The MMS profile that logs the detection.
Checksum The checksum of the MMS message.
Status Either flagged or blank. Flagged means that the actions defined in the MMS profile are taken. For more information, see “MMS bulk email filtering options”.
Count Displays the number of messages in the last window of time.
Window Size (minutes) The period of time during which a message flood will be detected if the Message Flood Limit is exceeded.
Timer (minutes:seconds) Either the time left in the window if the message is unflagged, or the time until the message will be unflagged if it is already flagged.

Carrier Endpoint Filter Lists

A carrier endpoint filter list contains carrier endpoint patterns. A pattern can match one carrier endpoint or can use wildcards or regular expressions to match multiple carrier endpoints. For each pattern, you select the action that the unit takes on a message when the pattern matches a carrier endpoint in the message. Actions include blocking the message, exempting the message from MMS scanning, and exempting the message from all scanning. You can also configure the pattern to intercept the message and content archive the message to a FortiAnalyzer unit.

Carrier endpoint filter lists configuration settings

The following are Carrier endpoint filter list configuration settings in Security Profiles > Carrier Endpoint Filter Lists.

Carrier Endpoint Filter Lists

Lists all the endpoint filters that you created. On this page, you can edit, delete or create a new endpoint filter list.
Create New Creates a new endpoint filter list. When you select Create New, you are automatically redirected to the New List page. You must enter a name to go to the Carrier Endpoint Filter Lists Settings page.
Edit Modifies settings within an endpoint filter list in the list.
Delete Removes an endpoint filter in the list.

To remove multiple endpoint filter lists from within the list, on the Carrier Endpoint Filter List page, in each of the rows of the endpoint filter lists you want removed, select the check box and then select Delete.

To remove all endpoint filter lists from the list, on the Carrier Endpoint Filter List page, select the check box in the check box column and then select Delete.
Name The name of the endpoint filter.
# Entries The number of carrier endpoint patterns in each carrier endpoint filter list.
MMS Profiles The MMS profile that the carrier endpoint filter list is added to.
Comments A description about the endpoint filter.
Ref. Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus > Profiles), 1 appears in Ref. .

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window:

•  View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

•  Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

•  View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.
Carrier Endpoint Filter Lists Settings

Provides settings for configuring an endpoint filter.
Name The name you entered on the New List page, after selecting Create New on the Carrier Endpoint Filter page.
Comments A description about the endpoint filter. You can add one here if you did not enter one on the New List page.
Create New Creates a new endpoint filter list. When you select Create New, you are automatically redirected to the New Entry page.
Edit Select to modify the settings of a pattern in the list.
Delete Select to remove a pattern in the list.
Enable Enables a disabled pattern in the list.
Disable Disables a pattern in the list.
Remove All Entries Removes all patterns in the list on the Carrier Endpoint Filter Lists Settings page.
Enable Indicates whether or not the pattern is enabled.
Pattern Enter or change the pattern that FortiOS Carrier uses to match with carrier endpoints. The pattern can be a single carrier endpoint or consist of wildcards or Perl regular expressions that will match more than one carrier endpoint. Set Pattern Type to correspond to the pattern that you want to use.
Action Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the carrier endpoint pattern:
Pattern Type The type of pattern chosen.
New Entry page
Pattern Enter or change the pattern that FortiOS Carrier uses to match with carrier endpoints. The pattern can be a single carrier endpoint or consist of wildcards or Perl regular expressions that will match more than one carrier endpoint. Set Pattern Type to correspond to the pattern that you want to use.
Action(s) Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the carrier endpoint pattern:
  Content Archive MMS messages from the carrier endpoint are delivered, the message content is DLP archived according to MMS DLP archive settings. Content archiving is also called DLP archiving.
  Intercept MMS messages from the carrier endpoint are delivered. Based on the quarantine configuration, attached files may be removed and quarantined.
Pattern Type Select a pattern type as one of Single Carrier Endpoint, Wildcard or Regular Expression.

Wildcard and Regular Expression will match multiple patterns where Signle Carrier Endpoint matches only one.
Enable Select to enable this carrier endpoint filter pattern.

GTP Profile

You can configure multiple GTP profiles within the GTP menu. GTP profiles concern GTP activity flowing through the unit. These GTP profiles are then applied to a security policy.

GTP profile configuration settings

The following are GTP profile configuration settings in Security Profiles > GTP Profile.

GTP Profile

Lists each GTP profile that you have created. On this page, you can edit, delete or create a new GTP profile.
Create New Creates a new GTP profile. When you select Create New, you are automatically redirected to the New page.
Edit Modifies settings within a GTP profile in the list. When you select Edit, you are automatically redirected to Edit page.
Delete Removes a GTP profile from the list.

To remove multiple GTP profiles from within the list, on the GTP Profile page, in each of the rows of the profiles you want removed, select the check box and then select Delete.

To remove all GTP profiles from within the list, on the GTP Profile page, select the check box in the check box column and then select Delete.
Name The name of the GTP profile.
Ref. Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus > Profiles), 1 appears in Ref. .

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window:

•  View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

•  Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

•  View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.
New GTP Profile

Provides settings for configuring a GTP profile.
Name Enter a name for the GTP profile.
General Settings Configure general options for the GTP profile..
Message Type Filtering Configure filtering for messages.
APN Filtering Configure filtering options for APN.
IMSI Filtering Configure filtering options for IMSI.
Advanced Filtering Configure advanced filtering options.
IE removal policy Configure IE removal policy options.
Encapsulated IP Traffic Filtering Configure filtering options for encapsulated IP traffic.
Encapsulated Non-IP End User Address Filtering Configure filtering options for encapsulated non-IP end user addresses.
Protocol Anomaly Configure protocol anomaly options.
Anti-Overbilling Configure anti-overbilling options.
Log Configure log options.

General settings options

The following are mostly house keeping options that appear in the General Settings area of the GTP configuration page.

General Settings section of the New GTP Profile
Sequence Number Validation Enable to check that packets are not duplicated or out of order. GTP packets contain a Sequence Number field.

This number tells the receiving GGSN the order of the packets it is receiving. Normally the GGSN compares this sequence number in the packets with its own sequence counter — if the two do not match, the packet is dropped. This sequence number validation can be off-loaded to the FortiOS Carrier freeing up resources on the GGSN.
GTP-in-GTP Select Allow to enable GTP packets to be allowed to contain GTP packets, or a GTP tunnel inside another GTP tunnel.

To block all GTP-in-GTP packets, select Deny.
Minimum Message Length Enter the shortest possible message length in bytes. Normally this is controlled by the protocol, and will vary for different message types. If a packet is smaller than this limit, it is discarded as it is likely malformed and a potential security risk.

The default minimum message length is 0 bytes.
Maximum Message Length Enter the maximum allowed length of a GTP packet in bytes.

A GTP packet contains three headers and corresponding parts GTP, UDP, and IP. If a packet is larger than the maximum transmission unit (MTU) size, it is fragmented to be delivered in multiple packets. This is inefficient, resource intensive, and may cause problems with some applications.

By default the maximum message length is 1452 bytes.
Tunnel Limit Enter the maximum number of tunnels allowed open at one time. For additional GTP tunnels to be opened, existing tunnels must first be closed.

This feature can help prevent a form of denial of service attack on your network. This attack involves opening more tunnels than the network can handle and consuming all the network resources doing so. By limiting the number of tunnels at any one time, this form of attack will be avoided.

The tunnel limiting applies to the Handover Group, and Authorized SGSNs and GGSNs.
Tunnel Timeout Enter the maximum number of seconds that a GTP tunnel is allowed to remain active. After the timeout the unit deletes GTP tunnels that have stopped processing data. A GTP tunnel may hang for various reasons. For example, during the GTP tunnel tear-down stage, the "delete pdap context response" message may get lost. By setting a timeout value, you can configure the FortiOS Carrier firewall to remove the hanging tunnels.

The default is 86400 seconds, or 24 hours.
Control plane message rate limit Enter the number of packets per second to limit the traffic rate to protect the GSNs from possible Denial of Service (DoS) attacks. The default limit of 0 does not limit the message rate.

GTP DoS attacks can include:

•  Border gateway bandwidth saturation: A malicious operator can connect to your GRX and generate high traffic towards your Border Gateway to consume all the bandwidth.

•  GTP flood: A GSN can be flooded by illegitimate traffic
Handover Group Select the allowed list of IP addresses allowed to take over a GTP session when the mobile device moves locations.

Handover is a fundamental feature of GPRS/UMTS, which enables subscribers to seamlessly move from one area of coverage to another with no interruption of active sessions. Session hijacking can come from the SGSN or the GGSN, where a fraudulent GSN can intercept another GSN and redirect traffic to it. This can be exploited to hijack GTP tunnels or cause a denial of service.

When the handover group is defined it acts like a whitelist with an implicit default deny at the end — the GTP address must be in the group or the GTP message will be blocked. This stops handover requests from untrusted GSNs.
Authorized SGSNs Use Authorized SGSNs to only allow authorized SGSNs to send packets through the unit and to block unauthorized SGSNs. Go to Firewall Objects > Address > Addresses and add the IP addresses of the authorized SGSNs to a firewall address or address group. Then set Authorized SGSNs to this firewall address or address group.

You can use Authorized SGSNs to allow packets from SGSNs that have a roaming agreement with your organization.
Authorized GGSNs Use Authorized GGSNs to only allow authorized GGSNs to send packets through the unit and to block unauthorized GGSNs. Go to Firewall Objects > Address > Addresses and add the IP addresses of the authorized GGSNs to a firewall address or address group. Then set Authorized GGSNs to this firewall address or address group.

You can use Authorized GGSNs to allow packets from SGSNs that have a roaming agreement with your organization.

Message type filtering options

On the New GTP Profile page, you can select to allow or deny the different types of GTP messages, which is referred to as message type filtering. You must expand the Message Type Filtering section to access the settings.

The messages types include Path Management, Tunnel Management, Location Management, Mobility Management, MBMS, and GTP-U and Charging Management messages.

caution icon For enhanced security, Fortinet best practices dictate that you set Unknown Message Action to deny. This will block all unknown GTP message types, some of which may be malicious.

To configure message type filter options, expand Message Type Filtering in the GTP profile.

APN filtering options

An Access Point Name (APN) is an Information Element (IE) included in the header of a GTP packet. It provides information on how to reach a network.

An APN has the following format:

<network_id>[.mnc<mnc_int>.mcc<mcc_int>.gprs]

Where:

  • <network_id> is a network identifier or name that identifies the name of a network, for example, example.com or internet.
  • [.mnc<mnc_int>.mcc<mcc_int>.gprs] is the optional operator identifier that uniquely identifies the operator’s PLMN, for example mnc123.mcc456.gprs.

Combining these two examples results in a complete APN of internet.mnc123.mcc456.gprs.

By default, the unit permits all APNs. However, you can configure APN filtering to restrict roaming subscribers' access to external networks.

APN filtering applies only to the GTP create pdp request messages. The unit inspects GTP packets for both APN and selected modes. If both parameters match and APN filter entry, the unit applies the filter to the traffic.

Additionally, the unit can filter GTP packets based on the combination of an IMSI prefix and an APN.

caution icon You cannot add an APN when creating a new profile.
APN Filtering
Enable APN Filter Select to enable APN filtering.
Default APN Action Select the default action for APN filtering. If you select Allow, all sessions are allowed except those blocked by individual APN filters. If you select Deny, all sessions are blocked except those allowed by individual APN filters.
Value The APN to be filtered.
Mode The type of mode chosen that indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription:
Action The type of action that will be taken.
Edit Modifies the settings within the filter. When you select Edit, the Edit window appears, which allows you to modify the settings of the APN.
Delete Removes the APN from the list within the table, in the APN Filtering section.
Add APN Adds a new APN filter to the list. When you select Add APN, the New window appears, which allows you to configure the APN settings.
New APN page
Value Enter an APN to be filtered. You can include wild cards to match multiple APNs. For example, the value internet* would match all APNs that being with internet.
Mode Select one or more of the available modes to indicate where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
  Mobile Station provided MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
  Network provided Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
  Subscription Verified MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network
Action Select Allow or Deny.

Basic filtering options

The International Mobile Station Identity (IMSI) is used by a GPRS Support Node (GSN) to identify a mobile station. Three elements make up every IMSI:

  • the mobile country code (MCC)
  • the mobile network code (MNC)
  • the mobile subscriber identification number (MSIN).

The subscriber's home network—the public land mobile network (PLMN)—is identified by the IMSI prefix, formed by combining the MCC and MNC.

By default, the unit allows all IMSIs. You can add IMSI prefixes to deny GTP traffic coming from non-roaming partners. Any GTP packets with IMSI prefixes not matching the prefixes you set will be dropped. GTP Create pdp request messages are filtered and only IMSI prefixes matching the ones you set are permitted. Each GTP profile can have up to 1000 IMSI prefixes set.

An IMSI prefix and an APN can be used together to filter GTP packets if you set an IMSI filter entry with a non-empty APN.

note icon You cannot add an IMSI when creating a new profile. You must add it after the profile has been created and you are editing the profile.
IMSI Filtering section of the New GTP Profile
Enable IMSI Filter Select to enable IMSI filtering.
Default IMSI Action Select the default action for IMSI filtering. If you select Allow, all sessions are allowed except those blocked by individual IMSI filters. If you select Deny, all sessions are blocked except those allowed by individual IMSI filters.
APN The APN that is part of the IMSI that will be filtered.
MCC-MNC The MCC-MNC part of the IMSI that will be filtered.
Mode The type of mode that indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
Action The type of action that will be taken.
Edit Modifies settings to an IMSI filter. When you select Edit, the Edit window appears, which allows you to modify the IMSI filter’s settings.
Delete Removes an IMSI filter from within the table, in the IMSI Filtering section.
Add IMSI Adds a new IMSI filter to the list. When you select Add IMSI, the New window appears, which allows you to configure IMSI filter settings.
New IMSI page
APN Enter the APN part of the IMSI to be filtered.
MCC-MNC Enter the MCC-MCC part of the IMSI to be filtered.
Mode Select one or more of the available modes to indicate where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
  Mobile Station provided MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
  Network provided Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
  Subscription Verified MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network
Action Select Allow or Deny.

Advanced filtering options

The FortiOS Carrier firewall supports advanced filtering against the attributes RAT, RAI, ULI, APN restriction, and IMEI-SV in GTP to block specific harmful GPRS traffic and GPRS roaming traffic. The following table shows some of the GTP context requests and responses that the firewall supports.

Attributes supported by FortiCarrier firewalls
  GTP Create PDP Context Request GTP Create PDP Context Response GTP Update PDP Context Request GTP Update PDP
Context Response
APN yes yes -  
APN Restriction yes - - yes
IMEI-SV yes - - -
IMSI yes - yes -
RAI yes - yes -
RAT yes - yes -
ULI yes - yes -

When editing a GTP profile, select Advanced Filtering > Add to create and add a rule. When the rule matches traffic it will either allow or deny that traffic as selected in the rule.

Advanced Filtering
Enable Select to enable advanced filtering.
Default Action Select the default action for advanced filtering. If you select Allow, all sessions are allowed except those blocked by individual advanced filters. If you select Deny, all sessions are blocked except those allowed by individual advanced filters.
Messages The messages, for example, Create PDP Context Request.
APN Restriction The APN restriction.
RAT Type The RAT types associated with that filter.
ULI The ULI pattern.
RAI The RAI pattern.
IMEI The IMEI pattern.
Action The action that will be taken.
Edit Modifies the filter’s settings. When you select Edit, the Edit window appears, which allows you to modify the filter’s settings.
Delete Removes a filter from the list.
Add Adds a filter to the list. When you select Add, the New window appears, which allows you to configure settings for messages, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI patterns as well as the type of action.
New Filtering page
Messages The PDP content messages this profile will match.
  Create PDP
Context Request
Select to allow create PDP context requests.
  Create PDP
Context Response
Select to allow create PDP context responses.
  Update PDP
Context Request
Select to allow update PDP context requests.
  Update PDP
Context Response
Select to allow update PDP context responses.
APN Enter the APN.
APN Mode Select an APN mode as one or more of

•  Mobile Station provied
•  Network provided
•  Subscription provied

This field is only available when an APN has been entered.
  Mobile Station provided MS-provided PAN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network.
  Network provided Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did no verify the user’s subscription to the network.
  Subscription verified MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.
APN Restriction Select the type of restriction that you want. You can choose all of the types, or one of the types. You cannot choose multiple types. Types include:

•  all
•  Public-1
•  Public-2
•  Private-1
•  Private-2
IMSI Enter the IMSI.
MSISDN Enter the MSISDN.
RAT Type Optionally select the RAT type as any combination of the following:

•  Any
•  UTRAN
•  GERAN
•  Wifi
•  GAN
•  HSPA

Some RAT types are GTPv1 specific.
ULI pattern Enter the ULI pattern.
RAI pattern Enter the RAI pattern.
IMEI pattern Enter the IMEI pattern.
Action Select either Allow or Deny.

Adding an advanced filtering rule

When adding a rule, use the following formats:

  • Prefix, for example, range 31* for MCC matches MCC from 310 to 319.
  • Range, for example, range 310-319 for MCC matches MCC from 310 to 319.
  • Mobile Country Code (MCC) consists of three digits. The MCC identifies the country of domicile of the mobile subscriber.
  • Mobile Network Code (MNC) consists of two or three digits for GSM/UMTS applications. The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or three digits) depends on the value of the MCC. Best practices dictate not to mix two and three digit MNC codes within a single MCC area.
  • Location Area Code (LAC) is a fixed length code (of 2 octets) identifying a location area within a PLMN. This part of the location area identification can be coded using a full hexadecimal representation except for the following reserved hexadecimal values: 0000 and FFFE. These reserved values are used in some special cases when no valid LAI exists in the MS (see 3GPP TS 24.008, 3GPP TS 31.102 and 3GPP TS 51.011).
  • Routing Area Code (RAC) of a fixed length code (of 1 octet) identifies a routing area within a location.
  • CI or SAC of a fixed length of 2 octets can be coded using a full hexadecimal expression.
  • Type Allocation Code (TAC) has a length of 8 digits.
  • Serial Number (SNR) is an individual serial number identifying each equipment within each TAC. SNR has a length of 6 digits.
  • Software Version Number (SVN) identifies the software version number of the mobile equipment. SVN has a length of 2 digits.
note icon You cannot add an advanced filtering rule when creating a new profile. You must add it after the profile has been created and you are editing the profile.

Information Element (IE) removal policy options

In some roaming scenarios, the unit is installed on the border of the PLMN and the GRX. In this configuration, the unit supports information element (IE) removal policies to remove any combination of R6 IEs (RAT, RAI, ULI, IMEI-SV and APN restrictions) from the types of messages described in “Advanced filtering options”, prior to forwarding the messages to the HGGSN (proxy mode).

IE removal policy
Enable Select to enable this option.
SGSN address of message IE The firewall address or address group that contains the SGSN addresses.
IEs to be removed The IE types that will be removed. These include APN Restriction, RAT, RAI, ULI, and IMEI.
Add Adds an IE removal policy. When you select Add, the New window appears, which allows you to configure the IE policy.
Edit Modifies settings from within the IE removal policy. When you select Edit, the Edit window appears, which allows you to modify the settings within the policy.
Delete Removes the IE removal policy from the list.
New IE policy page
SGSN address Select a firewall address or address group that contains SGSN addresses.
IEs to be removed Select one or more IE types to be removed. These include APN Restriction, RAT, RAI, ULI, and IMEI.

Encapsulated IP traffic filtering options

You can use encapsulated IP traffic filtering to filter GTP sessions based on information contained in the data stream. to control data flows within your infrastructure. You can configure IP filtering rules to filter encapsulated IP traffic from mobile stations by identifying the source and destination policies. For more information, see When to use encapsulated IP traffic filtering.

Expand Encapsulated IP Traffic Filtering in the GTP profile to reveal the options.

Encapsulated IP Traffic Filtering
Enable IP Filter Select to enable encapsulated IP traffic filtering options.
Default IP Action Select the default action for encapsulated IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated IP traffic filters.
Source Select a source IP address from the configured firewall IP address or address group lists. Any encapsulated traffic originating from this IP address will be a match if the destination also matches.
Destination Select a destination IP address from the configured firewall IP address or address group lists. Any encapsulated traffic being sent to this IP address will be a match if the destination also matches.
Action The type of action that will be taken.

Select to Allow or Deny encapsulated traffic between this source and Destination.
Edit Modifies the source, destination or action settings.
Add IP Policy Adds a new encapsulated IP traffic filter. When you select Add IP Policy, the New window appears which allows you to configure IP policy settings.
New (window)
Source Select the source firewall address or address group.
Destination Select the destination firewall address or address group.
Action Select Allow or Deny.

Encapsulated non-IP end user traffic filtering options

Depending on the installed environment, it may be beneficial to detect GTP packets that encapsulate non-IP based protocols. You can configure the FortiOS Carrier firewall to permit a list of acceptable protocols, with all other protocols denied.

The encoded protocol is determined in the PDP Type Organization and PDP Type Number fields within the End User Address Information Element. The PDP Type Organization is a 4-bit field that determines if the protocol is part of the ETSI or IETF organizations. Values are zero and one, respectively. The PDP Type field is one byte long. Both GTP specifications list only PPP, with a PDP Type value of one, as a valid ETSI protocol. PDP Types for the IETF values are determined in the “Assigned PPP DLL Protocol Numbers” sections of RFC1700. The PDP types are compressed, meaning that the most significant byte is skipped, limiting the protocols listed from 0x00 to 0xFF.

Encapsulated Non-IP End User Address Filtering
Enable Non-IP Filter Select to enable encapsulated non-IP traffic filtering.
Default Non-IP Action Select the default action for encapsulated non-IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated non-IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated non-IP traffic filters.
Type The type chosen, AESTI or IETF.
Start Protocol The beginning protocol port number range.
End Protocol The end of the protocol port number range.
Action The type of action that will be taken.
Edit Modify a non-IP filter's settings in the list. When you select Edit, the Edit window appears, which allows you to modify the Non-IP policy settings.
Delete Remove a non-IP policy from the list.
Add Non-IP Policy Add a new encapsulated non-IP traffic filter. When you select Add Non-IP Policy, you are automatically redirected to the New page.
New (window)
Type Select AESTI or IETF.
Start Protocol

End Protocol
Select a start and end protocol from the list of protocols in RFC 1700. Allowed range includes 0 to 255 (0x00 to 0xff). Some common protocols include:

•  33 (0x0021)   Internet Protocol
•  35 (0x0023)   OSI Network Layer
•  63 (0x003f)    NETBIOS Framing
•  65 (0x0041)   Cisco Systems
•  79 (0x004f)    IP6 Header Compression
•  83 (0x0053)   Encryption
Action Select Allow or Deny.

Protocol Anomaly prevention options

Use protocol anomaly detection options to detect or deny protocol anomalies according to GTP standards and tunnel state. Protocol anomaly attacks involve malformed or corrupt packets that typically fall outside of the protocol specifications. Packets cannot pass through if they fail the sanity check.

Protocol Anomaly
Invalid Reserved Field GTP version 0 (GSM 09.60) headers specify a number of fields that are marked as ''Spare” and contain all ones (1). GTP packets that have different values in these fields are flagged as anomalies. GTP version 1 (GSM 29.060) makes better use of the header space and only has one, 1-bit, reserved field. In the first octet of the GTP version1 header, bit 4 is set to zero.
Reserved IE Both versions of GTP allow up to 255 different Information Elements (IE). However, a number of Information Elements values are undefined or reserved. Packets with reserved or undefined values will be filtered.
Miss Mandatory IE GTP packets with missing mandatory Information Elements (IE) will not be passed to the GGSN.
Out of State Message The GTP protocol requires a certain level of state to be kept by both the GGSN and SGSN. Some message types can only be sent when in a specific GTP state. Packets that do not make sense in the current state are filtered or rejected

Both versions of GTP allow up to 255 different message types. However, a number of message type values are undefined or reserved.

Best practices dictate that packets with reserved or undefined values will be filtered.
Out of State IE GTP Packets with out of order Information Elements are discarded.
Spoofed Source Address The End User Address Information Element in the PDP Context Create & Response messages contain the address that the mobile station (MS) will use on the remote network. If the MS does not have an address, the SGSN will set the End User Address field to zero when sending the initial PDP Context Create message. The PDP Context Response packet from the GGSN will then contain an address to be assigned to the MS. In environments where static addresses are allowed, the MS will relay its address to the SGSN, which will include the address in the PDP Context Create Message. As the MS address is negotiated within the PDP Context creation handshake, any packets originating from the MS that contain a different source address are detected and dropped.

Anti-Overbilling options

You can configure the FortiOS Carrier firewall to prevent overbilling subscribers for traffic over the. To enable anti-overbilling, you must configure both the Gn/Gp firewall and the Gi firewall.

Expand Anti-Overbilling in the GTP profile to reveal these settings.

Anti-Overbilling
Gi Firewall IP Address The IP address of the unit’s interface configured as a Gi gateway.
Port The SG security port number. The default port number is port 21123. Change this number if your system uses a different SG port.
Interface Select the unit interface configured as a Gi gateway.
Security Context ID Enter the security context ID. This ID must match the ID entered on the server Gi firewall. The default security context ID is 696.

Log options

All the GTP logs are treated as a subtype of the event logs. To enable GTP logging, you must:

  • configure the GTP log settings in a GTP profile
  • enable GTP logging when you configure log and report settings.
To enable GTP logging after a GTP profile has been configured
  1. Go to Log & Report > Log Settings.
  2. Select Event Logging, and select GTP service event.
  3. Select Apply.
Log
Log Frequency Enter the number of messages to drop between logged messages.

An overflow of log messages can sometimes occur when logging rate-limited GTP packets exceed their defined threshold. To conserve resources on the syslog server and the Carrier-enabled FortiGate unit, you can specify that some log messages are dropped. For example, if you want only every twentieth message to be logged, set a logging frequency of 20. This way, 20 messages are skipped and the next logged.

Acceptable frequency values range from 0 to 2147483674. When set to ‘0’, no messages are skipped.
Forwarded Log Select to log forwarded GTP packets.
Denied Log Select to log GTP packets denied or blocked by this GTP profile.
Rate Limited Log Select to log rate-limited GTP packets.
State Invalid Log Select to log GTP packets that have failed stateful inspection.
Tunnel Limit Log Select to log packets dropped because the maximum limit of GTP tunnels for the destination GSN is reached.
Extension Log Select to log extended information about GTP packets. When enabled, this additional information will be included in log entries:

•  IMSI
•  MSISDN
•  APN
•  Selection Mode
•  SGSN address for signaling
•  SGSN address for user data
•  GGSN address for signaling
•  GGSN address for user data
Traffic count Log Select to log the total number of control and user data messages received from and forwarded to the GGSNs and SGSNs that the unit protects.

The unit can report the total number of user data and control messages received from and forwarded to the GGSNs and SGSNs it protects. Alternately, the total size of the user data and control messages can be reported in bytes. The unit differentiates between traffic carried by each GTP tunnel, and also between GTP-User and GTP-Control messages.

The number of messages or the number of bytes of data received from and forwarded to the SGSN or GGSN are totaled and logged if a tunnel is deleted.

When a tunnel is deleted, the log entry contains:

•  Timestamp
•  Interface name (if applicable)
•  SGSN IP address
•  GGSN IP address
•  TID
•  Tunnel duration time in seconds
•  Number of messages sent to the SGSN
•  Number of messages sent to the GGSN

Specifying logging types

You can configure the unit to log GTP packets based on their status with GTP traffic logging.

The status of a GTP packet can be any of the following 5 states:

  • Forwarded - a packet that the unit transmits because the GTP policy allows it
  • Prohibited - a packet that the unit drops because the GTP policy denies it
  • Rate-limited - a packet that the unit drops because it exceeds the maximum rate limit of the destination GSN
  • State-invalid - a packet that the unit drops because it failed stateful inspection
  • Tunnel-limited - a packet that the unit drops because the maximum limit of GTP tunnels for the destination GSN is reached.

The following information is contained in each log entry:

  • Timestamp
  • Source IP address
  • Destination IP address
  • Tunnel Identifier (TID) or Tunnel Endpoint Identifier (TEID)
  • Message type
  • Packet status: forwarded, prohibited, state-invalid, rate-limited, or tunnel-limited
  • Virtual domain ID or name
  • Reason to be denied if applicable.