firewall : gtp
 
gtp
Use this command to configure GTP profiles. This command is FortiOS Carrier only.
Syntax
config firewall gtp
edit <name_str>
config apn
edit index_int
set action {allow | deny}
set selection-mode {ms net vrf}
set value <networkid_str>
end
config ie-remove-policy
edit <index_int>
set remove-ies {apn-restriction rat-type rai uli imei}
set sgsn-addr <addr/group_str>
end
config ie-validation
set apn-restriction {disable | enable}
set charging-ID {disable | enable}
set charging-gateway-addr {disable | enable}
set end-user-addr {disable | enable}
set gsn-addr {disable | enable}
set imei {disable | enable}
set imsi {disable | enable}
set mm-context {disable | enable}
set ms-tzone {disable | enable}
set ms-validated {disable | enable}
set msisdn {disable | enable}
set nsapi {disable | enable}
set pdp-context {disable | enable}
set qos-profile {disable | enable}
set rai {disable | enable}
set rat-type {disable | enable}
set reordering-required {disable | enable}
set selection-mode {disable | enable}
set uli {disable | enable}
end
config imsi
edit <index_int>
set action {allow | deny}
set apn <networkid_str>
set mcc-mnc <mccmnc_str>
set selection-mode {ms net vrf}
end
config ip-policy
edit <index_int>
set action {allow | deny}
set dstaddr <address_str>
set srcaddr <address_str>
end
config message-filter
edit <index_int>
set create-aa-pdp {allow | deny}
set create-mbms {allow | deny}
set create-pdp {allow | deny}
set data-record {allow | deny}
set delete-aa-pdp {allow | deny}
set delete-mbms {allow | deny}
set delete-pdp {allow | deny}
set echo {allow | deny}
set error-indication {allow | deny}
set failure-report {allow | deny}
set fwd-relocation {allow | deny}
set fwd-srns-context {allow | deny}
set gtp-pdu {allow | deny}
set identification {allow | deny}
set mbms-notification {allow | deny}
set node-alive {allow | deny}
set note-ms-present {allow | deny}
set pdu-notification {allow | deny}
set ran-info {allow | deny}
set redirection {allow | deny}
set relocation-cancel {allow | deny}
set send-route {allow | deny}
set sgsn-context {allow | deny}
set support-extension {allow | deny}
set unknown-message-action {allow | deny}
set update-mbms {allow | deny}
set update-pdp {allow | deny}
set version-not-support {allow | deny}
end
config message-rate-limit
edit <index_int>
set
set
set
end
config noip-policy
edit <index_int>
set action {allow | deny}
set start <protocol_int>
set end <protocol_int>
set type {etsi | ietf}
end
config policy
edit <index_int>
set action {allow | deny}
set apn <apn_str>
set imei <imei_str>
set imsi <imsi_str>
set max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
set messages {create-req create-res update-req update-res}
set rai <rai_str>
set rat-type {any geran utran wlan}
set uli <uli_str>
end
set addr-notify <Gi_ipv4>
set apn-filter {enable | disable}
set authorized-sgsns <addr/grp_str>
set context-id <id_int>
set control-plane-message-rate-limit <limit_int>
set create-aa-pdp {allow | deny}
set create-pdp {allow | deny}
set data-record {allow | deny}
set default-apn-action {allow | deny}
set default-imsi-action {allow | deny}
set default-ip-action {allow | deny}
set default-noip-action {allow | deny}
set default-policy-action {allow | deny}
set delete-aa-pdp {allow | deny}
set delete-pdp {allow | deny}
set denied-log {enable | disable}
set echo {allow | deny}
set error-indication {allow | deny}
set extension-log {enable | disable}
set failure-report {allow | deny}
set forwarded-log {enable | disable}
set fwd-relocation {allow | deny}
set fwd-srns-context {allow | deny}
set gtpu-denied-log {enable | disable}
set gtpu-forwarded-log {enable | disable}
set gtp-in-gtp {allow | deny}
set gtpu-log-freq <packets_int>
set gtp-pdu {allow | deny}
set handover-group <group_name>
set identification {allow | deny}
set ie-remover {enable | disable}
set imsi-filter {enable | disable}
set interface-notify <interface_str>
set invalid-reserved-field {allow | deny}
set ip-filter {enable | disable}
set log-freq <drop_int>
set max-message-length <bytes_int>
set min-message-length <bytes_int>
set miss-must-ie {allow | deny}
set node-alive {allow | deny}
set noip-filter {enable | disable}
set note-ms-present {allow | deny}
set out-of-state-ie {allow | deny}
set out-of-state-message {allow | deny}
set pdu-notification {allow | deny}
set policy-filter {enable | disable}
set port-notify <port_int>
set ran-info {allow | deny}
set rate-limited-log {enable | disable}
set redirection {allow | deny}
set relocation-cancel {allow | deny}
set reserved-ie {allow | deny}
set send-route {allow | deny}
set seq-number-validate {enable | disable}
set sgsn-context {allow | deny}
set spoof-src-addr {allow | deny}
set state-invalid-log {enable | disable}
set support-extension {allow | deny}
set traffic-count-log {enable | disable}
set tunnel-limit <limit_int>
set tunnel-limit-log {enable | disable}
set tunnel-timeout <time_int>
set unknown-message-action {allow | deny}
set unknown-version-action {allow | deny}
set update-pdp {allow | deny}
set version-not-support {allow | deny}
end
Variable
Description
Default
<name_str>
Enter the name of this GTP profile.
No default.
apn
The following commands are the options for config apn.
index_int
Enter the unique ID number of the APN filter profile.
No default.
action {allow | deny}
Select to allow or deny traffic matching both the APN and Selection Mode specified for this APN filter profile.
allow
selection-mode {ms net vrf}
Select the selection mode or modes required for the APN. The selection mode indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
Enter ms to specify a mobile station provided APN, subscription not verified. This Selection Mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
Enter net to specify a network-provided APN, subscription not verified. This Selection Mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
Enter vrf to specify a mobile station or network-provided APN, subscription verified. This Selection Mode indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network.
ms net vrf
value <networkid_str>
Enter the network ID and operator ID of the APN.
No default.
ie-remove-policy
The following commands are the set options for config ie-remove-policy.
<index_int>
Enter the unique ID number of the IE removal policy.
No default.
remove-ies {apn-restriction rat-type rai uli imei}
Select the information elements to be removed from messages prior to being forwarding to the HGGSN. Any combination of R6 information elements (RAT, RAI, ULI, IMEI-SV and APN restrictions) may be specified.
apn-restriction rat-type rai uli imei
sgsn-addr <addr/group_str>
Enter an SGSN address or group the IE removal policy will be applied to.
all
ie-validation
The following commands are the options for config ie-validation. Each one enables validation of a specific information element (IE).
apn-restriction {disable | enable}
Enable to restrict the Access Point Number (APN).
Restricting the APN limits the IP packet data networks that can be associated with the GTP tunnel.
disable
charging-ID {disable | enable}
Enable to validate the charging ID in the IE.
disable
charging-gateway-addr {disable | enable}
Enable to validate the charging gateway address.
disable
end-user-addr {disable | enable}
Enable to validate the end user address.
disable
gsn-addr {disable | enable}
Enable to validate the GSN address.
disable
imei {disable | enable}
Enable to validate the IMEI (SV).
disable
imsi {disable | enable}
Enable to validate the IMSI.
disable
mm-context {disable | enable}
Enable to validate the MM context.
disable
ms-tzone {disable | enable}
Enable to validate the mobile station (MS) timezone.
disable
ms-validated {disable | enable}
Enable to validate the MS.
disable
msisdn {disable | enable}
Enable to validate the MSISDN.
disable
nsapi {disable | enable}
Enable to validate the NSAPI.
disable
pdp-context {disable | enable}
Enable to validate the PDP context.
disable
qos-profile {disable | enable}
Enable to validate the Quality of Service (QoS).
disable
rai {disable | enable}
Enable to validate the RAI.
disable
rat-type {disable | enable}
Enable to validate the RAT type.
disable
reordering-required {disable | enable}
Enable to validate the required reordering.
disable
selection-mode {disable | enable}
Enable to validate the selection mode.
disable
uli {disable | enable}
Enable to validate the User Location Information (ULI).
disable
imsi
The following commands are the options for config imsi.
<index_int>
Enter the unique ID number of the IMSI filtering policy.
disable
action {allow | deny}
Select to allow or deny traffic matching the APN and Selection Mode specified for this IMSI filtering policy.
allow
apn <networkid_str>
Enter the network ID and operator ID of the APN.
No default.
mcc-mnc <mccmnc_str>
Enter the MCC and MNC.
No default.
selection-mode {ms net vrf}
Select the selection mode or modes. The selection mode indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
Enter ms to specify a mobile station provided APN, subscription not verified. This Selection Mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
Enter net to specify a network-provided APN, subscription not verified. This Selection Mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
Enter vrf to specify a mobile station or network-provided APN, subscription verified. This Selection Mode indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network.
ms net vrf
ip-policy
The following commands are the options for config ip-policy.
<index_int>
Enter the unique ID number of the encapsulated IP traffic filtering policy.
No default.
action {allow | deny}
Select to allow or deny traffic matching both the source and destination addresses specified for this encapsulated IP traffic filtering policy.
allow
dstaddr <address_str>
Enter the name of a destination address or address group.
No default.
srcaddr <address_str>
Enter the name of a source address or address group.
No default.
message-filter
The following tunnel management messages are used to create, update and delete the tunnels that route tunneled PDUs between an MS and a PDN via the SGSN and GGSN.
create-aa-pdp {allow | deny}
Allow Anonymous Access Packet Data Protocol (AA PDP) tunnel management messages.
These messages are used to create a tunnel between a context in the SGSN and a context in the GGSN.
allow
create-mbms {allow | deny}
Allow Multimedia Broadcast Multicast Service (MBMS) create messages. These messages occur when a GTP-U tunnel is setup for a multicast flow.
allow
create-pdp {allow | deny}
Allow create PDP context tunnel management messages.
Sent from an SGSN to a GGSN node as part of the GPRS PDP Context Activation procedure.
allow
data-record {allow | deny}
Allow data record messages.
Data record messages are used to reliably transport CDRs from the point of generation (SGSN/GGSN) to non-volatile storage in the CGF.
allow
delete-aa-pdp {allow | deny}
Allow Anonymous Access (AA) PDP context tunnel management messages.
These messages are sent between the SGSN and GGSN as part of the AA PDP context deactivation procedure.
allow
delete-mbms {allow | deny}
Allow delete MBMS messages.
These messages are part of the request to deactivate the MBMS context. When the response is received, the MBMS context will be inactive.
allow
delete-pdp {allow | deny}
Allow delete PDP context tunnel management message.
Messages are sent as part of the GPRS Detach Procedure to deactivate an activated PDP Context.
allow
echo {allow | deny}
Allow Echo path management messages.
These messages are sent to a GSN peer to see if it is alive.
allow
error-indication {allow | deny}
Allow error indication message.
These messages are sent to the GGSN when a tunnel PDU is received and no PDP context exists, the PDP context is inactive, or no MM context exists.
The GGSN deletes its PDP context when the message is received.
allow
failure-report {allow | deny}
Allow failure report messages.
The GGSN sends the failure report request, and the GSN sends the response. Causes for the failure can include:
request accepted
no resources available
service not supported
system failure
mandatory IE incorrect
mandatory IE missing
optional IE incorrect
invalid message format
version not supported
allow
fwd-relocation {allow | deny}
Allow forward relocation mobility management messages.
These messages indicate mobile activation/deactivation within a Routing Area. This prevents paging of a mobile device that is not active (visited VLR rejects calls from the HLR or applies Call Forwarding). Note that the mobile station does not maintain an attach/detach state.
allow
fwd-srns-context {allow | deny}
Allow forward SRNS context mobility management messages.
This procedure may be used to trigger the transfer of SRNS contexts from RNC to CN (PS domain) in case of inter system forward handover.
SRNS contexts contain, for each concerned RAB, the sequence numbers of the GTP-PDUs next to be transmitted in the uplink and downlink directions.
allow
gtp-pdu {allow | deny}
Allow GPRS Packet data unit delivery management messages.
allow
identification {allow | deny}
Allow identification mobility management messages.
If the mobile station (MS) identifies itself at GPRS attach, and the SGSN has changed since the detach, the new SGSN will send an identification message to the old SGSN to get the IMSI.
allow
mbms-notification {allow | deny}
Allow MBMS notification MBMS messages.
These are used for the notification of the radio access devices.
allow
node-alive {allow | deny}
Allow node alive GTP-U messages.
This message is used to inform the rest of the network when a node starts service.
allow
note-ms-present {allow | deny}
Allow Note MS messages.
This message is sent when an MS should be reachable for GPRS.
allow
pdu-notification {allow | deny}
Allow PDU notification messages including response, request, and reject response.
These messages are sent between the GGSN and SGSN as part of the new PDP context initiation procedure.
allow
ran-info {allow | deny}
Allow Radio Access Network (RAN) information messages.
allow
redirection {allow | deny}
Allow redirection GTP-U messages.
Used to divert the flow of CDRs from the CDFs to another CGF when the sender is being removed, or they are used when the CGF has lost its connection to a downstream system.
allow
relocation-cancel {allow | deny}
Allow relocation cancel mobility messages.
Sent to cancel the relocation of a connection.
allow
send-route {allow | deny}
Allow Send Routing information for GPRS messages.
This message is sent to get the IP address of the SGSN where the MS is located when there is no PDP context.
allow
sgsn-context {allow | deny}
Allow Serving GPRS Support Node (SGSN) context request, response, and acknowledge messages.
The new SGSN will send this message to the old SGSN to get the Mobility Management (MM) and PDP contexts for the MS.
allow
support-extension {allow | deny}
Allow messages announcing support for various header extensions.
allow
unknown-message-action {allow | deny}
Allow unknown message action messages.
Set this message type to deny to block malformed messages, which may be attempts to hack into the network.
allow
update-mbms {allow | deny}
Allow MBMS update messages.
allow
update-pdp {allow | deny}
Allow Update PDP context tunnel management messages.
These messages are sent as part of the GPRS Inter-SGSN Routing Update procedure and are used to change the QoS and the path.
allow
version-not-support {allow | deny}
Allow version not supported path management messages.
This message indicates the more recent version of GTP that is supported.
allow
message-rate-limit
The following commands are rate limits in packets per second for various message context requests and responses. A rate of zero indicates there is no rate limiting in place. Each option below takes a rate value, and the default for every option is 0.
create-aa-pdp-request
create-aa-pdp-response
create-mbms-request
create-mbms-response
create-pdp-request
create-pdp-response
delete-aa-pdp-request
delete-aa-pdp-response
delete-mbms-request
delete-mbms-response
delete-pdp-request
delete-pdp-response
echo-reponse
echo-request
error-indication
failure-report-request
failure-report-response
fwd-reloc-complete-ack
fwd-relocation-complete
fwd-relocation-request
fwd-relocation-response
fwd-srns-context
fwd-srns-context-ack
g-pdu
identification-request
identification-response
mbms-de-reg-request
mbms-de-reg-response
mbms-notify-rej-request
mbms-notify-rej-response
mbms-notify-request
mbms-notify-response
mbms-reg-request
mbms-reg-response
mbms-ses-start-request
mbms-ses-start-response
mbms-ses-stop-request
mbms-ses-stop-response
note-ms-request (note MS GPRS present request)
note-ms-response (note MS GPRS present response)
pdu-notify-rej-request
pdu-notify-rej-response (rate limit in packets/s for PDU notification reject response)
pdu-notify-request
pdu-notify-response
ran-info (RAN information relay)
relocation-cancel-request
relocation-cancel-response
send-route-request
send-route-response
sgsn-context-ack
sgsn-context-request
sgsn-context-response
support-ext-hdr-notify
update-mbms-request
update-mbms-response
update-pdp-request
update-pdp-response
version-not-support
noip-policy
The following commands are the options for config noip-policy.
<index_int>
Enter the unique ID number of the encapsulated non-IP traffic filtering policy.
No default.
action {allow | deny}
Select to allow or deny traffic matching the message protocol specified for this encapsulated non-IP traffic filtering policy.
allow
start <protocol_int>
Enter the number of the start protocol. Acceptable values range from 0 to 255.
0
end <protocol_int>
Enter the number of the end protocol. Acceptable values range from 0 to 255.
0
type {etsi | ietf}
Select an ETSI or IETF protocol type.
etsi
policy
The following commands are the options for config policy.
<index_int>
Enter the unique ID number of the advanced filtering policy.
No default.
action {allow | deny}
Select to allow or deny traffic matching the message attributes specified for this advanced filtering policy.
allow
apn <apn_str>
Enter the APN suffix, if required.
No default.
imei <imei_str>
Enter the IMEI (SV) pattern, if required.
No default.
imsi <imsi_str>
Enter the IMSI prefix, if required.
No default.
max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
Select the maximum APN restriction.
all
messages {create-req create-res update-req update-res}
Enter the type or types of GTP messages.
create-req
rai <rai_str>
Enter the Routing Area Identifier (RAI) pattern.
The RAI and ULI are commonly used to determine a mobile user’s location.
No default.
rat-type {any geran utran wlan}
Enter one or more Radio Access Technology (RAT) types.
any - accept any RAT type
geran - GSM EDGE Radio Access Network
utran - UMTS Terrestrial Radio Access Network
wlan - Wireless LAN
any
uli <uli_str>
Enter the ULI pattern.
No default.
The following commands are the options for edit <name_str>.
addr-notify <Gi_ipv4>
Enter the IP address of the Gi firewall.
0.0.0.0
apn-filter {enable | disable}
Select to apply APN filter policies.
disable
authorized-sgsns <addr/grp_str>
Enter authorized SGSN addresses or groups. Any SGSN not included will not be able to send packets to the GGSN. All firewall addresses and groups defined on the FortiGate unit are available for use with this command.
all
context-id <id_int>
Enter the security context ID. This ID must match the ID entered on the server Gi firewall.
696
control-plane-message-rate-limit <limit_int>
Enter the control plane message rate limit. Acceptable rate values range from 0 (no limiting) to 2147483674 packets per second.
FortiGate units can limit the packet rate to protect the GSNs from possible Denial of Service (DoS) attacks, such as Border gateway bandwidth saturation or a GTP flood.
0
create-aa-pdp {allow | deny}
Select to allow or deny all create AA pdp messages.
allow
create-pdp {allow | deny}
Select to allow or deny all create pdp messages.
allow
data-record {allow | deny}
Select to allow or deny all data record messages.
allow
default-apn-action {allow | deny}
Select to allow or deny any APN that is not explicitly defined in an APN policy.
allow
default-imsi-action {allow | deny}
Select to allow or deny any IMSI that is not explicitly defined in an IMSI policy.
allow
default-ip-action {allow | deny}
Select to allow or deny any encapsulated IP address traffic that is not explicitly defined in an IP policy.
allow
default-noip-action {allow | deny}
Select to allow or deny any encapsulated non-IP protocol that is not explicitly defined in a non-IP policy.
allow
default-policy-action {allow | deny}
Select to allow or deny any traffic that is not explicitly defined in an advanced filtering policy.
allow
delete-aa-pdp {allow | deny}
Select to allow or deny all delete AA pdp messages.
allow
delete-pdp {allow | deny}
Select to allow or deny all delete pdp messages.
allow
denied-log {enable | disable}
Select to log denied GTP packets.
disable
echo {allow | deny}
Select to allow or deny all echo messages.
allow
error-indication {allow | deny}
Select to allow or deny all error indication messages.
allow
extension-log {enable | disable}
Select to log extended information about GTP packets. When enabled, this additional information will be included in log entries:
IMSI
MSISDN
APN
Selection Mode
SGSN address for signaling
SGSN address for user data
GGSN address for signaling
GGSN address for user data
disable
failure-report {allow | deny}
Select to allow or deny all failure report messages.
allow
forwarded-log {enable | disable}
Select to log forwarded GTP packets.
disable
fwd-relocation {allow | deny}
Select to allow or deny all forward relocation messages.
allow
fwd-srns-context {allow | deny}
Select to allow or deny all forward SRNS messages.
allow
gtpu-denied-log {enable | disable}
Enable or disable logging of denied GTP-U packets.
enable
gtpu-forwarded-log {enable | disable}
Enable or disable logging of forwarded GTP-U packets.
enable
gtp-in-gtp {allow | deny}
Select to allow or deny GTP packets that contain another GTP packet in their message body.
allow
gtpu-log-freq <packets_int>
Set the logging rate in packets per log entry.
5
gtp-pdu {allow | deny}
Select to allow or deny all G-PDU messages.
allow
handover-group <group_name>
Handover requests will be honored only from the addresses listed in the specified address group. This way, an untrusted GSN cannot hijack a GTP tunnel with a handover request.
No default.
identification {allow | deny}
Select to allow or deny all identification messages.
allow
ie-remover {enable | disable}
Select whether to use information element removal policies.
disable
imsi-filter {enable | disable}
Select whether to use IMSI filter policies.
disable
interface-notify <interface_str>
Enter any local interface of the FortiGate unit. The interface IP address will be used to send the “clear session” message.
 
invalid-reserved-field {allow | deny}
Select to allow or deny GTP packets with invalid reserved fields. Depending on the GTP version, a varying number of header fields are reserved and should contain specific values. If the reserved fields contain incorrect values, the packet will be blocked if this field is set to deny.
deny
ip-filter {enable | disable}
Select whether to use encapsulated IP traffic filtering policies.
disable
log-freq <drop_int>
Enter the number of messages to drop between logged messages.
An overflow of log messages can sometimes occur when rate-limited GTP packets exceed their defined threshold and every one is logged. To conserve resources on the syslog server and the FortiGate unit, you can specify that some log messages are dropped. For example, if you want only every twentieth message to be logged, set a logging frequency of 19. This way, 19 messages are skipped and the next one is logged.
Acceptable frequency values range from 0 to 2147483674. When set to ‘0’, no messages are skipped.
0
max-message-length <bytes_int>
Enter the maximum GTP message size, in bytes, that the FortiGate unit will allow to pass.
Acceptable values range from 0 to 2147483674 bytes. When set to ‘0’, the maximum size restriction is disabled.
1452
min-message-length <bytes_int>
Enter the minimum GTP message size, in bytes, that the FortiGate unit will allow to pass.
Acceptable values range from 0 to 2147483674 bytes. When set to ‘0’, the minimum size restriction is disabled.
0
miss-must-ie {allow | deny}
Select to allow or deny passage of GTP packets with missing mandatory information elements to the GGSN.
deny
node-alive {allow | deny}
Select to allow or deny all node alive messages.
allow
noip-filter {enable | disable}
Enable or disable the configured encapsulated non-IP traffic filtering policies.
disable
note-ms-present {allow | deny}
Select to allow or deny all note MS GPRS present messages.
allow
out-of-state-ie {allow | deny}
Select to allow or deny passage of GTP Packets with out of sequence information elements.
deny
out-of-state-message {allow | deny}
Select to allow or deny out of state messages.
The GTP protocol requires a certain state to be kept by both the GGSN and SGSN. Since GTP is stateful, some message types can only be sent in specific states. Packets that do not make sense in the current state should be filtered or rejected.
deny
pdu-notification {allow | deny}
Select to allow or deny all pdu notification messages.
allow
policy-filter {enable | disable}
Enable or disable the configured advanced filtering policies.
disable
port-notify <port_int>
Enter the server firewall’s listening port number.
21123
ran-info {allow | deny}
Select to allow or deny all RAN info relay messages.
allow
rate-limited-log {enable | disable}
Select to log rate-limited GTP packets.
disable
redirection {allow | deny}
Select to allow or deny all redirection messages.
allow
relocation-cancel {allow | deny}
Select to allow or deny all relocation cancel messages.
allow
reserved-ie {allow | deny}
Select to allow or deny GTP messages with reserved or undefined information elements.
deny
send-route {allow | deny}
Select to allow or deny all send route messages.
allow
seq-number-validate {enable | disable}
Enable or disable sequence number validation.
The GTP packet header contains a sequence number. The receiving GGSN and the sending GGSN use this number to ensure the packets are in sequence. The FortiGate unit can assume this task and save GGSN resources.
disable
sgsn-context {allow | deny}
Select to allow or deny all SGSN context messages.
allow
spoof-src-addr {allow | deny}
Select to allow or deny packets containing spoofed MS addresses.
As the MS address is negotiated within the PDP Context creation handshake, any packets originating from the MS that contain a different source address will be detected and dropped if this field is set to deny.
deny
state-invalid-log {enable | disable}
Select to log GTP packets that have failed stateful inspection.
disable
support-extension {allow | deny}
Select to allow or deny all support extension messages.
allow
traffic-count-log {enable | disable}
Enable or disable logging the total number of control and user data messages received from and forwarded to the GGSNs and SGSNs the FortiGate unit protects.
disable
tunnel-limit <limit_int>
Enter the maximum number of GTP tunnels according to the GSN capacity.
0
tunnel-limit-log {enable | disable}
Select to log packets dropped because the maximum limit of GTP tunnels for the destination GSN is reached.
disable
tunnel-timeout <time_int>
Enter a tunnel timeout value, in seconds. By setting a timeout value, you can configure the FortiGate unit to remove hanging tunnels.
Acceptable values range from 0 to 2147483674 seconds. When set to ‘0’, the timeout is disabled.
86400
unknown-message-action {allow | deny}
Select to allow or deny all unknown message types.
allow
unknown-version-action {allow | deny}
Select to allow or deny traffic with GTP version higher than 1.
allow
update-pdp {allow | deny}
Select to allow or deny all update pdp messages.
allow
version-not-support {allow | deny}
Select to allow or deny all version not supported messages.
allow
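A complete deny-by-default profile built from the options above, added here as a worked illustration rather than taken from Fortinet documentation. The profile name, APN, MCC/MNC, address-group names and numeric limits are assumed placeholders; the address groups are assumed to already exist, `next` separates entries as on a live unit, and lines beginning with # are explanatory notes.

```fortios
# Added example (not from the FortiOS documentation): a deny-by-default GTP profile
# for a FortiGate sitting in front of a GGSN. Names, APN, PLMN code and limits are
# placeholders; lines starting with # are explanatory notes.
config firewall gtp
    edit "ggsn-protect"
        # Only listed SGSNs may talk to the GGSN, and only trusted peers may hand over
        # a tunnel (address groups assumed to exist under config firewall addrgrp).
        set authorized-sgsns "roaming-partner-sgsns"
        set handover-group "trusted-handover-sgsns"

        # APN and IMSI filtering: anything not matched by a policy is denied, and only
        # HLR-verified (vrf) subscriptions are accepted for the placeholder APN.
        set apn-filter enable
        set default-apn-action deny
        config apn
            edit 1
                set value "internet.mnc001.mcc001.gprs"
                set selection-mode vrf
                set action allow
            next
        end
        set imsi-filter enable
        set default-imsi-action deny
        config imsi
            edit 1
                set mcc-mnc "00101"
                set apn "internet.mnc001.mcc001.gprs"
                set selection-mode vrf
                set action allow
            next
        end

        # Header and state sanity checks: the options that default to deny, plus the
        # ones that ship as allow but a GGSN has no reason to accept.
        set invalid-reserved-field deny
        set miss-must-ie deny
        set reserved-ie deny
        set out-of-state-ie deny
        set out-of-state-message deny
        set spoof-src-addr deny
        set gtp-in-gtp deny
        set unknown-message-action deny
        set unknown-version-action deny
        set seq-number-validate enable

        # Anonymous-access PDP contexts are not used on this network; drop them.
        set create-aa-pdp deny
        set delete-aa-pdp deny

        # Flood protection: control-plane rate limit, per-message limits (packets/s),
        # and a tunnel cap sized to the GSN's capacity.
        set control-plane-message-rate-limit 2000
        config message-rate-limit
            edit 1
                set echo-request 50
                set create-pdp-request 500
            next
        end
        set tunnel-limit 50000
        set tunnel-timeout 3600

        # Logging: record drops and stateful failures with subscriber details,
        # but log only every 10th rate-limited drop (log-freq 9 skips nine).
        set denied-log enable
        set state-invalid-log enable
        set rate-limited-log enable
        set tunnel-limit-log enable
        set extension-log enable
        set log-freq 9
        set traffic-count-log enable
    next
end
```

The profile takes effect only once it is referenced from a firewall policy covering the Gn/Gp traffic; the per-message limits are left at 0 (unlimited) for any type not listed.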