Configuring advanced filtering in FortiOS Carrier
Compared to APN or IMSI filtering, advanced filtering is well named. It can be viewed as a catch-all filtering option: if APN or IMSI filtering doesn’t do what you want, then advanced filtering will. Advanced filtering can match on more information elements, which gives your filtering considerably more granularity.
 
Enable
Select to turn on advanced filtering.
Default Action
Select Allow or Deny as the default action to take when traffic does not match an entry in the advanced filter list.
Messages
Optionally select one or more types of messages this filter applies to:
Create PDP Context Request, Create PDP Context Response, Update PDP Context Request, or Update PDP Context Response.
Selecting Create PDP Context Response or Update PDP Context Response limits RAT type to only GAN and HSPA, and disables the APN, APN Mode, IMSI, MSISDN, ULI, RAI, and IMEI fields.
To select Update PDP Context Request, APN Restriction must be set to all. Selecting Update PDP Context Request disables the APN, MSISDN, and IMEI fields.
If all message types are selected, only the RAT Types of GAN and HSPA are available to select.
APN Restriction
APN Restriction either allows all APNs or restricts the APNs to one of four categories — Public-1, Public-2, Private-1, or Private-2. This can also be combined with a specific APN or partial APN as well as specifying the APN mode. See “Access Point Number (APN)”.
RAT Type
Select one or more of the Radio Access Technology Types listed. These fields control how a user accesses the carrier’s network. You can select one or more of UTRAN, GERAN, WLAN, GAN, HSPA, or any. See “Radio Access Technology (RAT) type”.
ULI
The user location identifier. Often the ULI is used with the RAI to locate a user geographically on the carrier’s network.
The ULI is disabled when Create PDP Context Response or Update PDP Context Response messages are selected.
RAI
The router area identifier. There is only one SGSN per routing area on a carrier network. This is often used with ULI to locate a user geographically on a carrier network.
The RAI is disabled when Create PDP Context Response or Update PDP Context Response messages are selected.
IMEI
The International Mobile Equipment Identity. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.
The IMEI is only available when Create PDP Context Request or no messages are selected.
Action
Select Allow or Deny as the action when this filter matches traffic.
The default is Allow.
Delete Icon
Select to delete this entry from the list.
Edit Icon
Select to edit this entry.
Add
Select to add an advanced filter to the list. This button is not active while you are creating a GTP profile; it is active only when you are editing an existing GTP profile.
Save all changes before adding advanced filters. A warning to this effect will be displayed when you select the Add button.
Also see “Advanced filtering options”.
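
The field-availability rules in the table above can be checked against planned filter entries before they are entered in the web-based manager. The following is an added example, not Fortinet code: the dictionary keys, message identifiers, and sample values are hypothetical and are not FortiOS CLI keywords.

```python
# Added example: the table's field-availability rules as a pre-check.
# Keys and message names are hypothetical, not FortiOS CLI keywords.
CREATE_REQ, CREATE_RES = "create-req", "create-res"
UPDATE_REQ, UPDATE_RES = "update-req", "update-res"
RESPONSES = {CREATE_RES, UPDATE_RES}

# Fields the page says are disabled once a Response message is selected.
RESPONSE_DISABLED = {"apn", "apn_mode", "imsi", "msisdn", "uli", "rai", "imei"}
# Fields the page says are disabled by Update PDP Context Request.
UPDATE_REQ_DISABLED = {"apn", "msisdn", "imei"}
# RAT types that remain selectable once a Response message is selected.
RESPONSE_RAT_TYPES = {"GAN", "HSPA"}


def validate_entry(entry):
    """Return the rule violations for one planned advanced filter entry."""
    messages = set(entry.get("messages", ()))
    problems, disabled = [], set()
    if messages & RESPONSES:
        disabled |= RESPONSE_DISABLED
        for rat in sorted(set(entry.get("rat_types", ())) - RESPONSE_RAT_TYPES):
            problems.append(f"RAT type {rat} is unavailable with a Response message")
    if UPDATE_REQ in messages:
        disabled |= UPDATE_REQ_DISABLED
        # Assumption: an entry that omits apn_restriction means "all".
        if entry.get("apn_restriction", "all") != "all":
            problems.append("Update PDP Context Request requires APN Restriction 'all'")
    for field in sorted(disabled):
        if entry.get(field):
            problems.append(f"{field} is disabled for the selected messages")
    return problems


# Constructed sample entries (all values are made up for illustration).
STOLEN_HANDSET = {"messages": [CREATE_REQ], "imei": "000000000000000",
                  "rat_types": ["UTRAN", "GERAN"], "action": "deny"}
MIXED = {"messages": [CREATE_REQ, UPDATE_RES], "imei": "000000000000000",
         "rat_types": ["UTRAN", "HSPA"], "action": "deny"}
RESTRICTED_UPDATE = {"messages": [UPDATE_REQ], "apn_restriction": "Private-1",
                     "msisdn": "15550100", "action": "allow"}

if __name__ == "__main__":
    for name, entry in [("stolen-handset", STOLEN_HANDSET), ("mixed", MIXED),
                        ("restricted-update", RESTRICTED_UPDATE)]:
        print(name, validate_entry(entry) or "ok")
```

An IMEI deny entry intended to block stolen equipment passes only when its message selection is Create PDP Context Request or empty; adding any Response message silently removes the IMEI match from what the entry can express.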