Advanced filtering options
The FortiOS Carrier firewall supports advanced filtering against the attributes RAT, RAI, ULI, APN restriction, and IMEI-SV in GTP to block specific harmful GPRS traffic and GPRS roaming traffic. The following table shows some of the GTP context requests and responses that the firewall supports.
 
Table 37: Attributes supported by FortiCarrier firewalls
 
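| Attribute | GTP Create PDP Context Request | GTP Create PDP Context Response | GTP Update PDP Context Request | GTP Update PDP Context Response |
|---|---|---|---|---|
| APN | yes | yes | - | |
| APN Restriction | yes | - | - | yes |
| IMEI-SV | yes | - | - | - |
| IMSI | yes | - | yes | - |
| RAI | yes | - | yes | - |
| RAT | yes | - | yes | - |
| ULI | yes | - | yes | - |
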
When editing a GTP profile, select Advanced Filtering > Add to create and add a rule. When a rule matches traffic, it allows or denies that traffic according to the action selected in the rule.
 
Advanced Filtering section on New GTP Profile page
Enable
Select to enable advanced filtering.
Default Action
Select the default action for advanced filtering. If you select Allow, all sessions are allowed except those blocked by individual advanced filters. If you select Deny, all sessions are blocked except those allowed by individual advanced filters.
Messages
The messages, for example, Create PDP Context Request.
APN Restriction
The APN restriction.
RAT Type
The RAT types associated with that filter.
ULI
The ULI pattern.
RAI
The RAI pattern.
IMEI
The IMEI pattern.
Action
The action that will be taken.
Edit
Modifies the filter’s settings. When you select Edit, the Edit window appears, which allows you to modify the filter’s settings.
Delete
Removes a filter from the list.
Add
Adds a filter to the list. When you select Add, the New window appears, which allows you to configure settings for messages, APN, IMSI, MSISDN, RAT type, ULI, RAI, IMEI patterns as well as the type of action.
New Filtering page
Messages
The PDP context messages this profile will match.
 
Create PDP Context Request
Select to allow create PDP context requests.
 
Create PDP Context Response
Select to allow create PDP context responses.
 
Update PDP Context Request
Select to allow update PDP context requests.
 
Update PDP Context Response
Select to allow update PDP context responses.
APN
Enter the APN.
APN Mode
Select an APN mode as one or more of:
Mobile Station provided
Network provided
Subscription verified
This field is only available when an APN has been entered.
 
Mobile Station provided
MS-provided APN, subscription not verified, indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network.
 
Network provided
Network-provided APN, subscription not verified, indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user’s subscription to the network.
 
Subscription verified
MS or Network-provided APN, subscription verified, indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.
APN Restriction
Select the type of restriction that you want. You can choose all of the types, or one of the types. You cannot choose multiple types. Types include:
all
Public-1
Public-2
Private-1
Private-2
IMSI
Enter the IMSI.
MSISDN
Enter the MSISDN.
RAT Type
Optionally select the RAT type as any combination of the following:
Any
UTRAN
GERAN
Wifi
GAN
HSPA
Some RAT types are GTPv1 specific.
ULI pattern
Enter the ULI pattern.
RAI pattern
Enter the RAI pattern.
IMEI pattern
Enter the IMEI pattern.
Action
Select either Allow or Deny.
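
The following added example (not FortiOS Carrier code or output) reviews a set of advanced filters against Table 37 and reports any filter criterion set on an attribute that the table does not mark "yes" for one of the filter's selected messages. The filter names, the dictionary layout and the pattern placeholders are assumptions made for illustration; the blank APN cell in the table is treated as not supported.

```python
# Attribute support per GTP message, transcribed from Table 37.
# Only cells marked "yes" count as supported (assumption for the blank APN cell).
CREATE_REQ = "Create PDP Context Request"
CREATE_RESP = "Create PDP Context Response"
UPDATE_REQ = "Update PDP Context Request"
UPDATE_RESP = "Update PDP Context Response"

SUPPORTED = {
    "APN": {CREATE_REQ, CREATE_RESP},
    "APN Restriction": {CREATE_REQ, UPDATE_RESP},
    "IMEI-SV": {CREATE_REQ},
    "IMSI": {CREATE_REQ, UPDATE_REQ},
    "RAI": {CREATE_REQ, UPDATE_REQ},
    "RAT": {CREATE_REQ, UPDATE_REQ},
    "ULI": {CREATE_REQ, UPDATE_REQ},
}

def lint_filter(rule):
    """Return sorted (attribute, message) pairs where the rule sets a criterion
    on an attribute that Table 37 does not list for a selected message."""
    findings = []
    for attr in rule["criteria"]:
        for msg in rule["messages"]:
            if msg not in SUPPORTED[attr]:
                findings.append((attr, msg))
    return sorted(findings)

def lint_profile(filters):
    """Map filter name -> findings, only for filters that have findings."""
    report = {}
    for rule in filters:
        findings = lint_filter(rule)
        if findings:
            report[rule["name"]] = findings
    return report

# Constructed sample filters (hypothetical names and placeholder patterns).
SAMPLE_FILTERS = [
    {"name": "roaming-rat", "messages": [CREATE_REQ, UPDATE_REQ],
     "criteria": {"RAT": "GERAN", "RAI": "<RAI pattern>"}, "action": "Deny"},
    {"name": "imei-block", "messages": [CREATE_REQ, UPDATE_REQ],
     "criteria": {"IMEI-SV": "<IMEI pattern>"}, "action": "Deny"},
    {"name": "apn-restrict", "messages": [CREATE_RESP, UPDATE_RESP],
     "criteria": {"APN Restriction": "Private-1"}, "action": "Allow"},
]

if __name__ == "__main__":
    for name, findings in lint_profile(SAMPLE_FILTERS).items():
        for attr, msg in findings:
            print(f"{name}: {attr} is not listed for {msg}")
```

A finding is a prompt to split the filter per message or drop the criterion, and matters most when Default Action is Deny, where sessions pass only through filters that actually match.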