Identity filtering comparison
Filtering type | Filter on the following data: | When to use this type of filtering |
APN | APN | Filter based on GTP tunnel start or destination |
IMSI | IMSI, MCC-MNC | Filter based on subscriber information |
Advanced | PDP context, APN, IMSI,
MSISDN, RAT type, ULI, RAI, IMEI |
When you want to filter based on:
• user phone number (MSISDN) • what wireless technology the user employed • to get on the network (RAT type) • user location (ULI and RAI) • handset ID, such as for stolen phones (IMEI) |
APN filtering in FortiOS Carrier
APN filtering is very specific — the only identifying information that is used to filter is the APN itself. This will always be present in GTP tunnel traffic, so all GTP traffic can be filtered using this value.
IMSI filtering can use a combination of the APN and MCC-MNC numbers. The MCC and MNC are part of the APN, however filtering on MCC-MNC separately allows you to filter based on country and carrier instead of just the destination of the GTP Tunnel.
Advanced filtering can go into much deeper detail covering PDP contexts, MSISDN, IMEI, and more not to mention APN, and IMSI as well. If you can’t find the information in APN or IMSI that you need to filter on, then use Advanced filtering.
Configuring APN filtering in FortiOS Carrier
To configure APN filtering go to Security Profiles > GTP Profile. Select a profile or create a new one, and expand APN filtering.
When you are configuring your Carrier-enabled FortiGate unit’s GTP profiles, you must first configure the APN. It is critical to GTP communications and without it no traffic will flow.
Enable APN Filter | Select to enable filtering based on APN value. |
Default APN Action | Select either Allow or Deny for all APNs that are not found in the list. The default is Allow. |
Value | Displays the APN value for this entry. Partial matches are allowed using wildcard. For example *.mcc333.mcn111.gprs would match all APNs from country 333 and carrier 111 on the gprs network. |
Mode | Select one or more of the methods used to obtain APN values.
Mobile Station provided – The APN comes from the mobile station where the mobile device connected. This is the point of entry into the carrier network for the user’s connection. Network provided – The APN comes from the carrier network. Subscription Verified – The user’s subscription has been verified for this APN. This is the most secure option. |
Action | One of allow or deny to allow or block traffic associated with this APN. |
Delete icon | Select to remove this APN entry from the list. |
Edit icon | Select to change the information for this APN entry. |
Configuring IMSI filtering in FortiOS Carrier
Select to add an APN to the list. Not active while creating GTP profile, only when editing an existing GTP profile.
Add APN Save all changes before adding APNs. A warning to this effect will be displayed when you select the Add APN button. |
The Add APN button is not activated until you save the new GTP profile. When you edit that GTP profile, you will be able to add new APNs.
Configuring IMSI filtering in FortiOS Carrier
In many ways the IMSI on a GPRS network is similar to an IP address on a TCP/IP network. Different parts of the number provide different pieces of information. This concept is used in IMSI filtering on FortiOS Carrier.
To configure IMSI filtering go to Security Profiles > GTP Profile and expand IMSI filtering.
While both the APN and MCC-MCN fields are optional, without using one of these fields the IMSI entry will not be useful as there is no information for the filter to match.
Enable IMSI Filter | Select to turn on IMSI filtering. |
Default IMSI Action | Select Allow or Deny. This action will be applied to all IMSI numbers except as indicated in the IMSI list that is displayed.
The default value is Allow. |
APN | The Access Point Number (APN) to filter on.
This field is optional. |
MCC-MNC | The Mobile Country Code (MCC) and Mobile Network Code (MNC) to filter on. Together these numbers uniquely identify the carrier and network of the GGSN being used.
This field is optional. |
Enable | Select to turn on advanced filtering. |
Default Action | Select Allow or Deny as the default action to take when traffic does not match an entry in the advanced filter list . |
advanced filtering in FortiOS Carrier
Mode | Select the source of the IMSI information as one or more of the following:
Mobile Station provided – the IMSI number comes from the mobile station the mobile device is connecting to. Network provided – the IMSI number comes from the GPRS network which could be a number of sources such as the SGSN, or HLR. Subscription Verified – the IMSI number comes from the user’s home network which has verified the information. While Subscription Verified is the most secure option, it may not always be available. Selecting all three options will ensure the most complete coverage. |
Action | Select the action to take when this IMSI information is encountered. Select one of Allow or Deny. |
Delete Icon | Select the delete icon to remove this IMSI entry. |
Edit Icon | Select the edit icon to change information for this IMSI entry. |
Add IMSI | Select to add an IMSI to the list. Not active while creating GTP profile, only when editing an existing GTP profile.
Save all changes before adding IMSIs. A warning to this effect will be displayed when you select the Add IMSI button. |
Configuring advanced filtering in FortiOS Carrier
Compared to ADN or IMSI filtering, advanced filtering is well named. Advanced filtering can be viewed as a catchall filtering option — if ADN or IMSI filtering doesn’t do what you want, then advanced filtering will. The advanced filtering can use more information elements to provide considerably more granularity for your filtering.
Configuring advanced filtering in FortiOS Carrier
Messages | Optionally select one or more types of messages this filter applies to:
Create PDP Context Request, Create PDP Context Response, Update PDP Context Request, or Update PDP Context Response. Selecting Create PDP Context Response or Update PDP Context Response limits RAT type to only GAN and HSPA, and disables the APN, APN Mode, IMSI, MSISDN, ULI, RAI, and IMEI fields. To select Update PDP Context Request, APN Restriction must be set to all. Selecting Update PDP Context Request disables the APN, MSISDN, and IMEI fields. if all message types are selected, only the RAT Types of GAN and HSPA are available to select. |
APN Restriction | APN Restriction either allows all APNs or restricts the APNs to one of four categories — Public-1, Public-2, Private-1, or Private-2. This can also be combined with a specific APN or partial APN as well as specifying the APN mode. |
RAT Type | Select one or more of the Radio Access Technology Types listed. These fields control how a user accesses the carrier’s network. You can select one or more of UTRAN, GERAN, WLAN, GAN, HSPA, or any. |
ULI | The user location identifier. Often the ULI is used with the RAI to locate a user geographically on the carrier’s network.
The ULI is disabled when Create PDP Context Response or Update PDP Context Response messages are selected. |
RAI | The router area identifier. There is only one SGSN per routing area on a carrier network. This is often used with ULI to locate a user geographically on a carrier network.
The RAI is disabled when Create PDP Context Response or Update PDP Context Response messages are selected. |
IMEI | The International Mobile Equipment Identity. The IMEI uniquely identifies mobile hardware, and can be used to block stolen equipment.
The IMEI is only available when Create PDP Context Request or no messages are selected. |
Action | Select Allow or Deny as the action when this filter matches traffic.
The default is Allow. |
Delete Icon | Select to delete this entry from the list. |
advanced filtering in FortiOS Carrier
Edit Icon | Select to edit this entry. | |
Add | Select to add an advanced filter to the list. Not active while creating GTP profile, only when editing an existing GTP profile.
Save all changes before adding advanced filters. A warning to this effect will be displayed when you select the Add button. |