Carrier web-based manager settings

Encapsulated IP traffic filtering options

You can use encapsulated IP traffic filtering to filter GTP sessions based on information contained in the data stream and to control data flows within your infrastructure. You configure IP filtering rules that match the encapsulated IP traffic from mobile stations by its source and destination addresses, and each rule allows or denies the matching traffic. For more information, see When to use encapsulated IP traffic filtering.

Expand Encapsulated IP Traffic Filtering in the GTP profile to reveal the options.

Encapsulated IP Traffic Filtering

Enable IP Filter                  Select to enable the encapsulated IP traffic filtering options.

Default IP Action                 Select the default action for encapsulated IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated IP traffic filters.

Source                            Select a source IP address from the configured firewall IP address or address group lists. Encapsulated traffic originating from this address matches the filter only if the destination also matches.

Destination                       Select a destination IP address from the configured firewall IP address or address group lists. Encapsulated traffic sent to this address matches the filter only if the source also matches.

Action                            The action taken on matching traffic. Select Allow or Deny for encapsulated traffic between this source and destination.

Edit                              Modifies the source, destination or action settings of the selected filter.

Add IP Policy                     Adds a new encapsulated IP traffic filter. When you select Add IP Policy, the New window appears, which allows you to configure the IP policy settings.

New (window)

Source                            Select the source firewall address or address group.

Destination                       Select the destination firewall address or address group.

Action                            Select Allow or Deny.
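The following is an added example, not FortiOS code, showing what the encapsulated IP filter above has to do: pull the T-PDU out of a GTPv1-U G-PDU (skipping the optional sequence/N-PDU/extension-header block when the E, S or PN flag is set), read the inner IPv4 source and destination, and evaluate them against address-group policies with a default action. The policy list, its first-match ordering, the address ranges and the packets are all constructed for the example; FortiOS Carrier's own evaluation order is not described on this page.

```python
"""Added example (not FortiOS code): decapsulate a GTPv1-U G-PDU and apply
encapsulated IP traffic filters with a Default IP Action."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

GTP_VERSION_1 = 1
GTP_MSG_GPDU = 0xFF  # G-PDU: the user-plane message that carries a T-PDU


def gtpu_payload(pkt: bytes) -> bytes:
    """Return the encapsulated user packet (T-PDU) from a GTPv1-U G-PDU."""
    if len(pkt) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, _teid = struct.unpack("!BBHI", pkt[:8])
    version, pt = flags >> 5, (flags >> 4) & 1
    if version != GTP_VERSION_1 or pt != 1:
        raise ValueError(f"not GTPv1: version={version} PT={pt}")
    if msg_type != GTP_MSG_GPDU:
        raise ValueError(f"not a G-PDU: message type 0x{msg_type:02x}")
    end = 8 + length  # GTP length counts everything after the 8 mandatory octets
    if len(pkt) < end:
        raise ValueError("GTP length field exceeds packet")
    off = 8
    e, s, pn = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    if e or s or pn:
        # Sequence number (2), N-PDU number (1), next extension header type (1)
        if end < 12:
            raise ValueError("short GTP optional fields")
        next_ext = pkt[11]
        off = 12
        while e and next_ext != 0:
            # Extension header length is in 4-octet units and includes the
            # length octet and the trailing next-extension-type octet.
            ext_len = pkt[off] * 4
            if ext_len == 0 or off + ext_len > end:
                raise ValueError("bad extension header")
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return pkt[off:end]


def inner_ipv4_endpoints(tpdu: bytes):
    """Source and destination of the IPv4 packet carried inside the tunnel."""
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4:
        raise ValueError("T-PDU is not IPv4")
    return ipaddress.IPv4Address(tpdu[12:16]), ipaddress.IPv4Address(tpdu[16:20])


@dataclass
class IPPolicy:
    source: List[ipaddress.IPv4Network]       # firewall address / address group members
    destination: List[ipaddress.IPv4Network]
    action: str                               # "allow" or "deny"


def in_group(addr, group) -> bool:
    return any(addr in net for net in group)


def ip_filter_action(policies, default_action: str, tpdu: bytes) -> str:
    """First policy whose source AND destination both match wins (assumption);
    otherwise the Default IP Action applies."""
    src, dst = inner_ipv4_endpoints(tpdu)
    for p in policies:
        if in_group(src, p.source) and in_group(dst, p.destination):
            return p.action
    return default_action


# Constructed sample: default Deny, block one host, allow the rest of the APN's servers.
net = ipaddress.ip_network
POLICIES = [
    IPPolicy([net("10.10.0.0/16")], [net("203.0.113.99/32")], "deny"),
    IPPolicy([net("10.10.0.0/16")], [net("203.0.113.0/24")], "allow"),
]
DEFAULT_IP_ACTION = "deny"


def build_gpdu(src: str, dst: str, teid: int = 0x1234, with_seq: bool = False) -> bytes:
    """Constructed G-PDU carrying a minimal IPv4/UDP packet (checksum left zero)."""
    payload = b"\x00\x00\x00\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload
    if with_seq:
        opt = struct.pack("!HBB", 1, 0, 0)  # seq=1, N-PDU=0, no extension header
        return struct.pack("!BBHI", 0x32, GTP_MSG_GPDU, len(opt) + len(ip), teid) + opt + ip
    return struct.pack("!BBHI", 0x30, GTP_MSG_GPDU, len(ip), teid) + ip


def evaluate(pkt: bytes) -> str:
    return ip_filter_action(POLICIES, DEFAULT_IP_ACTION, gtpu_payload(pkt))


if __name__ == "__main__":
    for s, d in (("10.10.1.5", "203.0.113.10"), ("10.10.1.5", "203.0.113.99"),
                 ("10.10.1.5", "198.51.100.1"), ("10.20.0.1", "203.0.113.10")):
        print(s, "->", d, evaluate(build_gpdu(s, d)))
```

The point to take from the example is the second half of each rule: a packet from the mobile-station pool to 198.51.100.1 matches neither policy and falls through to the Default IP Action, so with Default Deny it is dropped even though its source is "known".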

Encapsulated non-IP end user traffic filtering options

Depending on the installed environment, it may be beneficial to detect GTP packets that encapsulate non-IP protocols. You can configure the FortiOS Carrier firewall to permit a list of acceptable protocols, with all other protocols denied.

The encapsulated protocol is identified by the PDP Type Organization and PDP Type Number fields of the End User Address Information Element. PDP Type Organization is a 4-bit field that indicates whether the PDP type is defined by ETSI (value 0) or by the IETF (value 1). The PDP Type Number field is one octet long. Both GTP specifications list only PPP, with a PDP Type Number of one, as a valid ETSI protocol. IETF PDP Type Numbers are taken from the "Assigned PPP DLL Protocol Numbers" section of RFC 1700. These numbers are compressed in GTP by dropping the most significant octet of the two-octet PPP value (so IPv4, 0x0021 in PPP, is carried as 0x21), which limits the protocols that can be expressed to 0x00 through 0xFF.

Encapsulated Non-IP End User Address Filtering

Enable Non-IP Filter              Select to enable encapsulated non-IP traffic filtering.

Default Non-IP Action             Select the default action for encapsulated non-IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated non-IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated non-IP traffic filters.

Type                              The PDP Type Organization the filter applies to, ETSI or IETF.

Start Protocol                    The start of the PDP Type Number (protocol number) range.

End Protocol                      The end of the PDP Type Number (protocol number) range.

Action                            The action taken on matching sessions, Allow or Deny.

Edit                              Modify a non-IP filter's settings in the list. When you select Edit, the Edit window appears, which allows you to modify the non-IP policy settings.

Delete                            Remove a non-IP policy from the list.

Add Non-IP Policy                 Add a new encapsulated non-IP traffic filter. When you select Add Non-IP Policy, you are automatically redirected to the New page.

New (window)

Type                              Select ETSI or IETF.

Start Protocol                    Select the start and end of the protocol number range from the list of
End Protocol                      protocols in RFC 1700. The allowed range is 0 to 255 (0x00 to 0xff). Some common protocols, shown as the compressed one-octet value with the full PPP protocol number in parentheses, include:

  • 33 (0x0021) Internet Protocol
  • 35 (0x0023) OSI Network Layer
  • 63 (0x003f) NETBIOS Framing
  • 65 (0x0041) Cisco Systems
  • 79 (0x004f) IP6 Header Compression
  • 83 (0x0053) Encryption

Action                            Select Allow or Deny.
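As an added example (not FortiOS code), the following decodes the End User Address IE described above from a GTPv1-C message and applies non-IP policies of the Type / Start Protocol / End Protocol / Action form with a Default Non-IP Action. The IE layout follows 3GPP TS 29.060 (TLV type 128, spare nibble plus 4-bit PDP Type Organization, one-octet PDP Type Number, optional PDP address). The policy list, the first-match ordering, and the decision to treat IETF 0x21 (IPv4) and 0x57 (IPv6) as IP sessions outside the non-IP filter are this example's own assumptions; the sample IEs are constructed.

```python
"""Added example (not FortiOS code): decode the GTPv1 End User Address IE and
evaluate encapsulated non-IP end user address filters."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IE_END_USER_ADDRESS = 0x80   # TLV type of the End User Address IE (TS 29.060)
ORG_ETSI, ORG_IETF = 0, 1    # PDP Type Organization values
ETSI_PPP = 1                 # the only ETSI PDP Type Number the GTP specs define
IETF_IPV4, IETF_IPV6 = 0x21, 0x57   # compressed PPP DLL protocol numbers


def parse_end_user_address(ie: bytes) -> Tuple[int, int, bytes]:
    """Return (organization, type_number, pdp_address) from a TLV-encoded IE."""
    if len(ie) < 5:
        raise ValueError("short IE")
    ie_type, length = struct.unpack("!BH", ie[:3])
    if ie_type != IE_END_USER_ADDRESS:
        raise ValueError(f"unexpected IE type 0x{ie_type:02x}")
    value = ie[3:3 + length]
    if len(value) != length or length < 2:
        raise ValueError("bad IE length")
    organization = value[0] & 0x0F   # low nibble; the high nibble is spare (1111)
    type_number = value[1]           # one octet, hence the 0x00..0xFF limit
    return organization, type_number, value[2:]


@dataclass
class NonIPPolicy:
    organization: int   # GUI "Type": ORG_ETSI or ORG_IETF
    start: int          # GUI "Start Protocol"
    end: int            # GUI "End Protocol" (inclusive here; assumption)
    action: str         # "allow" or "deny"


def is_ip_pdp(organization: int, type_number: int) -> bool:
    return organization == ORG_IETF and type_number in (IETF_IPV4, IETF_IPV6)


def non_ip_filter_action(policies: List[NonIPPolicy], default_action: str, ie: bytes) -> str:
    """First matching policy wins (assumption); otherwise the Default Non-IP Action.
    IPv4/IPv6 PDP types return "ip": in this example they are left to the
    encapsulated IP filter rather than the non-IP filter (example's own choice)."""
    org, num, _addr = parse_end_user_address(ie)
    if is_ip_pdp(org, num):
        return "ip"
    for p in policies:
        if p.organization == org and p.start <= num <= p.end:
            return p.action
    return default_action


def build_end_user_address(organization: int, type_number: int, addr: bytes = b"") -> bytes:
    """Constructed IE: spare nibble 1111 | organization, then type number, then address."""
    value = bytes([0xF0 | (organization & 0x0F), type_number & 0xFF]) + addr
    return struct.pack("!BH", IE_END_USER_ADDRESS, len(value)) + value


# Constructed sample policy: Default Deny, permit ETSI PPP and IETF OSI Network Layer (0x23).
POLICIES = [
    NonIPPolicy(ORG_ETSI, ETSI_PPP, ETSI_PPP, "allow"),
    NonIPPolicy(ORG_IETF, 0x23, 0x23, "allow"),
]
DEFAULT_NON_IP_ACTION = "deny"


def evaluate(ie: bytes) -> str:
    return non_ip_filter_action(POLICIES, DEFAULT_NON_IP_ACTION, ie)


if __name__ == "__main__":
    samples = {
        "ETSI/PPP": build_end_user_address(ORG_ETSI, ETSI_PPP),
        "IETF/OSI": build_end_user_address(ORG_IETF, 0x23),
        "IETF/NETBIOS": build_end_user_address(ORG_IETF, 0x3F),
        "IETF/IPv4": build_end_user_address(ORG_IETF, IETF_IPV4, b"\x0a\x0a\x01\x05"),
    }
    for name, ie in samples.items():
        print(name, "->", evaluate(ie))
```

Note the compression caveat from the text: a filter on NETBIOS Framing is entered as 63 (0x3f), not the PPP registry value 0x003f, because only the low octet is carried in the IE.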

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
