Category Archives: FortiCarrier

FortiCarrier MMS profiles

MMS profiles

Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.

MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.

The MMS Profile page contains options for each of the following:

l MMS scanning l MMS Bulk Email Filtering Detection l MMS Address Translation l MMS Notifications l DLP Archive l Logging

MMS profile configuration settings

The following are MMS profile configuration settings in Security Profiles > MMS Profile.

MMS Profile page

Lists each individual MMS profile that you created. On this page, you can edit, delete or create an MMS profile.

Creates a new MMS profile. When you select Create New, you are

Create New automatically redirected to the New MMS Profile page.

Edit                                        Modifies settings within an MMS profile. When you select Edit, you are automatically redirected to the Edit MMS Profile.
Removes an MMS profile from the list on the MMS Profile page.

To remove multiple MMS profiles from within the list, on the MMS Profile page, in each of the rows of the profiles you want removed, select the

Delete check box and then select Delete.

To remove all MMS profiles from the list, on the MMS Profile page, select the check box in the check box column, and then select Delete.

Name                                     The name of the MMS profile.
Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a security policy; on the Profile page (Security Profiles > Antivirus), 1 appears in Ref. .

To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window:

View the list page for these objects – automatically redirects you to the Ref. list page where the object is referenced at.

Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy and so, when this icon is selected, the user is redirected to the Edit Policy page.

View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a security policy, and that security policy’s settings appear within the table.

New MMS Profile page

Provides settings for configuring an MMS profile. This page also provides settings for configuring DLP archives and logging.

Profile Name                          Enter a name for the profile.
Comments                             Enter a description about the profile. This is optional.
MMS Scanning                       Configure MMS Scanning options.
MMS Bulk Email Filtering          Configure MMS Bulk Email options. Detection
MMS Address Translation       Configure MMS Address Translation options.
MMS Notifications                   Configure MMS Notification options.
DLP Archive                           Configure DLP archive option.
Logging                                 Configure logging options.

MMS scanning options

You can configure MMS scanning protection profile options to apply virus scanning, file filtering, content filtering, carrier endpoint blocking, and other scanning to MMS messages transmitted using the MM1, MM3, MM4 and MM7 protocols.

The following are the MMS Scanning options that are available within an MMS profile. You can create an MMS profile in Security Profiles > MMS Profile or edit an existing one. You must expand MMS Scanning to access the following options.

MMS Scanning section of the New MMS Profile page
Monitor Only                              Select to cause the unit to record log messages when MMS scanning

options find a virus, match a file name, or match content using any of the other MMS scanning options. Select this option to be able to report on viruses and other problems in MMS traffic without affecting users.

Tip: Select Remove Blocked if you want the unit to actually remove content intercepted by MMS scanning options.

Select to scan attachments in MMS traffic for viruses.

Since MM1 and MM7 use HTTP, the oversize limits for HTTP and the

HTTP antivirus port configuration also applies to MM1 and MM7

Virus Scan                                  scanning.

MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configuration also applies to MM3 and MM4 scanning.

Scan MM1 message retrieval Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.
Select to remove blocked content from each protocol and replace it with the replacement message.

Select Constant if the unit is to preserve the length of the message

Remove Blocked when removing blocked content, as may occur when billing is affected by the length of the message.

Tip: If you only want to monitor blocked content, select Monitor Only.

Content Filter                              Select to filter messages based on matching the content of the message with the words or patterns in the selected web content filter list.

For information about adding a web content filter list, see the FortiGate CLI Reference.

Select to add Carrier Endpoint Filtering in this MMS profile. Select

Carrier Endpoint Block the carrier endpoint filter list to apply it to the profile.

MMS Scanning section of the New MMS Profile page
MMS Content Checksum Select to add MMS Content Checksum in this MMS profile. Select the MMS content checksum list to apply it to the profile.
Select to pass fragmented MM3 and MM4 messages. Fragmented

Pass Fragmented Messages MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 message are blocked.

Comfort Clients                           Select client comforting for MM1 and MM7 sessions.

Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.

Select server comforting for each protocol.

Comfort Servers                          Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for the unit to buffer and scan large POST requests from slow clients.

Interval (1-900  Enter the time in seconds before client and server comforting starts seconds)           after the download has begun, and the time between sending

subsequent data.

Amount (1-10240

The number of bytes sent by client or server comforting at each interval. bytes)

Oversized MMS Message             Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.

The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.

Enter the oversized file threshold and select KB or MB. If a file is larger than the threshold the file is passed or blocked depending on the

Threshold (1KB – 800

Oversized MMS Message setting. The web-based manager displays

MB) the allowed threshold range. The threshold maximum is 10% of the unit’s RAM.

FortiCarrier MMS Concepts

MMS Concepts

MMS background

MMS is a common method for mobile users to send and receive multimedia content. A Carrier network supports MMS across its network. This makes up the MMS Service Provider Network (MSPN).

Messages can be sent or received between the MMSC and a number of other services including the Internet, content providers, or other carriers. Each of these different service connections uses different MMS formats including MM1 and MM7 messages (essentially HTTP format), and MM3 and MM4 messages (SMTP formatted). These different formats reflect the different purposes and content for each type of MMS message.

MMS content interfaces

MMS content interfaces

MMS messages are sent from devices and servers to other devices and servers using MMS content interfaces

There are eight interfaces defined for the MMS standard, referred to as MM1 through MM8. The most important of these interfaces for the transfer of data is the MM1 interface, as this defines how mobile users communicate from the mobile network to the Multimedia Message Service Center (MMSC). MMS content to be monitored and controlled comes from these mobile users and is going to the provider network.

Other MMS content interfaces that connect a service provider network to other external sources can pose threats as well. MM3 handles communication between the Internet and the MMSC and is a possible source of viruses and other content problems from the Internet. MM4 handles communication between different content provider MMSCs. Filtering MM4 content protects the service provider network from content sent from foreign service providers and their subscribers. Finally MM7 is used for communication between content providers and the MMSC. Filtering MM3 content can also keep harmful content off of the service provider network.

MMS content interfaces

Type Transaction Similar to
MM 1 Handset to MMSC HTTP
MM 3 Between MMSC and Internet SMTP
MM 4 Between Operator MMSCs SMTP
MM 7 Content Providers to MMSC HTTP and SOAP

How MMS content interfaces are applied

As shown below, the sender’s mobile device encodes the MMS content in a form similar to MIME email message (MMS MIME content formats are defined by the MMS Message Encapsulation specification). The encoded message is then forwarded to the service provider’s MMSC. Communication between the sending device and the MMSC uses the MM1 content interface. The MM1 content interface establishes a connection and sends an MM1 send request (m-send.req) message that contains the MMS message. The MMSC processes this request and sends back an MM1 send confirmation (m-send.conf) HTTP response indicating the status of the message — accepted or an error occurred, for example.

MM1 transactions between senders and receivers and the MMSC

If the recipient is on another carrier, the MMSC forwards the message to the recipient’s carrier. This forwarding uses the MM4 content interface for forwarding content between operator MMSCs (see the figure below).

Before the MMSC can forward the message to the final recipient, it must first determine if the receiver’s handset can receive MMS messages using the MM1 content interface. If the recipient can use the MM1 content interface, the content is extracted and sent to a temporary storage server with an HTTP front-end.

To retrieve the message, the receiver’s handset establishes a connection with the MMSC. An HTTP get request is then sent from the recipient to the MMSC. This message contains the URL where the content of the message is stored. The MMSC responds with a retrieve confirmation (m-retrieve.conf) HTTP response that contains the message.

MM4 messages sent between operator MMSCs

                                                                               Receiving Operator

MMSC                                                                                                        MMSC

This causes the receiver’s handset to retrieve the content from the embedded URL. Several messages are exchanged to indicate status of the delivery attempt. Before delivering content, some MMSCs also include a content adaptation service that attempts to modify the multimedia content into a format suitable for the recipient’s handset.

If the receiver’s handset is not MM1 capable, the message can be delivered to a web based service and the receiver can view the content from a normal Internet browser. The URL for the content can be sent to the receiver in an SMS text message. Using this method, non-MM1 capable recipients can still receive MMS content.

The method for determining whether a handset is MMS capable is not specified by the standards. A database is usually maintained by the operator, and in it each mobile phone number is marked as being associated with a legacy handset or not. It can be a bit hit and miss since customers can change their handset at will and this database is not usually updated dynamically.

Email and web-based gateways from MMSC to the Internet use the MM3 content interface. On the receiving side, the content servers can typically receive service requests both from WAP and normal HTTP browsers, so delivery via the web is simple. For sending from external sources to handsets, most carriers allow MIME encoded message to be sent to the receiver’s phone number with a special domain.

How FortiOS Carrier processes MMS messages

MMS messages can be vectors for propagating undesirable content such as spam and viruses. FortiOS Carrier can scan MMS messages sent using the MM1, MM3, MM4, and MM7 content interfaces. You can configure FortiOS Carrier to scan MMS messages for spam and viruses by configuring and adding MMS protection profiles and adding the MMS protection profiles to security policies. You can also use MMS protection profiles to apply content blocking, carrier endpoint filtering, MMS address translation, sending MMS notifications, DLP archiving of MMS messages, and logging of MMS message activity.

FortiOS Carrier MMS processing

FortiOS Carrier can send MMS messages to senders informing those senders that their devices are infected. FortiOS Carrier can also send MMS notifications to administrators to inform them of suspicious activity on their networks.

For message floods and duplicate messages, FortiOS Carrier does not send notifications to message senders but does send notifications to administrators and sends messages to sender handsets to complete MM1 and MM4 sessions.

Where MMS messaging uses the TCP/IP set of protocols, SMS text messaging uses the Signaling System Number 7 (SS7) set of protocols, which is not supported by FortiOS.

FortiOS Carrier and MMS content scanning

The following section applies to MMS content scanning, including virus scanning, file filtering, content spam filtering, carrier endpoint filtering, and MMS content checksum filtering.

MM1 Content Scanning

During MM1 content scanning a message is first transmitted from the sender, establishing a connection with the MMSC. FortiOS Carrier intercepts this connection and acts as the endpoint. FortiOS Carrier then establishes its own connection to the MMSC. Once connected, the client transmits its m-send.req HTTP post request to FortiOS Carrier which scans it according to the MMS protection profile settings. If the content is clean, the message is forwarded to the MMSC. The MMSC returns m-send.conf HTTP response through FortiOS Carrier to the sender.

If FortiOS Carrier blocks the message (for example because a virus was found, see the figure below), FortiOS Carrier resets the connection to the MMSC and sends m-send.conf HTTP response back to the sender. The response message can be customized using replacement messages. FortiOS Carrier then terminates the connection. Sending back an m-send.conf message prevents the sender from trying to send the message again.

 

MM1                            message sent by sender (blocking m.send.req messages)

FortiOS Carrier also sends m-send.rec notifications messages to the MMSC that are then forwarded to the sender to notify them of blocked messages.

Filtering message retrieval

FortiOS Carrier intercepts the connection to the MMSC, and the m-retrieve.conf HTTP response from the MMSC is scanned according to the MMS content scanning settings. If the content is clean, the response is forwarded back to the client. If the content is blocked, FortiOS Carrier drops the connection to the MMSC. It then builds an m-retrieve.conf message from the associated replacement message and transmits this back to the client.

FortiOS Carrier also sends m-send.rec notifications messages to the MMSC that are then forwarded to the receiver to notify them of blocked messages.

MM1                                             received by receiver (blocking m.retrieve.conf messages)

Filtering MM3 and MM4 messages works in an similar way to MM1 (see the figures below). FortiOS Carrier intercepts connections to the MMSC, and scans messages as configured. When messages are blocked, FortiOS Carrier closes sessions as required, sends confirmation messages to the sender, notifies administrators, and notifies senders and receivers of messages.

MM3                                                    from a sender on the Internet to an MMSC

  1. Open TCP session
  2. Send full email message
  3. Content blocked
  4. Send 550 Error and replacement message
  5. MM3 notification message

Sent once per notification period, regardless of how many messages are blocked

 

         MM4                                                     between operator MMSCs

  1. Open TCP session
  2. Send full MM4-forward.req message
  3. m-retrieve.conf mesage
  4. Content blocked
  5. Send 250 response

         MM7                                                     between a VASP and an MMSC

Sending VASP FortiOS Carrier Receiving

MMSC

FortiOS Carrier and MMS duplicate messages and message floods

FortiOS Carrier detects duplicate messages and message floods for the MM1 and MM4 interfaces. How FortiOS Carrier detects and responds to duplicate messages and message floods is different from how FortiOS Carrier detects and responds to viruses and other MMS scanning protection measures.

For message floods and duplicate messages, the sender does not receive notifications about floods or duplicate messages, as if the sender is an attacker they can gain useful information about flood and duplicate thresholds. Plus, duplicate messages and message floods are usually a result of a large amount of messaging activity and filtering of these messages is designed to reduce the amount of unwanted messaging traffic. Adding to the traffic by sending notifications to senders and receivers could result in an increase in message traffic.

You can create up to three thresholds for detecting duplicate messages and message floods. For each threshold you can configure the FortiOS Carrier unit to respond by logging the activity, archiving or quarantining the messages, notifying administrators of the activity, and by blocking the messages. In many cases you may only want to configure blocking for higher activity thresholds, and to just monitor and send administrator notifications at lower activity thresholds.

When a block threshold is reached for MM1 messages, FortiOS Carrier sends m-send.conf or m-retrieve.conf messages to the originator of the activity. These messages are sent to end the MM1 sessions, otherwise the originator would continue to re-send the blocked message. When a block threshold is reached for MM4, FortiOS Carrier sends a MM4-forward.res message to close the MM4 session. An MM4 message is sent only if initiated by the originating MM4-forward.req message.

MM1 message flood and duplicate message blocking of sent messages

MM1 message flood and duplicate message blocking of received messages

MMS protection

MM4 message flood and duplicate message blocking

  1. Open TCP session
  2. Send full MM4-forward.req message Without ‘.’ on single line
  1. Reset TCP session

MMS protection profiles

An MMS protection profile is a group of settings that you can apply to an MMS session matched by a security policy.

MMS protection profiles are easy to configure and can be used by more than one security policy. You can configure a single MMS protection profile for the different traffic types handled by a set of security policies that require identical protection levels and types. This eliminates the need to repeatedly configure those same MMS protection profile settings for each individual security policy.

Bypassing MMS protection profile filtering based on carrier endpoints

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need only moderate protection. You would configure two separate MMS protection profiles to provide the different levels of protection: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS Protection Profile, you need to add it to a security policy to apply the profile to MMS traffic.

Bypassing MMS protection profile filtering based on carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from MMS protection profile filtering. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns. If you add a carrier endpoint pattern to a filter list and set the action to exempt from all scanning, all messages from matching carrier endpoints bypass MMS protection profile filtering. See Bypassing message flood protection based on user’s carrier endpoints.

Applying MMS protection profiles to MMS traffic

To apply an MMS protection profile you must first create the MMS protection profile and then add the MMS protection profile to a security policy by enabling the Carrier security profile. The MMS protection profile then applies itself to the traffic accepted by that security policy.

MMS protection profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS protection profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS protection profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS protection profile.

To add an MMS protection profile to a security policy

  1. Go to Security Profiles > MMS Profile.
  2. Select Create New to add an MMS protection profile.
  3. Configure as needed, and save.
  4. Go to Policy & Objects > IPv4 Policy.
  5. Select Create New to add a security policy, or select an existing policy and Edit to add the MMS profile.
  6. Configure the security policy as required.
  7. Enable MMS Profile, and select the MMS profile to add to the security policy.
  8. Select OK.

 

Overview of FortiOS Carrier features

Overview of FortiOS Carrier features

FortiOS Carrier specific features include Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.

All FortiGate units, carrier-enabled or not, are capable of handling Stream Control Transmission Protocol (SCTP) traffic, which is a protocol designed for and primarily used in Carrier networks.

This section includes:

Overview

FortiOS Carrier provides all the features found on FortiGate units plus added features specific to carrier networks:

MMS and GTP.

MMS

MMS is a standard for sending messages that include multimedia content between mobile phones. MMS is also popular as a method of delivering news and entertainment content including videos, pictures, and text. Carrier networks include four different MMS types of messages — MM1, MM3, MM4, and MM7.

GTP

The GPRS Tunneling Protocol (GTP) runs on GPRS carrier networks. GPRS is a GSM packet radio standard. It provides more efficient usage of the radio interface so that mobile devices can share the same radio channel. FortiOS supports GTPv1 and GTPv2.

GPRS provides direct connections to the Internet (TCP/IP) and X.25 networks for point-to-point services (connection-less/connection oriented) and point-to-multipoint services (broadcast).

GPRS currently supports data rates from 9.6 kbps to more than 100 kbps, and it is best suited for burst forms of traffic. GPRS involves both radio and wired components. The mobile phone sends the message to a base station unit (radio based) that converts the message from radio to wired, and sends the message to the carrier network and eventually the Internet (wired carrier network). See GTP.

What’s New in FortiOS 5.6 for FortiCarrier

What’s New in FortiOS 5.6

New features added in 5.6.1

GTP enhancement and GTP Performance Improvement. (423332)

The GTP changes in 5.6.1 take place in the following categories:

New GTP features and functionality enhancements.

  • GTP message filter enhancements, including: l Unknown message white list l GTPv1 and GTPv2 profile separation l Message adoption.
  • GTP IE white list.
  • Global APN rate limit, including: l sending back REJECT message with back-off timer l “APN congestion” cause value
  • GTP half-open, half-close configurable timer.

GTP performance improvements.

  • Implemented RCU on GTP-U running path. i.e, no locking needed to look up tunnel state when processing GTP-U.

Note the RCU is only applied on GTPv1 and GTPv2 tunnels. It is not used for GTPv0 tunnels, due to the fact that (1) GTPv0 traffic is relatively minor compared with GTPv1 and GTPv2, and (2) GTPv0 tunnel indexing is totally different from GTPv1 and GTPv2. GTPv0 tunnel is indexed by [IMSI, NSAPI]. GTPv1 and GTPv2 tunnel is indexed by [IP, TEID]

  • Localized CPU memory usage on GTP-U running path.
  • GTP-C: changed some GTP tables from RB tree to hash table, including l GTP request tables, and GTPv0 tunnel tables. l Testing showed, when handling millions of entries adding/deleting, hash table performance was much better.
  • 3.2 Hash table is compatible with RCU API, so we can apply RCU on these GTP-C tables later for further performance improvements.
  • GTP-C, improved GTP path management logic, so that GTP path will time out sooner when there are no tunnels linked to it

CLI Changes:

New Diagnose commands: diagnose firewall gtp

New features added in 5.6.1                                                                                            What’s New in FortiOS 5.6

Option Description
hash-stat-tunnel GTP tunnel hash statistics.
hash-stat-v0tunnel GTPv0 tunnel hash statistics.
hash-stat-path GTP path hash statistics.
hash-stat-req GTP request hash statistics.
vd-apn-shaper APN shaper on VDOM level.
ie-white-list-v0v1 IE white list for GTPv0 or v1.
ie-white-list-v2 IE white list for GTPv2.

diagnose firewall gtp vd-apn-shaper

Option Description
list List

diagnose firewall gtp ie-white-list-v0v1

Option Description
list List

diagnose firewall gtp ie-white-list-v2

Option Description
list List

config gtp apn-shaperapn-shaper

Option Description
apn APN to match. Leave empty to match ANY.

“apn” field can be empty, it matches ANY apn. when configured, it is used to set a limit for any apn which is not explicitly listed; Also, if configured, such an entry should be the last entry, as it is first-match rule.

rate-limit Rate limit in packets/s (0 – 1000000, 0 means unlimited).

What’s New in FortiOS 5.6                                                                                            New features added in 5.6.1

Option Description
action Action. [drop | reject]

There is no back-off timer in GTPv0, therefor the reject action is not available for V0

back-off-time Back off time in seconds (10 – 360).

back-off-time visible when action is

“reject”

Changed commands:

Under command firewall gtp, config message-filter is replaced by set message-filterv0v1

Example:

config firewall gtp edit <name> set message-filter-v0v1

New fields have been added to the config firewall gtp command context

Option Description
half-open-timeout Half-open tunnel timeout (in seconds).
half-close-timeout Half-close tunnel timeout (in seconds).

Example:

config firewall gtp edit <name> set half-open-timeout 10 set half-close-timeout 10 Models affected by change

l FortiGate 3700D l FortiGate 3700DX l FortiGate 3800D Overview   Overview of FortiOS Carrier features

FortiCarrier Troubleshooting

Troubleshooting

This section offers troubleshooting options for Carrier-related issues.

This section includes:

FortiOS Carrier diagnose commands

Applying IPS signatures to IP packets within GTP-U tunnels

GTP packets are not moving along your network

FortiOS Carrier diagnose commands

This section includes diagnose commands specific to FortiOS Carrier features such as GTP.

GTP related diagnose commands

This CLI command allows you to gain information on GTP packets, logs, statistics, and other information.

diag firewall gtp <command>

apn list <gtp_profile> The APN list entries in the specified GTP profile
auth-ggsns show <gtp_profile> The authorized GGSNs entries for the specified GTP profile. Any GGSNs not on this list will not be recognized.
auth-sgsns show <gtp_profile> The authorized SGSNs list entries for the specified GTP profile. Any SGSNs not on this list will not be recognized.
handover-grp show <gtp_

profile>

The handover group showing the range of allowed handover group IP addresses. The handover group acts like a whitelist of allowed GTP addresses with a default deny at the end — if the GTP address is not on the list, it is denied.
ie-remove-policy list <gtp_ profile> List of IE policies in the IE removal policy for this GTP profile. The information displayed includes the message count for this policy, the length of the SGSN, the list of IEs, and list of SGSN IP addresses.
imsi list <gtp_profile> IMSI filter entries for this GTP profile. The information displayed includes the message count for this filter, length of the IMSI, the length of the APN and IMSI, and of course the IMSI and APN values.
invalid-sgsns-to-long list <gtp_ profile> List of SGSNs that do not match the filter criteria. These SGSNs will be logged.
ip-policy list <gtp_profile> List the IP policies including message count for each policy, the action to take, the source and destination IP addresses or ranges, and masks.

Applying IPS signatures to IP packets within GTP-U tunnels

noip-policy <gtp_profile> List the non-IP policies including the message count, which mode, the action to take, and the start and end protocols to be used by decimal number.
path {list | flush} Select list or flush.

List the GTP related paths in FortiOS Carrier memory.

Flush the GTP related paths from memory.

policy list <gtp_policy> The GTP advanced filter policy information for this GTP profile. The information displayed for each entry includes a count for messages matching this filter, a hexidecimal mask of which message types to match, the associated flags, action to take on a match, APN selection mode, MSISDN, RAT types, RAI, ULI, and IMEI.
profile list Displays information about the configured GTP profiles.

You will not be able to see the bulk of the information if you do not log the output to a file.

runtime-stat flush Select to flush the GTP runtime statistics from memory.
stat Display the GTP runtime statistics — details on current GTP activity. This information includes how many tunnels are active, how many GTP profiles exist, how many IMSI filter entries, how many APN filter entries, advanced policy filter entries, IE remove policy filter entries, IP policy filter entries, clashes, and dropped packets.
tunnel {list | flush} Select one of list or flush.

List lists all the GTP tunnels currently active.

Flush clears the list of active GTP tunnels. This does not clear the clash counter displayed in the stat command.

 

FortiCarrier – Configuring GTP

Configuring GTP on FortiOS Carrier

Configuring GTP support on FortiOS Carrier involves configuring a number of areas of features. Some features require longer explanations, and have their own chapters. The other features are addressed here.

GTP support on the Carrier-enabled FortiGate unit

Configuring General Settings on the Carrier-enabled FortiGate unit

Configuring Encapsulated Filtering in FortiOS Carrier

Configuring the Protocol Anomaly feature in FortiOS Carrier

Configuring Anti-overbilling in FortiOS Carrier

Logging events on the Carrier-enabled FortiGate unit

GTP support on the Carrier-enabled FortiGate unit

The FortiCarrier unit needs to have access to all traffic entering and exiting the carrier network for scanning, filtering, and logging purposes. This promotes one of two configurations — hub and spoke, or bookend.

A hub and spoke configuration with the Carrier-enabled FortiGate unit at the hub and the other GPRS devices on the spokes is possible for smaller networks where a lower bandwidth allows you to divide one unit into multiple virtual domains to fill multiple roles on the carrier network. It can be difficult with a single FortiOS Carrier as the hub to ensure all possible entry points to the carrier network are properly protected from potential attacks such as relayed network attacks.

A bookend configuration uses two Carrier-enabled FortiGate units to protect the carrier network between them with high bandwidth traffic. One unit handles traffic from mobile stations, SGSNs, and foreign carriers. The other handles GGSN and data network traffic. Together they ensure the network is secure.

The Carrier-enabled FortiGate unit can access all traffic on the network. It can also verify traffic between devices, and verify that the proper GPRS interface is being used. For example there is no reason for a Gn interface to be used to communicate with a mobile station — the mobile station will not know what to do with the data — so that traffic is blocked.

When you are configuring your Carrier-enabled FortiGate unit’s GTP profile, you must first configure the APN. It is critical to GTP communications — no traffic will flow without the APN.

GTP support on the Carrier-enabled FortiGate unit

The Carrier-enabled FortiGate unit does more than just forward and route GTP packets over the network. It also performs:

  • Packet sanity checking l GTP stateful inspection l Protocol anomaly detection and prevention
  • HA
  • Virtual domain support

Packet sanity checking

The FortiOS Carrier firewall checks the following items to determine if a packet confirms to the UDP and GTP standards:

  • GTP release version number — must be 0, 1, or 2 l Settings of predefined bits l Protocol type l UDP packet length

If the packet in question does not confirm to the standards, the FortiOS Carrier firewall drops the packet, so that the malformed or forged traffic will not be processed.

GTP stateful inspection

Apart from the static inspection (checking the packet header), the FortiOS Carrier firewall performs stateful inspection.

Stateful inspection provides enhanced security by keeping track of communications sessions and packets over a period of time. Both incoming and outgoing packets are examined. Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the firewall.

The FortiOS Carrier firewall can also index the GTP tunnels to keep track of them.

Using the enhanced Carrier traffic policy, the FortiOS Carrier firewall can block unwanted encapsulated traffic in GTP tunnels, such as infrastructure attacks. Infrastructure attacks involve attempts by an attacker to connect to restricted machines, such as GSN devices, network management systems, or mobile stations. If these attmpts to connect are detected, they are to be flagged immediately by the firewall .

FortiCarrier Message Flood Protection

Message flood protection

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse.

Overview

Setting message flood thresholds

Notifying administrators of floods

Example — three flood threshold levels with different actions for each threshold

Notifying message flood senders and receivers

Viewing DLP archived messages

Order of operations: flood checking before duplicate checking

Bypassing message flood protection based on user’s carrier endpoints

Configuring message flood detection

Sending administrator alert notifications

FortiCarrier MMS Security Features

MMS Security features

FortiOS Carrier includes all the Security features of FortiOS with extra features specific to MMS carrier networks.

This section includes:

Why scan MMS messages for viruses and malware?

MMS virus scanning

Sender notifications and logging

MMS content-based Antispam protection MMS DLP archiving

Why scan MMS messages for viruses and malware?

The requirement for scanning MM1 content comes from the fact that MMS is an increasingly popular technique for propagating malware between mobile devices.

Example: COMMWARRIOR

This is a virus for Series 60 type cell phones, such as Nokia, operating Symbian OS version 6 [or higher]. The object of the virus is to spread to other phones using Bluetooth and MMS as transport avenues. The targets are selected from the contact list of the infected phone and also sought via Bluetooth searching for other Bluetoothenabled devices (phones, printers, gaming devices etc.) in the proximity of the infected phone.

This virus is more than a proof of concept – it has proven successfully its ability to migrate from a zoo collection to being in-the-wild. Currently, this virus is being reported in over 18 different countries around Europe, Asia and North America.

When the virus first infects a cell phone, a prompt is displayed asking the recipient if they want to install “Caribe”. Symptoms of an infected phone may include rapid battery power loss due to constant efforts by the virus to spread to other phones via a Bluetooth seek-and-connect outreach.

The following variants among others are currently scanned by the FortiOS Carrier devices, in addition to more signatures that cover all known threats.

  • SymbOS/COMWAR.V10B!WORM
  • Aliases: SymbOS.Commwarrior.B, SymbOS/Commwar.B, SymbOS/Commwar.B!wm, SymbOS/Commwar.B-net,

SymbOS/Commwarrior.b!sis, SymbOS/Comwar.B, SymbOS/Comwar.B!wm, SymbOS/Comwar.B-wm, SYMBOS_

COMWAR.B, SymbOS/Comwar.1.0.B!wormSYMBOS/COMWAR.V10B.SP!WORM [spanish version] l First Discovered In The Wild: July 04, 2007 l Impact Level: 1 l Virus Class: Worm l Virus Name Size: 23,320 l SymbOS/Commwar.A!worm

  • Aliases: Commwarrior-A, SymbOS.Commwarrior.A [NAV], SymbOS/Commwar.A-net, SymbOS/Commwar_

ezboot.A-ne, SymbOS/Comwar.A, SymbOS/Comwar.A-wm, SYMBOS_COMWAR.A [Trend]

  • First Discovered In The Wild: May 16 2005 l Impact Level: 1 l Virus Class: Worm l Virus Name Size: 27,936 l SymbOS/Commwarriie.C-wm l Aliases: None l First Discovered In The Wild: Oct 17 2005 l Impact Level: 1 l Virus Class: File Virus l Virus Name Size: None

For the latest list of threats Fortinet devices detect, visit the FortiGuard Center.