GTP APN and IMSI Prefix Configuration

A NetScreen device can filter GTP packets based on an IMSI prefix, an APN, or a combination of the two.

Access Point Name Filters

By default, the NetScreen device permits all APNs. However, you can configure the device to perform APN filtering to restrict roaming subscribers’ access to external networks. You can configure up to 2000 APNs.

To enable APN filtering, you must specify one or more APNs. To set an APN, you need to know the domain name of the network (for example, “mobiphone.com”) and the operator ID. Because the domain name (network ID) portion of an APN can be very long, you can use the wildcard “*” as the first character of the APN. The wildcard indicates that the APN is not limited to “mobiphone.com” but also includes any characters that might precede it.

You must also set a Selection Mode for the APN. The Selection Mode indicates the origin of the APN and whether or not the HLR (Home Location Register) verified the user’s subscription. You set the Selection Mode according to the security needs of your network. The possible Selection Modes are the following:

Mobile Station – MS-provided APN, subscription not verified
This Selection Mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network.

Network – Network-provided APN, subscription not verified
This Selection Mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user’s subscription to the network.

Verified – MS or Network-provided APN, subscription verified
This Selection Mode indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.

APN filtering applies only to “create pdp request” messages. When performing APN filtering, the NetScreen device inspects GTP packets looking for APNs that match APNs that you set. If the APN of a GTP packet matches an APN that you specified, the NetScreen device then verifies the Selection Mode and only forwards the GTP packet if both the APN and the Selection Mode match the APN and the Selection Mode that you specified. Because APN filtering is based on perfect matches, using the wildcard “*” when setting an APN suffix can prevent the inadvertent exclusion of APNs that you would otherwise authorize. The NetScreen device automatically denies all other APNs that do not match.

IMSI Prefixes

A GSN (GPRS Support Node) identifies a mobile station by its IMSI (International Mobile Station Identity). An IMSI is composed of three elements: the MCC (Mobile Country Code), the MNC (Mobile Network Code), and the MSIN (Mobile Subscriber Identification Number). The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or PLMN.

You can configure the NetScreen device to deny GTP traffic coming from non-roaming partners by setting IMSI prefixes. By default, a NetScreen device does not perform IMSI prefix filtering on GTP packets. By setting IMSI prefixes, you configure the NetScreen device to filter “create pdp request” messages and only permit GTP packets with IMSI prefixes that match the ones you set. The NetScreen device drops GTP packets with IMSI prefixes that do not match any of the IMSI prefixes that you set. You can set up to 1000 IMSI prefixes.
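The APN rules in the Access Point Name Filters section and the IMSI prefix rules above combine into one permit-or-drop decision per “create pdp request”. The following Python model is an added example, not NetScreen code: the class, method names and sample values are hypothetical, and treating several configured APNs as "any one entry may match" is an assumption.

```python
# Added illustration: a model of the filtering rules described on this page,
# not NetScreen code. Class, method and field names are hypothetical.
from dataclasses import dataclass, field

MODES = {"ms", "network", "verified"}  # Mobile Station / Network / Verified


@dataclass
class GtpFilter:
    apns: list = field(default_factory=list)         # (pattern, selection mode)
    imsi_prefixes: set = field(default_factory=set)  # MCC-MNC digit strings

    def add_apn(self, pattern: str, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown selection mode: {mode}")
        self.apns.append((pattern, mode))

    def add_imsi_prefix(self, prefix: str) -> None:
        if not (prefix.isdigit() and len(prefix) in (5, 6)):
            raise ValueError("MCC-MNC pair must be five or six digits")
        self.imsi_prefixes.add(prefix)

    @staticmethod
    def _apn_match(pattern: str, apn: str) -> bool:
        # A leading "*" covers any characters before the suffix; else exact match.
        if pattern.startswith("*"):
            return apn.endswith(pattern[1:])
        return apn == pattern

    def permits(self, msg_type: str, apn: str, mode: str, imsi: str) -> bool:
        if msg_type != "create pdp request":
            return True  # these two filters inspect only create pdp requests
        # IMSI prefix filtering is off until at least one prefix is set.
        if self.imsi_prefixes and not any(imsi.startswith(p) for p in self.imsi_prefixes):
            return False
        # All APNs are permitted until one is set; then APN and mode must both match.
        return not self.apns or any(
            self._apn_match(p, apn) and m == mode for p, m in self.apns)


def demo() -> dict:
    f = GtpFilter()  # constructed sample policy and IMSIs
    f.add_apn("*mobiphone.com", "verified")
    f.add_imsi_prefix("123456")
    req, imsi = "create pdp request", "123456000000001"
    return {
        "verified": f.permits(req, "wap.mobiphone.com", "verified", imsi),
        "ms_mode": f.permits(req, "wap.mobiphone.com", "ms", imsi),
        "other_apn": f.permits(req, "internet.example.net", "verified", imsi),
        "other_imsi": f.permits(req, "wap.mobiphone.com", "verified", "999990000000001"),
    }
```

In this model the wildcard is a plain suffix match, so “*mobiphone.com” also accepts an APN such as “wap.notmobiphone.com”; a longer suffix narrows what the entry authorizes.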

To Configure an APN and IMSI Prefix Filter

  1. Enter the following information:

Access Point Name: Set an APN suffix, for example, “netscreen.com.mcc123.mnc456.gprs”.

Note: Because APN filtering is based on perfect matches, using the wildcard “*” when setting an APN suffix might prevent the inadvertent exclusion of APNs that you would otherwise authorize. The NetScreen device automatically drops all other APNs that do not match.

Mobile Country-Network Code: Specify an IMSI prefix. The MCC-MNC pair can be five or six digits.

Selection Mode: Select Mobile Station, Network, or Verified. For information on these selections, see the definitions in the Access Point Name section above.

  2. Click OK to save your settings.