To Configure an APN and IMSI
Prefix FilterYou can configure a security device to filter GTP packets based on an IMSI prefix, an APN, or on the combination of an IMSI prefix and an APN.
An Access Point Name (APN) is an Information Element (IE) included in the header of a GTP packet that provides information on how to reach a network. An APN is composed of two elements:
A network ID, which identifies the name of an external network such as “mobiphone.com”
An operator ID, which uniquely identifies the operators’ PLMN such as “mnc123.mcc456”
By default, the security device permits all APNs. However, you can configure the security device to perform APN filtering to restrict roaming subscribers’ access to external networks.
APN filtering applies only to “create pdp request” messages. When performing APN filtering, the security device inspects GTP packets looking for APNs that match APNs that you configured. If the APN of a GTP packet matches an APN that you specified, the security device then verifies the Selection Mode and only forwards the GTP packet if both the APN and the Selection Mode match the APN and the Selection Mode that you specified. Because APN filtering is based on perfect matches, using the wildcard “*” as the first character when defining an APN suffix may prevent the inadvertent exclusion of APNs that you would otherwise authorize. The security device automatically permits all other APNs that do not match.
An IMSI is composed of three elements: the MCC (Mobile Country Code), the MNC (Mobile Network Code), and MSIN (Mobile Subscriber Identification Number). The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or PLMN.
You can configure the security device to deny GTP traffic coming from non-roaming partners by setting IMSI prefixes. By default, a security device does not perform IMSI prefix filtering on GTP packets. By setting IMSI prefixes, you configure the security device to filter “create pdp request” messages and only permit GTP packets with IMSI prefixes that match the ones you set. The security device drops GTP packets with IMSI prefixes that do not match any of the IMSI prefixes that you set. You can set up to 1000 IMSI prefixes.
The APN list displays the following information for each configured APN:
Mobile Country Network Code: The number composing the IMSI prefix.
Access Point Name: The name of the APN, including the domain name of the network and the operator ID. Wildcards can appear in the domain name portion, for example, "*mobiphone.com.mnc123.mcc456.gprs"
Mobile Station: A checkmark indicates that the mobile station provided the APN and that the HLR did not verify the user’s subscription to the network.
Network: A checkmark indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user’s subscription to the network.
Verified: A checkmark indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.
Configure: Click Remove to delete the filter from the list.
To Configure an APN and IMSI
Prefix FilterClick New. For more information on configuring a new APN, see GTP APN and IMSI Prefix Configuration.