GTP Inspection Object Basic Configuration

To enable the security device to perform the inspection of GTP traffic, you must create a GTP Inspection Object and then apply it to a policy. GTP Inspection Objects provide more flexibility in that they allow you to configure multiple policies each enforcing different GTP configurations. You can configure the NetScreen device to control GTP traffic differently based on source and destination zones and addresses, action, and so on.

A GTP inspection object is a set of parameters for GTP traffic processing. On this page you can configure the basic parameters for GTP inspection on the NetScreen device.

To Configure a GTP Inspection Object

  1. Enter the following information:

GTP Name: Enter a name for the GTP Inspection Object if you are creating a new object. If you are modifying an existing object, this field does not appear.

Minimum Message Length: Enter the minimum length, in octets, of the GTP payload.

Maximum Message Length: Enter the maximum length, in octets, of the GTP payload.

Note: The message length field in the GTP header gives the length, in octets, of the GTP payload that follows the mandatory 8-octet header. It does not include the mandatory GTP header itself, the UDP header, or the IP header. Because the field is 16 bits wide, the default minimum and maximum message lengths are 0 and 65535, respectively; you can configure a narrower range. The security device drops any GTP packet whose declared message length falls outside the configured minimum and maximum.

Control Plane Traffic Rate Limit: Select Limited to ___ pps and enter the maximum number of GTP-C messages (in packets per second) the device should accept. The default value is Unlimited.

Maximum Number of Tunnels: Select Limited to ___ tunnels and enter the maximum number of GTP tunnels that can exist under this GTP Inspection Object per GSN. The default value is Unlimited.

Tunnel Inactivity Timeout: Set the tunnel timeout value in hours. The default is 24 hours. Because the security device tracks tunnels statefully, a tunnel in which it sees no traffic for the configured period is removed from the state table; traffic arriving later for that tunnel is treated as belonging to an unknown tunnel.

Sequence Number Validation: Select this option to enable the NetScreen device to perform Sequence Number Validation. Normally, the receiving GGSN compares the Sequence Number in each packet it receives with the value of its own counter; if the numbers match, the GGSN forwards the packet, and if they differ, the GGSN drops it. With a security device deployed between the GSNs, the device performs this validation on behalf of the GGSN and drops out-of-sequence packets before they reach it.

GTP-in-GTP Denied: Select this option to enable the security device to detect and drop a GTP packet whose message body (the encapsulated T-PDU) itself contains another GTP packet.

Remove R6 IE: Select this option if your network, or a roaming partner's network under a contractual agreement, runs a 3GPP release earlier than Release 6. The device strips R6 information elements (IEs) from GTP-C messages, which reduces network overhead and avoids sending control messages containing IEs the peer does not support.

TEID DI: Select this option to configure the security device to perform deep inspection on the tunnel endpoint ID (TEID) in G-PDU data messages.

  2. Click Apply to save your settings.

After you create a GTP Inspection Object and save it, other GTP configuration pages become available: Log, APN + IMSI, Message Drop, Subscriber Trace, and Overbilling.
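The following Python program is an added example, not ScreenOS code, showing what three of the checks above amount to on the wire: the message-length bounds (using the GTPv1 header length field as described in the note), per-tunnel sequence-number validation, and GTP-in-GTP detection on a G-PDU's T-PDU. The `GtpInspector` class, its parameter names, the packet builders and all sample packets are constructed for this illustration and do not correspond to any ScreenOS internal interface.

```python
"""Illustrative GTPv1 inspection checks (example code, not ScreenOS)."""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GTP_PORT_C = 2123   # GTP-C
GTP_PORT_U = 2152   # GTP-U
MSG_GPDU = 0xFF     # G-PDU: carries a subscriber T-PDU


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    length: int          # payload octets after the mandatory 8-octet header
    teid: int
    seq: Optional[int]
    hdr_len: int         # 8, or 12 when any optional field flag (E/S/PN) is set


def parse_gtpv1(data: bytes) -> GtpHeader:
    """Parse the GTPv1 header; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("unsupported GTP version %d" % (flags >> 5))
    seq, hdr_len = None, 8
    if flags & 0x07:                     # E, S or PN set: optional 4 octets present
        if len(data) < 12:
            raise ValueError("truncated optional header")
        hdr_len = 12
        if flags & 0x02:                 # S flag: sequence number is meaningful
            seq = struct.unpack("!H", data[8:10])[0]
    return GtpHeader(1, msg_type, length, teid, seq, hdr_len)


@dataclass
class GtpInspector:
    """Hypothetical inspector mirroring the inspection-object parameters."""
    min_len: int = 0
    max_len: int = 65535
    seq_validation: bool = False
    gtp_in_gtp_denied: bool = False
    expected_seq: Dict[int, int] = field(default_factory=dict)  # TEID -> next seq

    @staticmethod
    def _carries_gtp(tpdu: bytes) -> bool:
        """True if the T-PDU is IPv4/UDP to a GTP port with a parsable GTP header."""
        if len(tpdu) < 20 or tpdu[0] >> 4 != 4:
            return False
        ihl = (tpdu[0] & 0x0F) * 4
        if tpdu[9] != 17 or len(tpdu) < ihl + 8:   # not UDP, or truncated
            return False
        dport = struct.unpack("!H", tpdu[ihl + 2:ihl + 4])[0]
        if dport not in (GTP_PORT_C, GTP_PORT_U):
            return False
        try:
            parse_gtpv1(tpdu[ihl + 8:])
            return True
        except ValueError:
            return False

    def inspect(self, udp_payload: bytes) -> Tuple[bool, str]:
        """Return (forward?, reason) for one GTP message carried in UDP."""
        try:
            h = parse_gtpv1(udp_payload)
        except ValueError as exc:
            return False, "malformed: %s" % exc
        if not self.min_len <= h.length <= self.max_len:
            return False, "length %d outside [%d, %d]" % (h.length, self.min_len, self.max_len)
        if h.length != len(udp_payload) - 8:          # declared vs. actual payload
            return False, "length field does not match payload"
        if self.seq_validation and h.seq is not None:
            expected = self.expected_seq.get(h.teid)
            if expected is not None and h.seq != expected:
                return False, "out-of-sequence: got %d, expected %d" % (h.seq, expected)
            self.expected_seq[h.teid] = (h.seq + 1) & 0xFFFF
        if self.gtp_in_gtp_denied and h.msg_type == MSG_GPDU:
            if self._carries_gtp(udp_payload[h.hdr_len:]):
                return False, "GTP-in-GTP"
        return True, "ok"


def build_gtpu(teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Construct a GTPv1 G-PDU (version 1, PT=1), optionally with the S flag."""
    flags = 0x30 | (0x02 if seq is not None else 0)
    body = (struct.pack("!HBB", seq, 0, 0) if seq is not None else b"") + payload
    return struct.pack("!BBHI", flags, MSG_GPDU, len(body), teid) + body


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP datagram (checksums left zero; sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def run_demo() -> List[Tuple[bool, str]]:
    """Run constructed sample packets through an inspector with tightened settings."""
    insp = GtpInspector(min_len=0, max_len=1500, seq_validation=True, gtp_in_gtp_denied=True)
    user_pkt = build_ipv4_udp("10.1.1.1", "10.2.2.2", 40000, 53, b"dns query")
    nested = build_ipv4_udp("10.1.1.1", "10.3.3.3", 2152, GTP_PORT_U, build_gtpu(0x9999, b"x"))
    return [
        insp.inspect(build_gtpu(0x1234, user_pkt, seq=10)),   # ok, learns seq 10
        insp.inspect(build_gtpu(0x1234, user_pkt, seq=11)),   # ok, in sequence
        insp.inspect(build_gtpu(0x1234, user_pkt, seq=15)),   # dropped: out-of-sequence
        insp.inspect(build_gtpu(0x5678, nested)),             # dropped: GTP-in-GTP
        insp.inspect(build_gtpu(0x5678, b"A" * 1600)),        # dropped: exceeds max length
    ]


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("forward" if ok else "drop   ", reason)
```

Two details worth noting when comparing this with the device: the inspector only learns a tunnel's counter from the first packet it sees with the S flag set, so messages without a sequence number pass the sequence check, and the GTP-in-GTP test keys on the T-PDU being IPv4/UDP to port 2123 or 2152 with a header that parses as GTPv1; a real implementation would also need IPv6 and the v2 header.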