Technical Tip: How to make sure that FortiGate does not inspect GTP traffic after a GTP profile is removed from a firewall policy
Description
This article explains how to make sure that the GTP traffic hitting a specific firewall policy will not be inspected when a GTP profile is removed from a firewall policy.
Scope
FortiCarrier, GTP.
Solution
On FortiCarrier, removing the GTP profile from a firewall policy does not stop GTP inspection: GTP traffic matching that policy is still inspected according to the default GTP profile configured on the FortiGate, and the inspected sessions continue to appear in the GTP logs.
To make sure that GTP inspection no longer happens once the GTP profile has been removed from a specific firewall policy:
- Create a custom service that covers the GTP-C ports (UDP 2123 and 3386) and the GTP-U port (UDP 2152) with the session helper disabled:
config firewall service custom
edit "GTP_no_inspection"
set helper disable
set udp-portrange 2123 2152 3386
next
end
- Apply the custom service to the specific firewall policies where the GTP traffic should not be inspected:
config firewall policy
edit 100
set name "GTP traffic not inspected"
set srcintf "port3"
set dstintf "port4"
set action accept
set srcaddr "GTP-traffic-source"
set dstaddr "GTP-traffic-destination"
set schedule "always"
set service "GTP_no_inspection"
set comments "GTP inspection disabled"
next
end
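The following script is an added example and is not part of the original article or of Fortinet's own tooling. It parses a FortiOS/FortiCarrier configuration dump in the plain config/edit/set/next/end CLI format and reports firewall policies that will still receive GTP inspection under the default GTP profile: policies with no gtp-profile whose service matches the GTP ports but leaves the session helper enabled. The sample configuration is constructed for the example; the attribute names gtp-profile and helper, the default helper value of auto when the attribute is absent, and the treatment of the predefined service ALL as matching every port are assumptions, not something the article states.

```python
"""Audit a FortiOS/FortiCarrier config for policies still subject to GTP inspection.
Added example, not Fortinet code. Assumptions: plain config/edit/set/next/end
format; 'helper' defaults to 'auto' when absent; predefined service ALL matches
every port with the helper enabled; the policy attribute is 'gtp-profile'."""
import shlex

GTP_PORTS = {2123, 3386, 2152}   # GTP-C: UDP 2123, 3386; GTP-U: UDP 2152


def parse_fortios(text):
    """Minimal parser for the nested FortiOS CLI format.
    Returns e.g. {"firewall policy": {"100": {"service": ["GTP_no_inspection"]}}}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(shlex.split(line[5:])[0], {}))
        elif line.startswith("set "):
            tokens = shlex.split(line[4:])
            stack[-1][tokens[0]] = tokens[1:]
        elif line in ("next", "end"):
            stack.pop()
    return root


def expand_ports(tokens):
    """Expand udp-portrange tokens ('2123', '2152-2155', '3386:1024-65535')
    into the set of destination ports they cover (source-port part ignored)."""
    ports = set()
    for tok in tokens:
        lo, _, hi = tok.split(":")[0].partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_gtp_policies(cfg):
    """Return [(policy_id, service_name, [gtp ports])] for policies that carry
    no gtp-profile but whose service exposes GTP ports with the helper enabled,
    i.e. policies the default GTP profile will still inspect."""
    services = cfg.get("firewall service custom", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("gtp-profile"):
            continue                       # explicit profile: inspection is intended
        for name in pol.get("service", []):
            if name == "ALL":              # assumption: predefined ALL covers GTP ports
                exposed, helper = set(GTP_PORTS), "auto"
            elif name in services:
                svc = services[name]
                exposed = expand_ports(svc.get("udp-portrange", [])) & GTP_PORTS
                helper = svc.get("helper", ["auto"])[0]
            else:
                continue                   # other predefined service: not judged here
            if exposed and helper != "disable":
                findings.append((pid, name, sorted(exposed)))
    return findings


# Constructed sample configuration for the example (not from a real device).
SAMPLE_CONFIG = """\
config firewall service custom
    edit "GTP_no_inspection"
        set helper disable
        set udp-portrange 2123 2152 3386
    next
    edit "GTP_helper_default"
        set udp-portrange 2123 2152 3386
    next
    edit "DNS_only"
        set udp-portrange 53
    next
end
config firewall policy
    edit 100
        set name "GTP traffic not inspected"
        set service "GTP_no_inspection"
    next
    edit 101
        set name "GTP profile removed, helper still on"
        set service "GTP_helper_default"
    next
    edit 102
        set name "GTP inspected with explicit profile"
        set service "GTP_helper_default"
        set gtp-profile "gtp-custom"
    next
    edit 103
        set name "Catch-all policy"
        set service "DNS_only" "ALL"
    next
end
"""

if __name__ == "__main__":
    for pid, svc, ports in audit_gtp_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {pid}: service {svc} exposes GTP ports {ports} with the "
              f"helper enabled; the default GTP profile still applies")
```

Run it against the output of a full configuration backup. Policy 100 (the configuration from this article) produces no finding; policy 101, which only had its GTP profile removed, and policy 103, which matches GTP ports through ALL, are reported. Predefined services other than ALL are not present in the custom-service section, so the script does not judge them; check those policies by hand.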
On FortiCarrier, removing the GTP profile from a firewall policy is not sufficient by itself to avoid inspection of GTP traffic hitting that policy; the session helper must also be disabled on the service that matches the GTP ports.