FortiGate
maydin
Staff
Article Id 334695
Description

This article describes how, when configuring the message filter for GTPv2, some configuration options overlap with each other and can cause confusion, and explains which setting takes precedence.

Scope

All FortiGates.
Solution

config gtp message-filter-v2 has many configuration options to allow or deny specific message types, and also an option to white-list specific message types. One can configure a profile like the one below:

config gtp message-filter-v2
    edit "GTP_KB_example"
        set context-req-res-ack deny
        set unknown-message-white-list 130 131 132
    next
end


When checked in the reference guide, it can be seen that context-req-res-ack corresponds to the message types 130, 131, and 132:

[Reference guide excerpt: config gtp message-filter-v2]

In this case, 'context-req-res-ack deny' configures message types 130, 131, and 132 to be denied, while 'unknown-message-white-list' tries to allow the same messages. 'context-req-res-ack deny' takes precedence, and requests for message types 130, 131, and 132 will be denied, as the following log shows:


Aug 20 10:01:44 fgt1 date=2024-08-20 time=10:01:44 devname="fgt1" devid="FG420Fxxxxxxxx" eventtime=1718092903821382951 tz="+0200" logid="1400041224" type="gtp" subtype="gtp-all" level="information" vd="test" profile="gtp-profile-inbound" status="prohibited-monitor" version=2 msg-type=131 msgtypename="context_response" from=x.x.x.x to=y.y.y.y deny_cause="msg-filter" ietype=0 dtlexp="none" srcport=2123 dstport=2123 seqnum=4013396 tunnel-idx=0 imsi="unknown" msisdn="unknown" apn="unknown" imei-sv="unknown" end-usr-address=unknown headerteid=2812280841 timeoutdelete=0 snetwork="unknown" uli="unknown"


Recommendation: use 'unknown-message-white-list' only for message types that do not have a specific configuration option in the reference document linked below. Otherwise, the settings might not work as intended.
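The following script is an added example, not part of this article or of FortiOS. It checks a message-filter-v2 profile for exactly the overlap described above (a white-listed message type that an explicit deny option already covers, where the deny wins) and confirms from the log line that the message filter was the cause of the deny. The option-to-message-type table only contains the pair the article documents (context-req-res-ack covers 130, 131, 132); the config parser, the key=value log splitter and the shortened sample log line are assumptions made for the example.

```python
import re

# Mapping from a 'config gtp message-filter-v2' option to the GTPv2 message
# types it covers. Only the pair documented in the article (context-req-res-ack
# -> 130, 131, 132) is included; extend it from the FortiOS reference guide.
OPTION_TO_MSG_TYPES = {
    "context-req-res-ack": {130, 131, 132},
}

# Constructed sample: the profile shown in the article.
SAMPLE_CONFIG = """\
config gtp message-filter-v2
    edit "GTP_KB_example"
        set context-req-res-ack deny
        set unknown-message-white-list 130 131 132
    next
end
"""

# Constructed sample: the article's GTP log line, shortened to the relevant fields.
SAMPLE_LOG = ('Aug 20 10:01:44 fgt1 date=2024-08-20 time=10:01:44 devname="fgt1" '
              'devid="FG420Fxxxxxxxx" type="gtp" subtype="gtp-all" level="information" '
              'vd="test" profile="gtp-profile-inbound" status="prohibited-monitor" '
              'version=2 msg-type=131 msgtypename="context_response" from=x.x.x.x '
              'to=y.y.y.y deny_cause="msg-filter" srcport=2123 dstport=2123')


def parse_message_filter_v2(config_text):
    """Parse a message-filter-v2 block into
    {profile_name: {"deny": set of option names, "white_list": set of ints}}."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+?)"?$', line)
        if m:
            current = {"deny": set(), "white_list": set()}
            profiles[m.group(1)] = current
            continue
        m = re.match(r'^set\s+(\S+)\s+(.+)$', line)
        if current is None or not m:
            continue  # config/next/end lines and anything outside an edit block
        key, value = m.group(1), m.group(2).strip()
        if key == "unknown-message-white-list":
            current["white_list"] = {int(v) for v in value.split()}
        elif value == "deny":
            current["deny"].add(key)
    return profiles


def find_overlaps(profile):
    """Return {msg_type: option} for every white-listed message type that an
    explicitly denied option already covers. Per the article the deny wins,
    so each entry is a white-list value that will have no effect."""
    overlaps = {}
    for option in sorted(profile["deny"]):
        for msg_type in OPTION_TO_MSG_TYPES.get(option, set()) & profile["white_list"]:
            overlaps[msg_type] = option
    return overlaps


def parse_gtp_log(line):
    """Split a FortiGate key=value log line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}


def denied_by_msg_filter(line):
    """True when a gtp log line records a message the message filter prohibited."""
    fields = parse_gtp_log(line)
    return fields.get("type") == "gtp" and fields.get("deny_cause") == "msg-filter"


if __name__ == "__main__":
    for name, profile in parse_message_filter_v2(SAMPLE_CONFIG).items():
        for msg_type, option in find_overlaps(profile).items():
            print(f"{name}: white-listed type {msg_type} is already denied by "
                  f"'set {option} deny'; the deny takes precedence")
    fields = parse_gtp_log(SAMPLE_LOG)
    if denied_by_msg_filter(SAMPLE_LOG):
        print(f"log: msg-type {fields['msg-type']} ({fields['msgtypename']}) "
              f"denied, status={fields['status']}")
```

Run against the article's profile, the script reports that all three white-listed types (130, 131, 132) are already covered by 'set context-req-res-ack deny', which is exactly the configuration the recommendation above tells you to avoid; the log check is the field a SOC rule would key on (type="gtp" with deny_cause="msg-filter") to confirm that the message filter, not another GTP check, blocked the message.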


Related document for FortiOS 7.2.8:

GTPv2 message filtering