Description: The article describes which part of the GTP packet is checked for SGSN, GGSN, and handover authorization.
Scope: FortiGate.
Solution:
In the GTP profile there are fields to configure the handover group, the authorized SGSNs and the authorized GGSNs using IP address objects, so that incoming GTP requests are checked against those objects.
If these controls are enabled, log entries like the one below are generated during inspection, depending on the configured address groups:
Date=2023-02-06 time=02:46:05 eventtime=1675680364967068341 tz="-0800" logid="1400041224" type="gtp" subtype="gtp-all" level="information" vd="root" profile="my_gtp_profile_inbound" status="prohibited-monitor" version=2 msg-type=32 from=10.109.5.80 to=10.103.5.80 deny_cause="sgsn-not-authorized" ietype=0 dtlexp="none" srcport=50981 dstport=2123 seqnum=538 tunnel-idx=0 imsi="204047573162248" msisdn="33745656144" apn="live.vodafone.com.mnc004.mcc204.gprs" selection="apns-vrf" imei-sv="86840704.109184.40" rat-type="eutran" end-usr-address=unknown headerteid=0 snetwork="284.5" cpaddr=10.10.10.20 cpteid=69305385 uli="TAI:284.5.1F5|ECGI:284.5.108103" ulimcc=284 ulimnc=5
The log carries three IP addresses: from, to, and cpaddr.
GTP inspection performs the SGSN, GGSN, and handover authorization checks on the IPv4 address carried in the F-TEID (Fully Qualified Tunnel Endpoint Identifier) information element of the GTP packet, not on the IP header. This can be seen in a packet capture of such a request; the F-TEID IPv4 address is the value reported as cpaddr in the log.
The F-TEID IPv4 address can differ from the addresses in the IP header, depending on the mobile network architecture. If 'not-authorized' deny logs are seen (for example deny_cause="sgsn-not-authorized"), the IP reported as cpaddr, rather than the from address, should be checked against the relevant IP address objects.
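As an added illustration that is not part of the Fortinet article, the Python below parses the article's log fields, decodes a constructed GTPv2 F-TEID IE (layout per 3GPP TS 29.274; interface type 17 is assumed for the sample) to show where cpaddr comes from, and checks both from= and cpaddr= against constructed SGSN address objects. The helper names and the two address-object lists are mine, not FortiGate configuration.

```python
import ipaddress
import re
import struct

# Trimmed from the article's sample log: key=value pairs, some values quoted.
LOG_LINE = ('type="gtp" status="prohibited-monitor" msg-type=32 from=10.109.5.80 '
            'to=10.103.5.80 deny_cause="sgsn-not-authorized" cpaddr=10.10.10.20 '
            'cpteid=69305385')
# Constructed SGSN address objects: the first reproduces a typical mistake, adding
# the IP-header source (from=) instead of the F-TEID address (cpaddr=).
MISCONFIGURED_SGSN_OBJECTS = [ipaddress.ip_network("10.109.5.0/24")]
CORRECTED_SGSN_OBJECTS = [ipaddress.ip_network("10.10.10.0/24")]
# Constructed GTPv2 F-TEID IE (type 87) carrying the log's TEID and IPv4:
# type(1) length(2) spare/instance(1) | flags(1: bit7=V4, low 6 bits=interface) TEID(4) IPv4(4)
SAMPLE_FTEID_IE = (struct.pack(">BHB", 0x57, 9, 0) + bytes([0x80 | 17])
                   + struct.pack(">I", 69305385)
                   + ipaddress.IPv4Address("10.10.10.20").packed)

def parse_gtp_log(line):
    """Split a FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}

def decode_fteid(ie):
    """Decode one F-TEID IE; returns (interface_type, teid, ipv4_or_None)."""
    ie_type, length, _ = struct.unpack(">BHB", ie[:4])
    if ie_type != 0x57:
        raise ValueError("not an F-TEID IE")
    body = ie[4:4 + length]
    flags, teid = body[0], struct.unpack(">I", body[1:5])[0]
    ipv4 = str(ipaddress.IPv4Address(body[5:9])) if flags & 0x80 else None
    return flags & 0x3F, teid, ipv4

def is_authorized(ip, objects):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in objects)

def diagnose(entry, sgsn_objects):
    """Explain an sgsn-not-authorized deny: the check keys on cpaddr, not on from."""
    result = {"from_authorized": is_authorized(entry["from"], sgsn_objects),
              "cpaddr_authorized": is_authorized(entry["cpaddr"], sgsn_objects)}
    if result["cpaddr_authorized"]:
        result["verdict"] = "cpaddr is authorized; look for another deny cause"
    elif result["from_authorized"]:
        result["verdict"] = ("only the IP-header source matches; add the F-TEID "
                             f"address {entry['cpaddr']} to the SGSN objects")
    else:
        result["verdict"] = f"add F-TEID address {entry['cpaddr']} to the SGSN objects"
    return result
```

Running diagnose() on the article's log with the misconfigured objects reports that only the IP-header source matches, which is exactly the situation the article describes.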
Copyright 2024 Fortinet, Inc. All Rights Reserved.