Policy-Based GTPv1 and Inspection Objects
Learn how GTP policies define rules that permit, deny, or tunnel traffic. The device performs GTP policy filtering by inspecting every GTP packet against these policies and then forwarding, dropping, or tunneling the packet accordingly.
By default, the public land mobile network (PLMN) protected by a Juniper Networks device is placed in the Trust zone. The device protects this PLMN from other PLMNs in different zones. These external PLMNs can be placed in the Untrust zone or in user-defined zones. A PLMN can belong to one or multiple security zones.
To allow traffic between zones and PLMNs, you must configure policies. Each policy contains rules that permit, deny, or tunnel traffic, and the device applies them to every GTP packet as described above.
Selecting the GTP service (the predefined junos-gprs-gtp application) in a policy lets the device permit, deny, or tunnel GTP traffic, but it does not by itself enable inspection. To inspect GTP traffic, you must also apply a GTP configuration (a GTP inspection object, configured as a security gtp profile) to the policy. A policy can reference only one GTP inspection object, but the same object can be reused across multiple policies. Because policies are matched on source and destination zones and addresses, you can also use them to control which peers, such as a specific Serving GPRS Support Node (SGSN), are allowed to establish GTP tunnels.
Use Feature Explorer to confirm platform and release support for specific features. Additional platforms might be supported.
See the Additional Platform Information section for more information.
Example: Enable GTP Inspection in Policies
This example shows how to enable GTP inspection in policies.
Requirements
GTP is disabled on the device by default. Before you begin, enable GTP and then restart the device; the restart is required for GTP to take effect.
Overview
In this example, you configure interfaces ge-0/0/1 and ge-0/0/2 with the addresses 2.0.0.254/8 and 3.0.0.254/8, assign them to the security zones sgsn and ggsn, and define the address-book entries local-sgsn (2.0.0.5/32) and remote-ggsn (3.0.0.6/32). You then enable the GTP service in two security policies, one for each direction, and attach the GTP inspection object gtp1 to both, so that bidirectional traffic between the two networks within the same PLMN is permitted and inspected.
Configuration
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security gtp profile gtp1
set interfaces ge-0/0/1 unit 0 family inet address 2.0.0.254/8
set interfaces ge-0/0/2 unit 0 family inet address 3.0.0.254/8
set security zones security-zone sgsn interfaces ge-0/0/1.0
set security zones security-zone sgsn host-inbound-traffic system-services all
set security zones security-zone sgsn host-inbound-traffic protocols all
set security zones security-zone ggsn interfaces ge-0/0/2.0
set security zones security-zone ggsn host-inbound-traffic system-services all
set security zones security-zone ggsn host-inbound-traffic protocols all
set security address-book global address local-sgsn 2.0.0.5/32
set security address-book global address remote-ggsn 3.0.0.6/32
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit application-services gprs-gtp-profile gtp1
Step-by-Step Procedure
To configure GTP inspection in policies:
Create the GTP inspection object.
[edit]
user@host# set security gtp profile gtp1
Configure interfaces.
[edit interfaces]
user@host# set ge-0/0/1 unit 0 family inet address 2.0.0.254/8
user@host# set ge-0/0/2 unit 0 family inet address 3.0.0.254/8
Configure security zones.
[edit security zones]
user@host# set security-zone sgsn interfaces ge-0/0/1.0
user@host# set security-zone sgsn host-inbound-traffic system-services all
user@host# set security-zone sgsn host-inbound-traffic protocols all
user@host# set security-zone ggsn interfaces ge-0/0/2.0
user@host# set security-zone ggsn host-inbound-traffic system-services all
user@host# set security-zone ggsn host-inbound-traffic protocols all
Specify addresses.
[edit security address-book global]
user@host# set address local-sgsn 2.0.0.5/32
user@host# set address remote-ggsn 3.0.0.6/32
Enable the GTP service in the security policies and attach the inspection object to each policy.
[edit security policies]
user@host# set from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
user@host# set from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
user@host# set from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
user@host# set from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit application-services gprs-gtp-profile gtp1
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
[edit]
user@host# show security
...
gtp {
    profile gtp1;
}
zones {
    security-zone sgsn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone ggsn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.0;
        }
    }
}
address-book {
    global {
        address local-sgsn 2.0.0.5/32;
        address remote-ggsn 3.0.0.6/32;
    }
}
policies {
    from-zone sgsn to-zone ggsn {
        policy sgsn_to_ggsn {
            match {
                source-address local-sgsn;
                destination-address remote-ggsn;
                application junos-gprs-gtp;
            }
            then {
                permit {
                    application-services {
                        gprs-gtp-profile gtp1;
                    }
                }
            }
        }
    }
    from-zone ggsn to-zone sgsn {
        policy ggsn_to_sgsn {
            match {
                source-address remote-ggsn;
                destination-address local-sgsn;
                application junos-gprs-gtp;
            }
            then {
                permit {
                    application-services {
                        gprs-gtp-profile gtp1;
                    }
                }
            }
        }
    }
    default-policy {
        permit-all;
    }
}
...
The default-policy permit-all shown in this output is not configured by the example. On a production device, leave the default policy at deny-all (the Junos OS default) so that GTP traffic that does not match a policy carrying an inspection object is dropped rather than forwarded uninspected.
If you are done configuring the device, enter commit from configuration mode.
GTP Inspection Objects
For the device to inspect GPRS tunneling protocol (GTP) traffic, you must create a GTP inspection object and then apply it to a policy. Use the set security gtp profile la-ny command to create a GTP inspection object named la-ny. GTP inspection objects give you flexibility: because each policy can reference its own object, you can enforce different GTP configurations for different source and destination zones and addresses, actions, and so on.
You configure GTP features under the [edit security gtp profile profile-name] hierarchy of the inspection object. The settings do not take effect until you enter the commit command.
Example: Create a GTP Inspection Object
This example shows how to create a GTP inspection object.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you create a GTP inspection object named la-ny (Junos OS configuration names are case-sensitive, so use the same spelling when you reference the object from a policy). You keep most of the default values and enable sequence number validation.
Configuration
Step-by-Step Procedure
To configure a GTP inspection object:
Create a GTP inspection object.
[edit]
user@host# set security gtp profile la-ny
Enable sequence number validation in the object.
[edit]
user@host# set security gtp profile la-ny seq-number-validated
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
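The following Python is an added illustration, not Juniper code and not part of the original page, of what a GTP inspection object checks beyond the permit that the policy already grants. It parses GTPv1 headers (flag layout, message types and the optional sequence field follow 3GPP TS 29.060) and models the sequence number validation that the la-ny object enables: a GTP-C response is forwarded only while a request with the same sequence number is outstanding from the opposite peer. The exact matching rules of the Junos OS implementation are an assumption here, as are the build_gtpv1 helper and the constructed packets it produces; the peer addresses reuse 2.0.0.5 and 3.0.0.6 from the policy example above.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# GTP-C message types (3GPP TS 29.060) used by this model.
ECHO_REQ, ECHO_RSP = 1, 2
CREATE_PDP_REQ, CREATE_PDP_RSP = 16, 17
DELETE_PDP_REQ, DELETE_PDP_RSP = 20, 21
RESPONSE_OF = {ECHO_RSP: ECHO_REQ, CREATE_PDP_RSP: CREATE_PDP_REQ,
               DELETE_PDP_RSP: DELETE_PDP_REQ}
REQUESTS = set(RESPONSE_OF.values())


@dataclass
class GtpV1Header:
    version: int
    pt: int
    msg_type: int
    length: int
    teid: int
    seq: Optional[int]   # present only when the S flag is set
    payload: bytes


def parse_gtpv1(data: bytes) -> GtpV1Header:
    """Parse the 8-byte mandatory GTPv1 header plus the optional
    sequence/N-PDU/extension octets; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    pt = (flags >> 4) & 1
    e, s, pn = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    if len(data) != 8 + length:
        raise ValueError("length field does not match datagram")
    seq, body = None, data[8:]
    if e or s or pn:               # any flag set means all four optional octets are present
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        seq_field, _npdu, _next_ext = struct.unpack("!HBB", body[:4])
        seq = seq_field if s else None
        body = body[4:]
    return GtpV1Header(version, pt, msg_type, length, teid, seq, body)


def build_gtpv1(msg_type: int, teid: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a GTPv1 PDU with the S flag set (constructed sample input, not a capture)."""
    flags = (1 << 5) | (1 << 4) | (1 << 1)      # version 1, PT=1 (GTP), S=1
    body = struct.pack("!HBB", seq, 0, 0) + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


class SeqValidator:
    """Model of the seq-number-validated check (assumed semantics): a GTP-C
    response is forwarded only while a request with the same sequence number
    is outstanding from the opposite peer; anything else is dropped."""

    def __init__(self) -> None:
        self.outstanding: dict = {}   # (requester, responder, seq) -> request type

    def inspect(self, src: str, dst: str, data: bytes) -> str:
        try:
            hdr = parse_gtpv1(data)
        except ValueError as exc:
            return f"drop: {exc}"
        if hdr.msg_type in REQUESTS:
            if hdr.seq is None:
                return "drop: GTP-C request without sequence number"
            self.outstanding[(src, dst, hdr.seq)] = hdr.msg_type
            return "forward"
        if hdr.msg_type in RESPONSE_OF:
            key = (dst, src, hdr.seq)          # the response flows back to the requester
            if self.outstanding.get(key) != RESPONSE_OF[hdr.msg_type]:
                return "drop: unsolicited or mismatched sequence number"
            del self.outstanding[key]          # one response per request; a replay is dropped
            return "forward"
        return "forward"                       # other types carry no sequence state in this model


SGSN, GGSN = "2.0.0.5", "3.0.0.6"   # addresses reused from the policy example above


def run_sample_exchange() -> list:
    """Replay a constructed Create PDP Context exchange through the validator."""
    v = SeqValidator()
    return [
        v.inspect(SGSN, GGSN, build_gtpv1(CREATE_PDP_REQ, 0, seq=0x1234)),
        v.inspect(GGSN, SGSN, build_gtpv1(CREATE_PDP_RSP, 0xDEADBEEF, seq=0x9999)),  # wrong seq
        v.inspect(GGSN, SGSN, build_gtpv1(CREATE_PDP_RSP, 0xDEADBEEF, seq=0x1234)),  # matches
        v.inspect(GGSN, SGSN, build_gtpv1(CREATE_PDP_RSP, 0xDEADBEEF, seq=0x1234)),  # replay
        v.inspect(SGSN, GGSN, b"\x00" * 8),                                          # GTPv0 header
    ]


if __name__ == "__main__":
    for verdict in run_sample_exchange():
        print(verdict)
```

Running the sample exchange forwards the request and the matching response, and drops the response with a foreign sequence number, the replayed response, and the version 0 header. The model keeps the outstanding request keyed by the peer pair, so a response injected by a third host toward the SGSN is dropped even if it guesses the sequence number; a real inspection object additionally tracks the tunnel state that the policy's permit alone never sees.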
Additional Platform Information
To accommodate Internet of Things (IoT) and roaming firewall use cases, the GTP tunnel scale per SPU was increased in Junos OS Release 19.4 for the SRX5000 line (SRX5400, SRX5600, and SRX5800) and for the SRX4600.

Platform | SRX5000 SPC2 | SRX5000 SPC3 | SRX4600
--- | --- | --- | ---
Tunnel scale per SPU, before Release 19.4 | 600K | 1.2M | 400K
Tunnel scale per SPC, before Release 19.4 | 600K * 4 | 1.2M * 2 | 400K
Tunnel scale per SPU, Release 19.4 onwards | 3M | 12M | 4M
Tunnel scale per SPC, Release 19.4 onwards | 3M * 4 | 12M * 2 | 4M
To enable IoT and roaming firewall use cases, the GTP tunnel scale is increased for the following SRX Series Firewalls:
Platform | SRX1500 | SRX4100 | SRX4200
--- | --- | --- | ---
Tunnel scale per system, before Release 20.1 | 204800 | 409600 | 819200
Tunnel scale per system, Release 20.1 onwards | 1024000 | 4096000 | 4096000
For vSRX instances, the number of tunnels supported depends on the available system memory.
Platform | Memory | Tunnel number
--- | --- | ---
vSRX Virtual Firewall | 4G/6G | 40K
vSRX Virtual Firewall | 8G/10G/12G/14G | 200K
vSRX Virtual Firewall | 16G/20G/24G/28G | 400K
vSRX Virtual Firewall | 32G/40G/48G | 800K
vSRX Virtual Firewall | 56G/64G | 1600K (1.6M)
You can configure policies that specify any as the source or destination address (thereby matching all hosts in the zone), and policies that list multiple source and destination addresses. You can also enable traffic logging in a policy.