Example: Enabling GTP Inspection in Policies
This example shows how to enable GTP inspection in policies.
Requirements
Before you begin, note that GTP is disabled on the device by default and that the device must be restarted after GTP is enabled.
Overview
In this example, you configure the interfaces ge-0/0/1 and ge-0/0/2 with the addresses 2.0.0.254/8 and 3.0.0.254/8. You then configure the security zones and specify the addresses 2.0.0.5/32 and 3.0.0.6/32. Finally, you enable the GTP service in the security policies to allow bidirectional traffic between two networks within the same PLMN.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure GTP inspection in policies:
- Enable GTP.
  [edit]
  user@host# set security gprs gtp enable
  user@host# commit
  user@host# exit
  user@host# request system reboot
- Create the GTP inspection object.
  [edit]
  user@host# set security gprs gtp profile gtp1
- Configure interfaces.
  [edit interfaces]
  user@host# set ge-0/0/1 unit 0 family inet address 2.0.0.254/8
  user@host# set ge-0/0/2 unit 0 family inet address 3.0.0.254/8
- Configure security zones.
  [edit security zones]
  user@host# set security-zone sgsn interfaces ge-0/0/1.0
  user@host# set security-zone sgsn host-inbound-traffic system-services all
  user@host# set security-zone sgsn host-inbound-traffic protocols all
  user@host# set security-zone ggsn interfaces ge-0/0/2.0
  user@host# set security-zone ggsn host-inbound-traffic system-services all
  user@host# set security-zone ggsn host-inbound-traffic protocols all
- Specify addresses.
  [edit security address-book global]
  user@host# set address local-sgsn 2.0.0.5/32
  user@host# set address remote-ggsn 3.0.0.6/32
- Enable the GTP service in the security policies.
  [edit security policies]
  user@host# set from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
  user@host# set from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
  user@host# set from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
  user@host# set from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit application-services gprs-gtp-profile gtp1
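The steps above build the policies by hand. As an added example (not Juniper code and not part of this page), the following Python checker reads a configuration in the `set` command form used in these steps and reports the mistakes that silently leave GTP traffic uninspected: a policy that matches junos-gprs-gtp and permits it without a gprs-gtp-profile, a profile name that was never defined, a missing `set security gprs gtp enable`, and a zone pair with no policy in the reverse direction. The sample configuration is constructed from this page's commands, with the ggsn-to-sgsn policy deliberately left without a profile so that a finding is produced; the regular expressions assume the single-line set syntax shown in the steps.

```python
"""Audit a Junos set-style configuration for GTP inspection coverage.

Added example, not Juniper code. It parses the set commands used in the
procedure above and checks that every policy that permits GTP traffic also
hands it to a defined GTP inspection profile.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: this page's set commands, with the reverse-direction
# policy intentionally missing its gprs-gtp-profile.
SAMPLE_CONFIG = """
set security gprs gtp enable
set security gprs gtp profile gtp1
set security zones security-zone sgsn interfaces ge-0/0/1.0
set security zones security-zone ggsn interfaces ge-0/0/2.0
set security address-book global address local-sgsn 2.0.0.5/32
set security address-book global address remote-ggsn 3.0.0.6/32
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$"
)
PROFILE_RE = re.compile(r"^set security gprs gtp profile (\S+)")


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    applications: Set[str] = field(default_factory=set)
    permits: bool = False
    gtp_profile: Optional[str] = None


def parse_set_config(text: str) -> Tuple[bool, Set[str], Dict[Tuple[str, str, str], Policy]]:
    """Collect the GTP enable flag, GTP profile names and security policies."""
    gtp_enabled = False
    profiles: Set[str] = set()
    policies: Dict[Tuple[str, str, str], Policy] = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise stray whitespace
        if not line.startswith("set "):
            continue
        if line == "set security gprs gtp enable":
            gtp_enabled = True
            continue
        m = PROFILE_RE.match(line)
        if m:
            profiles.add(m.group(1))
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        from_zone, to_zone, name, clause, rest = m.groups()
        key = (from_zone, to_zone, name)
        pol = policies.setdefault(key, Policy(from_zone, to_zone, name))
        if clause == "match":
            # "application X" inside the match clause; "application-services"
            # never appears here, so the trailing space keeps them apart.
            pol.applications.update(re.findall(r"application (\S+)", rest))
        else:
            if rest.startswith("permit"):
                pol.permits = True
            prof = re.search(r"gprs-gtp-profile (\S+)", rest)
            if prof:
                pol.gtp_profile = prof.group(1)
    return gtp_enabled, profiles, policies


def audit_gtp_inspection(text: str) -> List[str]:
    """Return human-readable findings; an empty list means inspection is complete."""
    gtp_enabled, profiles, policies = parse_set_config(text)
    findings: List[str] = []
    if not gtp_enabled:
        findings.append("GTP is not enabled (set security gprs gtp enable); no inspection will run")
    gtp_policies = [p for p in policies.values()
                    if "junos-gprs-gtp" in p.applications and p.permits]
    pairs = {(p.from_zone, p.to_zone) for p in gtp_policies}
    for p in gtp_policies:
        if p.gtp_profile is None:
            findings.append(f"policy {p.name} ({p.from_zone}->{p.to_zone}) permits GTP "
                            "without a gprs-gtp-profile: traffic passes uninspected")
        elif p.gtp_profile not in profiles:
            findings.append(f"policy {p.name} references undefined GTP profile {p.gtp_profile!r}")
        if (p.to_zone, p.from_zone) not in pairs:
            findings.append(f"no reverse GTP policy for {p.to_zone}->{p.from_zone}; "
                            "bidirectional traffic needs one")
    return findings


if __name__ == "__main__":
    for finding in audit_gtp_inspection(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show configuration | display set` output saved to a file; the only finding for the constructed sample is the ggsn_to_sgsn policy permitting GTP without a profile, which is exactly the step the page's reverse policy must not omit.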
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
[edit]
user@host# show security
...
gprs {
    gtp {
        profile gtp1;
    }
}
zones {
    security-zone sgsn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone ggsn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.0;
        }
    }
}
address-book {
    global {
        address local-sgsn 2.0.0.5/32;
        address remote-ggsn 3.0.0.6/32;
    }
}
policies {
    from-zone sgsn to-zone ggsn {
        policy sgsn_to_ggsn {
            match {
                source-address local-sgsn;
                destination-address remote-ggsn;
                application junos-gprs-gtp;
            }
            then {
                permit {
                    application-services {
                        gprs-gtp-profile gtp1;
                    }
                }
            }
        }
    }
    from-zone ggsn to-zone sgsn {
        policy ggsn_to_sgsn {
            match {
                source-address remote-ggsn;
                destination-address local-sgsn;
                application junos-gprs-gtp;
            }
            then {
                permit {
                    application-services {
                        gprs-gtp-profile gtp1;
                    }
                }
            }
        }
    }
    default-policy {
        permit-all;
    }
}
...
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying GTP Inspection in Policies
Purpose
Verify that GTP inspection is enabled.
Action
From operational mode, enter the show security command.