show security gtp profile
Syntax
show security gtp profile (profile-name | all)
Description
Use this command to display the GTP configuration. IP addresses in GPRS tunneling protocol (GTP) messages on the Gp or S8 interface are validated against the configured IP group list to prevent attacks. The GTP firewall identifies the IP addresses in GTP messages and matches them against the configured IP group list. Based on the match criteria, valid GTP messages are forwarded to the Packet Forwarding Engine, and invalid GTP messages are dropped.
From Junos OS Release 20.4R1 onwards, show security gprs gtp configuration is replaced by show security gtp profile <profile_name>. The identifier option is replaced by profile-name in Junos OS Release 20.4R1.
Options
profile-name—Displays the specified GTP profile.
all—Displays the list of all GTP profiles.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security gtp profile command. Output fields are listed in the approximate order in which they appear.

Field Name | Field Description |
---|---|
Index | An internal number associated with the GTP message. |
Min Message Length | Displays minimum message payload length (in bytes). |
Max Message Length | Displays maximum message payload length (in bytes). |
Timeout | Elapsed time without activity after which the profile is terminated. |
Rate Limit Alarm Threshold, Rate Limit Drop Threshold | Displays the rate limit for control traffic to any GSN defined in a GTP profile. The drop threshold and alarm threshold options reduce duplicate drop logs for the destination GSN. |
Remove R6, Remove R7, Remove R8, Remove R9 | Displays count of IEs that are removed from GTP messages. |
Deny Nested GTP | Represents the denial of nested GTP profiles. |
Validated | Represents validated address of the end user. |
Restart Path | Represents the restart status of the GTP path. |
Log Forwarded | A packet that the security device transmitted because it was valid. |
Log event | A packet that the security device dropped because it failed stateful inspection, log alarms, and tunnel management events. |
Log Prohibited | A packet that the security device dropped because it was invalid. |
Log Ratelimited | A packet that the security device dropped because it exceeded the maximum rate limit of the destination GSN. |
Drop AA Create PDU | Represents Create AA PDU Context Request and Create AA PDU Context Response messages. |
Drop AA Delete PDU | Represents Delete AA PDP Context Request and Delete AA PDP Context Response messages. |
Drop Bearer Resource | Represents Bearer Resource Command and Bearer Resource Failure messages. |
Drop Change Notification | Represents Change Notification Request and Change Notification Response messages. |
Drop Config Transfer | Represents Configuration Transfer Tunnel messages. |
Drop Context | Represents Context Request and Context Response messages. |
Drop Create Bear | Represents Create Bearer Request and Create Bearer Response messages. |
Drop Create Data Forwarding | Represents Create Indirect Data Forwarding Request and Create Indirect Data Forwarding Response messages. |
Drop Create PDU | Represents Create PDU Context Request and Create PDU Context Response messages. |
Drop Create Session | Represents Create Session Request and Create Session Response messages. |
Drop Create Forwarding Tnl | Represents Create Forwarding Tunnel Request and Create Forwarding Tunnel Response messages. |
Drop CS Paging | Represents CS Paging Indication messages. |
Drop Data Record | Represents Data Record Request and Data Record Response messages. |
Drop Delete Bearer | Represents Delete Bearer Request and Delete Bearer Response messages. |
Drop Delete Command | Represents Delete Bearer Command and Delete Bearer Failure messages. |
Drop Delete Data Forwarding | Represents Delete Indirect Data Forwarding Request and Delete Indirect Data Forwarding Response messages. |
Drop Delete PDN | Represents Delete PDN Connection Set Request and Delete PDN Connection Set Response messages. |
Drop Delete PDP | Represents Delete PDP Context Request and Delete PDP Context Response messages. |
Drop Delete Session | Represents Delete Session Request and Delete Session Response messages. |
Drop Detach | Represents Detach Notification and Detach Acknowledgement messages. |
Drop Downlink Notification | Represents Downlink Data Notification, Downlink Data Acknowledgement, and Downlink Data Notification Failure Indication messages. |
Drop Echo | Represents Echo Request and Echo Response messages. |
Drop Error Indication | Represents Error Indication messages. |
Drop Failure Report | Represents Failure Report Request and Failure Report Response messages. |
Drop FWD Access | Represents Forward Access Context Notification and Forward Access Context Acknowledgment messages. |
Drop FWD Relocation | Represents Forward Relocation Request, Forward Relocation Response, Forward Relocation Complete, and Forward Relocation Complete Acknowledge messages. |
Drop FWD SRNS Context | Represents Forward SRNS Context Request and Forward SRNS Context Response messages. |
Drop G-PDU | Represents G-PDU and T-PDU messages. |
Drop Identification | Represents Identification Request and Identification Response messages. |
Drop MBMS Sess Start | Represents MBMS Session Start Request and MBMS Session Start Response messages. |
Drop MBMS Sess Stop | Represents MBMS Session Stop Request and MBMS Session Stop Response messages. |
Drop MBMS Sess Update | Represents MBMS Session Update Request and MBMS Session Update Response messages. |
Drop Modify Bearer | Represents Modify Bearer Request and Modify Bearer Response messages. |
Drop Modify Command | Represents Modify Bearer Command and Modify Bearer Failure messages. |
Drop Node Alive | Represents Node Alive Request and Node Alive Response messages. |
Drop Note MS Present | Represents Note MS GPRS Present Request and Note MS GPRS Present Response messages. |
Drop PDU Notification | Represents PDU Notification Request and PDU Notification Response messages. |
Drop Ran Info | Represents Ran Info Relay messages. |
Drop Redirection | Represents Redirection Request and Redirection Response messages. |
Drop Release Access | |
Drop Relocation Cancel | Represents Relocation Cancel Request and Relocation Cancel Response messages. |
Drop Resume | Represents Resume Notification and Resume Acknowledgement messages. |
Drop Send Route | Represents Send Route Info Request and Send Route Info Response messages. |
Drop SGSN Context | Represents SGSN Context Request and SGSN Context Response messages. |
Drop Stop Paging | Represents Stop Paging Indication messages. |
Drop Supported Extension | Represents Supported Extension Headers Notification messages. |
Drop Suspend | Represents Suspend Notification and Suspend Acknowledgement messages. |
Drop Trace Session | Represents Trace Session Activation in GTP. |
Drop Update Bearer | Represents Update Bearer Request and Update Bearer Response messages. |
Drop Update PDN | Represents Update PDN Set Connection Request and PDN Set Connection Response messages. |
Drop Update PDP | Represents Update PDP Request and Update PDP Response messages. |
Drop Ver Not Supported | Represents Version Not Supported messages. |
Handover group name | Name of the handover IP address group. |
NE group name | Name of the network equipment group. |
UE group name | Name of the user equipment group. |
Must-IE profile V1 | Represents GTPv1 Must-IE check. |
Must-IE profile V2 | Represents GTPv2 Must-IE check. |
Remove-ie-set V1 | Represents GTPv1 IE Removal. |
Remove-ie-set V2 | Represents GTPv2 IE Removal. |
Listening-mode | Represents listening-mode for GTP inspection. |
Sample Output
Refer to the following sample outputs for Junos OS Release 20.3R1 or earlier releases.
- show security gtp configuration all (GTP Profile)
- show security gtp configuration 1 (GTP Profile)
- show security gtp profile name (listening-mode, rate-limit, log event)
show security gtp configuration all (GTP Profile)
```
user@host> show security gtp configuration all
GTP Profile List (id, name):
  1 GTP
```
show security gtp configuration 1 (GTP Profile)
```
user@host> show security gtp configuration 1
Profile Details:
  Index : 1
  Min Message Length : 0
  Max Message Length : 65535
  Timeout : 1000
  Rate Limit : 0
  Request Timeout : 0
  Remove IE V1 : 172, 180, 181, 182, 183, 184, 199
  Remove IE V2 : 255
  Deny Nested GTP : 0
  Validated : 0
  Passive learning enable : 0
  Restart Path : 0
  Log Forwarded : 0
  Log State Invalid : 0
  Log Prohibited : 0
  Log Ratelimited : 0
  Frequency Number : 0
  Drop AA Create PDU : 0
  Drop AA Delete PDU : 0
  Drop Bearer Resource : 0
  Drop Change Notification : 0
  Drop Config Transfer : 0
  Drop Context : 0
  Drop Create Bear : 0
  Drop Create Data Forwarding : 0
  Drop Create PDU : 0
  Drop Create Session : 0
  Drop Create Forwarding Tnl : 0
  Drop CS Paging : 0
  Drop Data Record : 0
  Drop Delete Bearer : 0
  Drop Delete Command : 0
  Drop Delete Data Forwarding : 0
  Drop Delete PDN : 0
  Drop Delete PDP : 0
  Drop Delete Session : 0
  Drop Detach : 0
  Drop Downlink Notification : 0
  Drop Echo : 0
  Drop Error Indication : 0
  Drop Failure Report : 0
  Drop FWD Access : 0
  Drop FWD Relocation : 0
  Drop FWD SRNS Context : 0
  Drop G-PDU : 0
  Drop Identification : 0
  Drop MBMS Sess Start : 0
  Drop MBMS Sess Stop : 0
  Drop MBMS Sess Update : 0
  Drop Modify Bearer : 0
  Drop Modify Command : 0
  Drop Node Alive : 0
  Drop Note MS Present : 0
  Drop PDU Notification : 0
  Drop Ran Info : 0
  Drop Redirection : 0
  Drop Release Access : 0
  Drop Relocation Cancel : 0
  Drop Resume : 0
  Drop Send Route : 0
  Drop SGSN Context : 0
  Drop Stop Paging : 0
  Drop Supported Extension : 0
  Drop Suspend : 0
  Drop Trace Session : 0
  Drop Update Bearer : 0
  Drop Update PDN : 0
  Drop Update PDP : 0
  Drop Ver Not Supported : 0
  Handover group name : N/A
  NE group name : N/A
  UE group name : N/A
  Must-ie profile V1 : msgie-v1
  Must-ie profile V2 : msgie-v2
  Remove-ie-set V1 : ieset-v1-r7
  Remove-ie-set V2 : ieset-v2
```
Refer to the following sample output for Junos OS Release 20.4R1 or later releases.
show security gtp profile name (listening-mode, rate-limit, log event)
```
user@host> show security gtp profile gtp1
Profile Details:
  Index : 1
  Min Message Length : 0
  Max Message Length : 65535
  Timeout : 1000
  Rate Limit Alarm Threshold : 400
  Rate Limit Drop Threshold : 800
  Rate Limit GTPv0 Message : 16, 18, 20, 22, 24
  Rate Limit GTPv1 Message : 16, 20
  Rate Limit GTPv2 Message : 32, 34, 36, 95, 99
  Request Timeout : 6
  Deny Nested GTP : 0
  Validated : 1
  ……
  APN Control : apn1
```
Refer to the following sample output for Junos OS Release 21.2R1 or later releases.
show security gtp profile name (listening-mode, rate-limit, log event)
```
user@host> show security gtp profile gtp1
Profile Details:
  Index : 1
  Min Message Length : 0
  Max Message Length : 65535
  Timeout : 1000
  Rate Limit Alarm Threshold : 2
  Rate Limit Drop Threshold : 0
  Request Timeout : 0
  GTP-in-GTP Denied : 1
  User Tunnel Validation : 1
  Sequnecy Number Validation : 1
  End User Address Validation : 1
  Listening-mode : enabled
  Restart Path : 0
  Log Forwarded : 0
  Log Event : 1
  Log Prohibited : 0
  Log Ratelimited : 0
  Log GTP-U : none
  Drop AA Create PDU : 0
  Drop AA Delete PDU : 0
  Drop Bearer Resource : 0
  Drop Change Notification : 0
  Drop Config Transfer : 0
  Drop Context : 0
  Drop Create Bear : 0
  Drop Create Data Forwarding : 0
  Drop Create PDU : 0
  Drop Create Session : 0
  Drop Create Forwarding Tnl : 0
  Drop CS Paging : 0
  Drop Data Record : 0
  Drop Delete Bearer : 0
  Drop Delete Command : 0
  Drop Delete Data Forwarding : 0
  Drop Delete PDN : 0
  Drop Delete PDP : 0
  Drop Delete Session : 0
  Drop Detach : 0
  Drop Downlink Notification : 0
  Drop Echo : 0
  Drop Error Indication : 0
  Drop Failure Report : 0
  Drop FWD Access : 0
  Drop FWD Relocation : 0
  Drop FWD SRNS Context : 0
  Drop G-PDU : 0
  Drop Identification : 0
  Drop MBMS Sess Start : 0
  Drop MBMS Sess Stop : 0
  Drop MBMS Sess Update : 0
  Drop Modify Bearer : 0
  Drop Modify Command : 0
  Drop Node Alive : 0
  Drop Note MS Present : 0
  Drop PDU Notification : 0
  Drop Ran Info : 0
  Drop Redirection : 0
  Drop Release Access : 0
  Drop Relocation Cancel : 0
  Drop Resume : 0
  Drop Send Route : 0
  Drop SGSN Context : 0
  Drop Stop Paging : 0
  Drop Supported Extension : 0
  Drop Suspend : 0
  Drop Trace Session : 0
  Drop Update Bearer : 0
  Drop Update PDN : 0
  Drop Update PDP : 0
  Drop Ver Not Supported : 0
  Handover group name : N/A
  NE group name : N/A
  UE group name : N/A
  Must-ie profile V1 : N/A
  Must-ie profile V2 : N/A
  Remove-ie-set V1 : N/A
  Remove-ie-set V2 : N/A
```
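The following is an added example, not part of the Junos OS documentation: a Python script that parses `show security gtp profile` output (one `Name : value` pair per line) and reports every field that differs from a saved baseline, so that a change such as address validation being switched off or an IP group being unset is caught in review. The sample text is constructed from the field names on this page, and the function names and category labels are hypothetical.

```python
# Constructed sample output; field names come from this page, values are made up.
BASELINE = """\
user@host> show security gtp profile gtp1
Profile Details:
  Index : 1
  Rate Limit Alarm Threshold : 400
  Rate Limit Drop Threshold : 800
  End User Address Validation : 1
  Listening-mode : enabled
  Log Prohibited : 1
  Drop Echo : 0
  UE group name : ue-group
"""
# Same profile captured later, with two settings changed (also constructed).
CURRENT = BASELINE.replace("Validation : 1", "Validation : 0") \
                  .replace("ue-group", "N/A")

def parse_profile(text):
    """Return {field name: value} for every 'Name : value' line."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        # The prompt line has no colon and "Profile Details:" has no value.
        if sep and name and value:
            fields[name] = value
    return fields

def category(field):
    """Group a field by its name prefix (labels are this example's own)."""
    if field.startswith("Drop "):
        return "drop"
    if field.startswith("Log "):
        return "log"
    if field.startswith("Rate Limit"):
        return "rate-limit"
    if "Validation" in field or field.endswith("group name"):
        return "validation"
    return "other"

def drift(baseline_text, current_text):
    """List (category, field, old, new) for fields that changed, appeared or vanished."""
    old, new = parse_profile(baseline_text), parse_profile(current_text)
    return [(category(f), f, old.get(f), new.get(f))
            for f in sorted(old.keys() | new.keys())
            if old.get(f) != new.get(f)]

if __name__ == "__main__":
    for cat, field, before, after in drift(BASELINE, CURRENT):
        print(f"[{cat}] {field}: {before} -> {after}")
```

A field present in only one capture is reported with `None` on the other side, which also surfaces the field-name differences between releases shown in the sample outputs.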
Release Information
Command introduced in Junos OS Release 19.3R1. The identifier option is replaced by profile-name in Junos OS Release 20.4R1.