profile (Security GTP)
Syntax
profile profile_name {
    apn pattern-string {
        imsi-prefix imsi-prefix-digits {
            action {
                drop;
                pass;
                selection {
                    ms;
                    net;
                    vrf;
                }
            }
        }
    }
    drop {
        aa-create-pdp 0;
        aa-delete-pdp 0;
        bearer-resource 2;
        change-notification 2;
        config-transfer 2;
        context 2;
        create-bearer 2;
        create-data-forwarding 2;
        create-pdp (0 | 1 | all);
        create-session 2;
        create-tnl-forwarding 2;
        cs-paging 2;
        data-record (0 | 1 | all);
        delete-bearer 2;
        delete-command 2;
        delete-data-forwarding 2;
        delete-pdn 2;
        delete-pdp (0 | 1 | all);
        delete-session 2;
        detach 2;
        downlink-notification 2;
        echo (0 | 1 | 2 | all);
        error-indication (0 | 1 | all);
        failure-report (0 | 1 | all);
        fwd-access 2;
        fwd-relocation (1 | 2 | all);
        fwd-srns-context 1;
        g-pdu (0 | 1 | all);
        identification (0 | 1 | 2 | all);
        mbms-session-start (1 | 2 | all);
        mbms-session-stop (1 | 2 | all);
        mbms-session-update (1 | 2 | all);
        modify-bearer 2;
        modify-command 2;
        node-alive (0 | 1 | all);
        note-ms-present (0 | 1 | all);
        pdu-notification (0 | 1 | all);
        ran-info (1 | 2 | all);
        redirection (0 | 1 | all);
        release-access 2;
        relocation-cancel (1 | 2 | all);
        resume 2;
        send-route (0 | 1 | all);
        sgsn-context (0 | 1 | all);
        stop-paging 2;
        supported-extension 1;
        suspend 2;
        trace-session 2;
        update-bearer 2;
        update-pdn 2;
        update-pdp (0 | 1 | all);
        ver-not-supported (0 | 1 | 2 | all);
    }
    end-user-address-validated;
    gtp-in-gtp-denied;
    handover-group group-name;
    handover-on-roaming-intf;
    listening-mode;
    log {
        forwarded (basic | detail);
        gtp-u name;
        prohibited (basic | detail);
        rate-limited (basic | detail);
        state-invalid (basic | detail);
    }
    max-message-length max-message-length;
    min-message-length min-message-length;
    must-ie-v1 msgie-prf-v1-name;
    must-ie-v2 msgie-prf-v2-name;
    ne-group group-name;
    path-rate-limit {
        message-type (create-req | delete-req | echo-req | other) {
            alarm-threshold {
                forward forward;
                reverse reverse;
            }
            drop-threshold {
                forward forward;
                reverse reverse;
            }
        }
    }
    rate-limit {
        alarm-threshold alarm-threshold;
        drop-threshold drop-threshold;
    }
    remove-ie {
        version v1 {
            release name;
        }
    }
    remove-ie-v1 ieset-name;
    remove-ie-v2 ieset-name;
    req-timeout seconds;
    restart-path (all | create | echo);
    seq-number-validated;
    timeout hours;
    u-tunnel-validated;
    ue-group group-name;
}
Hierarchy Level
[edit security gtp]
Description
Use the profile option to create a profile for the GPRS tunneling protocol (GTP) feature. All of the statements listed under Syntax are configured within this profile.
From Junos OS Release 20.4R1 onwards, the [edit security gprs gtp] hierarchy level is replaced by [edit security gtp].
Options
apn-control—Specify an APN control profile by APN string (the apn pattern-string statement in the syntax above). An APN string consists of a Network Identifier (NI) and an Operator Identifier (OI), and can be specified in the following formats:
- <NI>: for example internet or internet.public
- <NI>.<OI>: for example internet.mnc005.mcc244.gprs or internet.public.mnc005.mcc244.gprs
The APN string supports the wildcard "*" in place of the OI. Specify the APN as <NI>.* to match that NI with any OI; you do not need to specify the OI when you use the wildcard.
You can also use this configuration to group all the APNs with the same rate-limiting requirements and apply the group to the GTP profile.
end-user-address-validated—Validate the user equipment (UE) IP address carried in the GTP-U payload. During the GTP-U security check, the device parses the encapsulated packet data unit (PDU) to obtain the UE IPv4 or IPv6 address and compares it with the end-user address stored in the user tunnel; a GTP-U packet whose inner address does not match the UE address of its tunnel fails the check. By default the UE address check is disabled, and the IP address in the GTP-U payload is not checked.
gtp-in-gtp-denied—Enable the security device to detect and drop a GTP packet that contains another GTP packet in its message body.
handover-on-roaming-intf—Enable the security device to receive context and forward relocation messages, inspect the packets, and set up PDP contexts on the device.
u-tunnel-validated—Specify GTP-U tunnel validation. When u-tunnel-validated is enabled, the GTP ALG checks whether the tunnel endpoint identifier (TEID) in the GTP-U packet matches a user tunnel in the tunnel table. If the user tunnel is not found, the GTP-U packet is dropped. By default, the check is disabled.
must-ie-v1—Check for the presence of the information elements (IEs) that must be contained in a GTPv1 message. The device checks that the Must-IEs of specific GTP messages are present and forwards the messages only if they are.
must-ie-v2—Check for the presence of the IEs that must be contained in a GTPv2 message. The device checks that the Must-IEs of specific GTP messages are present and forwards the messages only if they are.
remove-ie-v1—Remove IEs of specific types from all GTPv1 messages. This removes every instance of the specified IEs, including supporting IEs, grouped IEs, embedded IEs, and embedded grouped IEs.
remove-ie-v2—Remove IEs of specific types from all GTPv2 messages. This removes every instance of the specified IEs, including supporting IEs, grouped IEs, embedded IEs, and embedded grouped IEs.
The remaining statements are explained separately. See CLI Explorer.
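The following configuration is an added example, not taken from the Junos documentation, showing how the APN control and the validation options described above fit together in one profile on a roaming (inter-PLMN) interface. It is written in the hierarchy format used by the Syntax section. The profile name gtp-roaming-in, the APN strings, the IMSI prefix 24405, the message-IE and IE-set profile names referenced by must-ie-v1, must-ie-v2 and remove-ie-v2, and all threshold and timer values are assumptions chosen for illustration; the referenced IE profiles must be configured separately before this profile will commit.

```junos
/* Added example (not from the Junos documentation). Names and values are illustrative. */
security {
    gtp {
        profile gtp-roaming-in {
            /* APN control: pass the home-operator APN for IMSIs of the home PLMN,
               whatever OI the roaming partner appends (wildcard in place of the OI);
               drop attempts to reach the corporate APN from the same IMSI range. */
            apn "internet.*" {
                imsi-prefix 24405 {
                    action {
                        pass;
                    }
                }
            }
            apn "corp.example.*" {
                imsi-prefix 24405 {
                    action {
                        drop;
                    }
                }
            }
            /* Drop legacy GTPv0 signalling and user-plane traffic outright;
               the trailing digit is the GTP version the drop applies to. */
            drop {
                create-pdp 0;
                delete-pdp 0;
                update-pdp 0;
                g-pdu 0;
                echo 0;
            }
            /* Structural and tunnel-state checks described under Options. */
            gtp-in-gtp-denied;
            end-user-address-validated;
            u-tunnel-validated;
            seq-number-validated;
            /* Mandatory-IE checks and IE stripping; profile names are assumed
               and must exist elsewhere in the configuration. */
            must-ie-v1 v1-mandatory-ies;
            must-ie-v2 v2-mandatory-ies;
            remove-ie-v2 strip-private-ies;
            /* Control-plane flood protection; thresholds are illustrative. */
            rate-limit {
                alarm-threshold 800;
                drop-threshold 1000;
            }
            path-rate-limit {
                message-type create-req {
                    alarm-threshold {
                        forward 400;
                        reverse 400;
                    }
                    drop-threshold {
                        forward 500;
                        reverse 500;
                    }
                }
            }
            /* Log what was dropped in detail; log forwarded traffic at basic level only. */
            log {
                forwarded basic;
                prohibited detail;
                rate-limited basic;
                state-invalid detail;
            }
            req-timeout 5;
            timeout 24;
        }
    }
}
```

A profile has no effect until a security policy references it through the policy's application-services settings, which this page does not cover. After committing, confirm that the validation flags and APN entries landed in the intended profile with show configuration security gtp profile gtp-roaming-in | display set, and expect the end-user-address-validated and u-tunnel-validated checks to start dropping GTP-U packets whose inner IP address or TEID does not match an established user tunnel.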
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.0. The restart-path option added in Junos OS Release 11.4. New GPRS tunneling protocol (GTP) message types added in Junos OS Release 11.4. Support for GTPv2 added in Junos OS Release 11.4. Statement modified in Junos OS Release 15.1X49-D40. The must-ie-v1, must-ie-v2, remove-ie-v1, and remove-ie-v2 options added in Junos OS Release 20.2R1.