Configuring Imsi Prefix And Apn Filtering; Creating An Apn Filter - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

Configuring IMSI Prefix and APN Filtering

To configure GTP logging, select basic or extended for each GTP packet status:

- Log Forwarded Packets—When enabled, the device creates a log entry for each GTP packet that was transmitted because it was permitted by the security policy.
- Log Dropped Packet Due to Type/Length/Version—When enabled, the device creates a log entry for each GTP packet that was dropped because it was denied by the security policy.
- Log Dropped Packet Due to Invalid State—When enabled, the device creates a log entry for each GTP packet that was dropped because it failed stateful inspection.
- Log Dropped Packet Due to GSN Tunnel Limit—When enabled, the device creates a log entry for each GTP packet that was dropped because the maximum limit of GTP tunnels for the destination GSN was reached.
- Log Dropped Packet Due to GSN Rate Limit—When enabled, the device creates a log entry for each GTP packet that was dropped because the maximum rate limit of the destination GSN was reached.

You can also specify how often a security device creates log entries for rate-limited messages. Setting a logging frequency conserves resources on the syslog server and the security device, and can prevent the log from being flooded with messages. By default, the frequency is 2, meaning the security device creates a log entry for every two messages above the set rate limit.

To view GTP traffic log entries, use the Log Viewer.

You can use the IMSI Prefix and APN to restrict access to a specific set of mobile subscribers.

Creating an APN Filter

An Access Point Name (APN) is included in the header of a GTP packet, and provides information on how to reach a network. By default, a security device permits all APNs. However, you can configure the device to filter APNs, enabling access only for those APNs you specify, and restricting roaming subscribers' access to external networks.

You can specify up to 2000 permitted APNs. When APN filtering is enabled, it applies only to "create pdp request" messages. For these messages to pass an APN filter, the GTP packet must match both the APN name filter and the Selection Mode filter:

- APN Domain Name filter—The device attempts to match the APN in a GTP packet to the APNs set in the GTP object. If the two APNs match, the device passes the packet to the selection mode filter.
- Selection Mode Filter—The device attempts to match the Selection Mode for the GTP packet and the GTP object. If the two modes match, the device forwards the GTP packet; if the modes do not match, the device drops the GTP packet.

Additionally, you can filter GTP packets based on the combination of an IMSI prefix and an APN. For details, see "Creating an IMSI Prefix Filter" on page 385.
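
The two-stage decision described above can be modeled offline to check a planned permit list before it is pushed to a device. This is an added example, not Juniper code: the function names, the sample APNs, case-insensitive exact matching and dropping a malformed APN are assumptions, while the message type, APN label encoding and Selection Mode values come from 3GPP TS 29.060 rather than from this guide.

```python
# Added example: a model of the APN filter decision, not device code.
CREATE_PDP_CONTEXT_REQUEST = 16      # GTPv1 message type (3GPP TS 29.060)
MAX_APNS = 2000                      # limit stated in the guide
# Selection Mode values (3GPP TS 29.060); constant names are illustrative
SEL_VERIFIED, SEL_MS_UNVERIFIED, SEL_NET_UNVERIFIED = 0, 1, 2

def encode_apn(name: str) -> bytes:
    """Build the length-prefixed label form an APN has on the wire."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))

def decode_apn(raw: bytes) -> str:
    """Decode length-prefixed labels; reject truncated or empty labels."""
    labels, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0 or i + 1 + n > len(raw):
            raise ValueError("malformed APN encoding")
        labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    if not labels:
        raise ValueError("empty APN")
    return ".".join(labels).lower()   # assumption: case-insensitive match

def apn_filter(msg_type: int, raw_apn: bytes, sel_mode: int, permitted: dict):
    """Return (action, reason); permitted maps APN -> set of allowed modes."""
    if len(permitted) > MAX_APNS:
        raise ValueError("more than 2000 permitted APNs")
    # The filter applies only to create pdp request messages.
    if msg_type != CREATE_PDP_CONTEXT_REQUEST:
        return ("not-evaluated", "filter applies to create pdp request only")
    try:
        apn = decode_apn(raw_apn)
    except ValueError:                # assumption: malformed APN is dropped
        return ("drop", "malformed-apn")
    modes = permitted.get(apn)        # stage 1: APN name filter
    if modes is None:
        return ("drop", "apn-not-permitted")
    if (sel_mode & 0x03) not in modes:  # stage 2: low 2 bits carry the mode
        return ("drop", "selection-mode-mismatch")
    return ("forward", "apn-and-selection-mode-match")

# Constructed sample permit list (hypothetical APNs).
PERMITTED = {
    "internet.example": {SEL_VERIFIED},
    "corp.example": {SEL_VERIFIED, SEL_NET_UNVERIFIED},
}
```

A packet that names a permitted APN but carries an unexpected Selection Mode is dropped at the second stage, which is the case most easily missed when only the APN list is reviewed.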
Copyright © 2010, Juniper Networks, Inc.
