Handbook

Encapsulated non-IP end user traffic filtering options

6.0.0
Encapsulated non-IP end user traffic filtering options

Depending on the installed environment, it may be beneficial to detect GTP packets that encapsulate non-IP based protocols. You can configure the FortiOS Carrier firewall to permit a list of acceptable protocols and deny all others.

The encapsulated protocol is identified by the PDP Type Organization and PDP Type Number fields within the End User Address Information Element. The PDP Type Organization is a 4-bit field that indicates whether the protocol belongs to the ETSI or the IETF organization; the values are zero and one, respectively. The PDP Type Number field is one byte long. Both GTP specifications list only PPP, with a PDP Type value of one, as a valid ETSI protocol. The IETF PDP Type values come from the "Assigned PPP DLL Protocol Numbers" section of RFC 1700. The PDP types are compressed, meaning that the most significant byte of the two-byte PPP protocol number is dropped, which limits the protocols that can be listed to 0x00 through 0xFF.

Encapsulated Non-IP End User Address Filtering

Enable Non-IP Filter: Select to enable encapsulated non-IP traffic filtering.

Default Non-IP Action: Select the default action for encapsulated non-IP traffic filtering. If you select Allow, all sessions are allowed except those blocked by individual encapsulated non-IP traffic filters. If you select Deny, all sessions are blocked except those allowed by individual encapsulated non-IP traffic filters.

Type: The type chosen, AESTI or IETF.

Start Protocol: The first protocol number in the range.

End Protocol: The last protocol number in the range.

Action: The action that will be taken (Allow or Deny).

Edit: Modify a non-IP filter's settings in the list. When you select Edit, the Edit window appears, which allows you to modify the non-IP policy settings.

Delete: Remove a non-IP policy from the list.

Add Non-IP Policy: Add a new encapsulated non-IP traffic filter. When you select Add Non-IP Policy, you are automatically redirected to the New page.

New (window)

Type: Select AESTI or IETF.

Start Protocol / End Protocol: Select a start and end protocol from the list of protocols in RFC 1700. The allowed range is 0 to 255 (0x00 to 0xff). Some common protocols include:

• 33 (0x0021) Internet Protocol
• 35 (0x0023) OSI Network Layer
• 63 (0x003f) NETBIOS Framing
• 65 (0x0041) Cisco Systems
• 79 (0x004f) IP6 Header Compression
• 83 (0x0053) Encryption

Action: Select Allow or Deny.
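The following added example (not Fortinet's code) decodes the PDP Type Organization and PDP Type Number from a GTPv1 End User Address IE and evaluates them against a non-IP filter list with a default action, as the options above describe. It assumes the IE layout of type 0x80, a two-byte length, one octet whose low nibble is the PDP Type Organization, then the one-byte PDP Type Number; the IE bytes and the first-match rule order are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETSI, IETF = 0, 1  # PDP Type Organization values (page: zero and one)


@dataclass
class NonIpRule:
    org: int      # ETSI or IETF
    start: int    # first compressed protocol number (0x00..0xFF)
    end: int      # last compressed protocol number
    action: str   # "allow" or "deny"


def compress_ppp_protocol(ppp_number: int) -> int:
    """Drop the most significant byte of a PPP DLL protocol number, as the
    page explains; numbers above 0x00FF cannot be expressed as a PDP type."""
    if not 0 <= ppp_number <= 0xFF:
        raise ValueError("PPP protocol 0x%04x is not representable" % ppp_number)
    return ppp_number & 0xFF


def parse_end_user_address(ie: bytes) -> Tuple[int, int]:
    """Return (pdp_type_org, pdp_type_number). Layout assumed: type 0x80,
    2-byte length, spare/org octet (org in low nibble), PDP Type Number."""
    if len(ie) < 5 or ie[0] != 0x80:
        raise ValueError("not an End User Address IE")
    length = int.from_bytes(ie[1:3], "big")
    if length < 2 or len(ie) < 3 + length:
        raise ValueError("truncated End User Address IE")
    return ie[3] & 0x0F, ie[4]


def non_ip_action(ie: bytes, rules: List[NonIpRule], default: str) -> Optional[str]:
    """First matching rule wins (assumed order); otherwise the default
    action applies. IPv4 (0x21) and IPv6 (0x57) are IP PDP types, so this
    filter does not apply to them and None is returned."""
    org, number = parse_end_user_address(ie)
    if org == IETF and number in (0x21, 0x57):
        return None
    for r in rules:
        if r.org == org and r.start <= number <= r.end:
            return r.action
    return default


# Constructed sample IEs: ETSI PPP, IETF OSI (0x23), IETF NETBIOS (0x3F), IPv4.
PPP_IE = bytes([0x80, 0x00, 0x02, 0xF0, 0x01])
OSI_IE = bytes([0x80, 0x00, 0x02, 0xF1, 0x23])
NETBIOS_IE = bytes([0x80, 0x00, 0x02, 0xF1, 0x3F])
IPV4_IE = bytes([0x80, 0x00, 0x06, 0xF1, 0x21, 10, 0, 0, 1])
RULES = [NonIpRule(ETSI, 0x01, 0x01, "allow"), NonIpRule(IETF, 0x23, 0x23, "allow")]
```

With a Deny default, only PPP and OSI contexts pass; the NETBIOS context is dropped and the IPv4 context is left to the ordinary IP policy.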