j. GPRS Tunneling Protocol (GTP)
Records GTP events.
Sample Events
date=2020-06-26 time=15:01:27 logid="1400041224" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593208887251968776 tz="-0700" profile="gtpp" status="prohibited" version=2 msg-type=32 from6=2001:172:16:200::6 to6=2001:172:16:200::34 deny_cause="sgsn-not-authorized" ietype=75 dtlexp="none" srcport=34612 dstport=2123 seqnum=1 tunnel-idx=0 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 headerteid=0 snetwork="222.333" cpaddr6=2001:10:1:100::33 cpteid=886008 uli="011000:222.333.1" ulimcc=222 ulimnc=333
date=2020-06-26 time=15:04:23 logid="1400041223" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593209063197162647 tz="-0700" profile="gtpp" status="forwarded" version=2 msg-type=32 from6=2001:172:16:200::6 to6=2001:172:16:200::34 srcport=65372 dstport=2123 seqnum=1 tunnel-idx=4 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 headerteid=0 snetwork="222.333" cpaddr6=2001:10:1:100::33 cpteid=886008 uli="011000:222.333.1" ulimcc=222 ulimnc=333
date=2020-06-26 time=15:08:03 logid="1400041228" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593209283529236672 tz="-0700" profile="gtpp" status="traffic-count" version=2 cpdladdr6=2001:10:1:100::33 cpdlteid=886008 cpdlisrteid=0 cpulteid=0 tunnel-idx=4 duration=220 c-pkts=1 c-bytes=262 u-pkts=0 u-bytes=0 imsi="021310123200000" msisdn="12345678900001" apn="apn2.com" selection="apns-vrf" imei-sv="unknown" rat-type="eutran" end-usr-address=11.0.1.50 snetwork="222.333" uli="011000:222.333.1" ulimcc=222 ulimnc=333
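As an added example (not part of the original reference or of any vendor tooling), the following Python parses the key=value layout of the sample events above, converts `eventtime` (epoch nanoseconds in these samples) to UTC, and counts `status="prohibited"` events by source peer, deny cause and APN. The function names are hypothetical and the log lines are trimmed copies of the samples.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Trimmed copies of the sample events above (some fields omitted for width).
SAMPLE_LOGS = [
    'date=2020-06-26 time=15:01:27 logid="1400041224" type="gtp" eventtime=1593208887251968776 '
    'tz="-0700" status="prohibited" version=2 msg-type=32 from6=2001:172:16:200::6 '
    'deny_cause="sgsn-not-authorized" ietype=75 imsi="021310123200000" apn="apn2.com"',
    'date=2020-06-26 time=15:04:23 logid="1400041223" type="gtp" eventtime=1593209063197162647 '
    'tz="-0700" status="forwarded" version=2 msg-type=32 from6=2001:172:16:200::6 '
    'tunnel-idx=4 imsi="021310123200000" apn="apn2.com"',
    'date=2020-06-26 time=15:08:03 logid="1400041228" type="gtp" eventtime=1593209283529236672 '
    'tz="-0700" status="traffic-count" version=2 tunnel-idx=4 duration=220 c-pkts=1 '
    'c-bytes=262 u-pkts=0 u-bytes=0 imsi="021310123200000" apn="apn2.com"',
]

# A key at a token boundary, then either a "quoted value" or a bare token.
PAIR_RE = re.compile(r'(?<!\S)([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_event(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def event_time_utc(event):
    """eventtime in these samples is epoch nanoseconds; return an ISO-8601 UTC string."""
    seconds = int(event["eventtime"]) // 10**9
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def summarize_denials(lines):
    """Count GTP events with status="prohibited" per (source peer, deny_cause, apn)."""
    counts = Counter()
    for event in map(parse_event, lines):
        if event.get("type") == "gtp" and event.get("status") == "prohibited":
            peer = event.get("from6") or event.get("from") or "unknown"
            counts[(peer, event.get("deny_cause", "unknown"), event.get("apn", "unknown"))] += 1
    return counts


if __name__ == "__main__":
    for (peer, cause, apn), n in summarize_denials(SAMPLE_LOGS).items():
        print(f"{n} denied from {peer}: {cause} (apn={apn})")
    print(event_time_utc(parse_event(SAMPLE_LOGS[0])))
```
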
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | FortiGateGTP |
CRITICALITY | |
LOGID | Unique 10-digit identifier for the log entry, encoding the log type, subtype/event type and message ID |
TYPE | Represented by the first two digits of the log ID |
SUBTYPE | Represented by the first/second two digits of the log ID |
EVENTTYPE | Represented by the second two digits of the log ID |
DEVNAME | |
DEVID | Serial number of the device for the traffic's origin |
LEVEL | Security level rating |
VD | Name of the virtual domain in which the log message was recorded |
EVENTTIME | Epoch time the log was triggered by FortiGate |
TZ | |
PROFILE | Profile name |
STATUS | Status |
VERSION | Version |
MSG-TYPE | Message type |
FROM | From |
FROM6 | |
TO | To |
TO6 | |
DENY_CAUSE | Deny cause |
IETYPE | Malformed GTP IE number |
DTLEXP | Detailed explanation |
CPDLADDR6 | |
CPDLTEID | Control Plane downlink tunnel endpoint identifier |
CPDLISRTEID | Control Plane ISR downlink tunnel endpoint identifier |
CPULTEID | Control Plane uplink TEID |
SRCPORT | Source port |
DSTPORT | Destination port |
SEQNUM | GTP packet sequence number |
TUNNEL-IDX | Tunnel serial number, internally assigned |
DURATION | Tunnel duration |
C-PKTS | Control Plane packets |
C-BYTES | Control Plane data bytes |
U-PKTS | User Plane packets |
U-BYTES | User Plane data bytes |
IMSI | International mobile subscriber ID |
MSISDN | Mobile Subscriber Integrated Services Digital Network-Number (the telephone number assigned to a SIM card) |
APN | Access Point Name |
SELECTION | APN selection, an information element (IE) in the GTP packet |
IMEI-SV | |
RAT-TYPE | Radio Access Technology type |
END-USR-ADDRESS | End user IP address |
HEADERTEID | Tunnel endpoint ID header |
SNETWORK | Source network, an IE type in the GTPv2 packet |
CPADDR6 | |
CPTEID | Control Plane TEID (either downlink or uplink) |
ULI | |
ULIMCC | |
ULIMNC | |
SNAREDATAMAP | All other data in the event will be pushed to this field |
Notes
Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference