FortiOS-Carrier Upgrade License: The Essential Security Layer for Modern Mobile Networks
In the rapidly evolving landscape of mobile communications, where 5G and IoT are expanding network surfaces and vulnerabilities, protecting the core network infrastructure is paramount. Mobile carriers, Mobile Virtual Network Operators (MVNOs), and large-scale service providers face unique security challenges inherent to protocols like GPRS Tunneling Protocol (GTP) and Packet Forwarding Control Protocol (PFCP). Fortinet's FortiOS-Carrier Upgrade License is a specialized software license that transforms standard FortiGate next-generation firewalls into powerful, carrier-grade security gateways. Designed specifically for the scale and complexity of mobile core networks, this license extends the rich security features of standard FortiOS to provide high-performance traffic inspection and protocol-specific security at a massive scale, safeguarding 5G, 4G, and IoT infrastructures from sophisticated attacks.
Core Capabilities and Key Technologies
The FortiOS-Carrier license equips service providers with critical functionalities to secure their most vital assets.
1. Advanced GTP Firewall: The GPRS Tunneling Protocol is fundamental to mobile data but is a known attack vector. The integrated GTP Firewall provides comprehensive security across 2G, 3G, 4G, and 5G networks.
- Protocol Anomaly Detection: Blocks malformed packets, out-of-state messages, and denial-of-service attacks targeting GTP layers.
- Granular Filtering: Controls traffic based on IMSI prefixes, APN names, MCC/MNC codes, RAT type, and IMEI/MSISDN numbers.
- Stateful Inspection & Payload Scanning: Performs deep packet inspection within GTP-U tunnels, applying antivirus, data leakage prevention (DLP), and web filtering to subscriber data traffic.
- Anti-Overbilling Protection: Works in conjunction with Gi/SGi firewall policies to prevent fraud by correlating GTP tunnel records with actual data usage.
2. PFCP Firewall for 5G CUPS: Modern 5G and advanced 4G networks use Control and User Plane Separation (CUPS) architecture, managed by the PFCP protocol. FortiOS-Carrier provides essential security for this interface.
- PFCP Message Inspection: Filters, tracks, and performs anomaly detection on PFCP sessions between control plane and user plane functions (e.g., SMF and UPF).
- N4 Interface Security: Specifically secures the critical N4 interface in 5G core networks, protecting the communication that dictates how user data is forwarded.
3. High-Scale Performance & Simplified Operations: The solution is built for carrier demands.
- Massive Scalability: Capable of supporting hundreds of thousands of concurrent subscribers and scaling to meet the requirements of massive signaling surges.
- Unified Management: Fully supported by FortiManager for centralized device management and FortiAnalyzer for logging and analysis, allowing mixed estates of Carrier and standard FortiOS devices to be managed from a single pane of glass.
- Operational Efficiency: Features like dynamic context security policy, derived from RADIUS records, automate policy assignment based on subscriber identity, lowering operational costs.
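What the Protocol Anomaly Detection and Granular Filtering bullets under the GTP firewall mean at the packet level, as an added Python illustration for GTPv2-C (not Fortinet's implementation and not part of the original page). The names `inspect_gtpv2c` and `build_csr` are hypothetical, the sample uses the test PLMN 001/01, and only messages that carry a TEID are handled.

```python
import struct

CREATE_SESSION_REQUEST = 32      # GTPv2-C message type (3GPP TS 29.274)
IE_IMSI = 1                      # GTPv2-C information element type

def decode_tbcd(raw):
    """TBCD digits: low nibble first, 0xF pads an odd-length number."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw).rstrip("f")
    if not digits.isdigit():
        raise ValueError("bad TBCD")
    return digits

def inspect_gtpv2c(pkt, imsi_prefixes):
    """Return (verdict, reason) for one GTPv2-C message carrying a TEID."""
    if len(pkt) < 12:
        return "drop", "truncated header"
    flags, mtype, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2 or not flags & 0x08:
        return "drop", "not GTPv2 with TEID"
    if length != len(pkt) - 4:   # length field excludes the first 4 bytes
        return "drop", "length field mismatch"
    if mtype != CREATE_SESSION_REQUEST:
        return "pass", "message type not filtered here"
    ies, off = {}, 12            # header is 12 bytes when the TEID flag is set
    while off < len(pkt):
        if off + 4 > len(pkt):
            return "drop", "truncated IE header"
        ie_type, ie_len = struct.unpack("!BH", pkt[off:off + 3])
        off += 4                 # skip type, length, spare/instance
        if off + ie_len > len(pkt):
            return "drop", "IE overruns message"
        ies.setdefault(ie_type, pkt[off:off + ie_len])
        off += ie_len
    try:
        imsi = decode_tbcd(ies[IE_IMSI])
    except (KeyError, ValueError):
        return "drop", "missing or malformed IMSI"
    if not imsi.startswith(tuple(imsi_prefixes)):
        return "drop", "IMSI prefix not allowed"
    return "pass", "ok"

def build_csr(imsi, teid=0, seq=1):
    """Constructed sample: Create Session Request holding only an IMSI IE."""
    d = imsi + "f" * (len(imsi) % 2)
    tbcd = bytes(int(d[i + 1] + d[i], 16) for i in range(0, len(d), 2))
    ie = struct.pack("!BHB", IE_IMSI, len(tbcd), 0) + tbcd
    rest = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + ie
    return struct.pack("!BBH", 0x48, CREATE_SESSION_REQUEST, len(rest)) + rest
```

The structural checks run before any field is decoded, so a message whose length fields disagree with the bytes received is rejected without its contents ever being interpreted.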
Deployment Models and Supported Platforms
FortiOS-Carrier is designed for flexible integration into mobile core networks, primarily in two key architectures:
- Gi/SGi Firewall: Deployed at the border between the mobile core (PGW/UPF) and the public internet, securing subscriber data traffic and providing value-added services.
- RAN Security Gateway: Placed between the Radio Access Network (RAN) and the core (e.g., on N3, S1-U interfaces), it aggregates and secures GTP, SCTP, and IPsec traffic from base stations.
Licensing and Compatibility: To run FortiOS-Carrier, a dedicated license key (FCR-EUPG) must be purchased from Fortinet or authorized partners. Once obtained, the license is applied via the FortiOS CLI command execute forticarrier-license <license-key>, which reboots the device into the FortiOS-Carrier factory default configuration.
- Supported Platforms: The license is validated for specific high-end FortiGate models and virtual machines, including the FortiGate 2600F, 3000, 4000, 5000, and 7000 series, as well as VM08/VM16/VM32/VMUL virtual machine series.
- Important Exclusion: According to Fortinet documentation, FortiOS-Carrier is not supported for the VM S-Series. Separate "FortiCarrier Upgrade Subscription" SKUs (e.g., FC-10-FGVVS-948-02-36) exist specifically for the VM S-Series, indicating a different licensing path for that platform.
Pricing for the perpetual upgrade license (FCR-EUPG) from various distributors is listed between approximately $7,800 and $9,000, often representing a significant discount from a manufacturer's list price.
The Strategic Imperative for Service Providers
For service providers, the FortiOS-Carrier upgrade is more than a security product; it's a strategic enabler. It protects revenue by preventing GTP-based fraud and overbilling, ensures service continuity by blocking network-centric attacks, and helps meet regulatory and data privacy requirements through deep inspection and logging. As networks evolve toward 5G Standalone (SA) and further adopt CUPS architecture, the PFCP firewall capability becomes non-negotiable for core security.
By consolidating advanced GTP inspection, PFCP security, and standard NGFW/UTM features into a single appliance, FortiOS-Carrier reduces complexity and total cost of ownership. It allows carriers to defend the infrastructure that powers the connected world, turning network security from a challenge into a competitive advantage.
Frequently Asked Questions (FAQ)
Q1: What is the main difference between standard FortiOS and FortiOS-Carrier?
A1: Standard FortiOS provides universal next-generation firewall (NGFW) capabilities. FortiOS-Carrier includes all those features and adds specialized, high-scale security functions for mobile core networks, specifically an integrated GTP firewall, a PFCP firewall for 5G CUPS architecture, and enhanced SCTP filtering. It's designed for the protocols and scale required by mobile carriers.
Q2: My company uses FortiGate VM S-Series. Can I use the FCR-EUPG license?
A2: No. Fortinet's official documentation explicitly states that the FortiOS-Carrier license (SKU FCR-EUPG) is not supported for the VM S-Series. You must purchase the specific "FortiCarrier Upgrade Subscription" licenses designed for the VM S-Series platform (e.g., SKU FC-10-FGVVS-948-02-36 for a 3-year term).
Q3: Where exactly should I deploy a FortiGate with the Carrier license in my mobile network?
A3: The two most common deployment points are:
- As a Gi/SGi Firewall: Positioned between the Packet Data Network Gateway (PGW/UPF) and the internet to protect and shape subscriber data traffic.
- As a RAN Security Gateway: Positioned between the Radio Access Network (e.g., eNodeBs/gNodeBs) and the core network to secure the GTP and SCTP traffic on interfaces like N3 and S1-U.
Q4: Does the license need to be reapplied after a FortiOS firmware upgrade?
A4: No. According to Fortinet's licensing guide, once the FortiOS-Carrier license is applied, you do not need to re-license the device after installing new FortiOS firmware versions. The Carrier functionality persists through upgrades.
Q5: What kind of attacks does the GTP firewall specifically protect against?
A5: It protects against a wide range of GTP-specific exploits, including GTP protocol anomaly attacks (malformed packets, buffer overflows), GTP denial-of-service attacks (tunnel flooding, path management floods), fraud attempts like GTP overbilling, and session hijacking. It also scans the user-plane payload within GTP-U tunnels for malware, data exfiltration, and other threats.