
FortiOS-Carrier: The Specialized Security Operating System Powering Modern Mobile Networks


In an era where mobile network security is paramount, Fortinet offers a robust solution tailored specifically for telecommunications carriers and Mobile Virtual Network Operators (MVNOs). FortiOS-Carrier is not a standalone product but an extended operating system license that unlocks specialized security capabilities within FortiGate next-generation firewalls. Designed for mobile infrastructures like Evolved Packet Cores (EPC) and 5G cores, it provides high-performance, scalable security without sacrificing the rich feature set of the standard FortiOS. This specialized license transforms standard FortiGate appliances into powerful GTP (GPRS Tunneling Protocol) and PFCP (Packet Forwarding Control Protocol) firewalls, securing the critical interfaces of 2G through 5G networks against a complex landscape of mobile-specific threats.


Core Capabilities and Deployment

1. GTP and PFCP Firewall Protection

The cornerstone of FortiOS-Carrier is its deep inspection of mobile network protocols. It acts as a stateful inspection firewall for the control and user planes of mobile networks.

  • GTP Firewall: It provides comprehensive security for the GPRS Tunneling Protocol across all generations—GTPv0, GTPv1, and GTPv2. This includes packet sanity checking, protocol anomaly detection, and protection against malformed packets and denial-of-service attacks. The firewall can be deployed on key 3GPP interfaces such as N3, N9, S1-U, S5/S8, and Gn/Gp.
  • PFCP Firewall: To secure modern architectures that use Control and User Plane Separation (CUPS), FortiOS-Carrier inspects PFCP traffic. This protocol is vital in 4G and 5G networks for session management between control plane functions (like SMF) and user plane functions (like UPF). Protection is applied on interfaces like N4, Sxa, and Sxb.

2. Granular Traffic Filtering and Policy Control

Beyond basic firewalling, FortiOS-Carrier enables extremely granular control over mobile traffic:

  • Identity-Based Filtering: Create policies based on subscriber and network identifiers, including IMSI (International Mobile Subscriber Identity), MSISDN (phone number), IMEI (device ID), and APN (Access Point Name).
  • Message Filtering and Rate Limiting: Precisely allow or deny specific GTP message types and control the rate of messages to protect network elements from floods.
  • Advanced Threat Prevention: It extends FortiOS's UTM (Unified Threat Management) capabilities into GTP tunnels, allowing for antivirus scanning, intrusion prevention (IPS), and data leakage prevention (DLP) on the encapsulated user data traffic (GTP-U).
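The packet sanity checks, message-type filtering and rate limiting described above, as an added Python example written for this page (it is not Fortinet code and does not reproduce how FortiOS-Carrier implements these checks internally). It decodes GTPv1 and GTPv2 headers according to 3GPP TS 29.060 and TS 29.274, rejects datagrams whose length field disagrees with their size and echo messages that carry a TEID, enforces a per-version allowlist of message types, and rate-limits each peer with a token bucket. The peer addresses, allowlists and datagrams are constructed samples; GTPv0's fixed 20-byte header is left out for brevity.

```python
"""Toy GTP-C sanity check, message-type allowlist and per-peer rate limit.
Added illustration, not Fortinet code. Header layouts: 3GPP TS 29.060
(GTPv1) and TS 29.274 (GTPv2). All sample data is constructed."""
import struct
from collections import defaultdict

# Message types used below (TS 29.060 for v1, TS 29.274 for v2)
GTPV1_TYPES = {1: "echo_req", 2: "echo_rsp", 16: "create_pdp_req",
               17: "create_pdp_rsp", 20: "delete_pdp_req", 255: "g_pdu"}
GTPV2_TYPES = {1: "echo_req", 2: "echo_rsp", 32: "create_session_req",
               33: "create_session_rsp", 34: "modify_bearer_req",
               36: "delete_session_req"}


def parse_gtp(data: bytes) -> dict:
    """Decode a GTP header; raise ValueError on any sanity-check failure."""
    if len(data) < 4:
        raise ValueError("truncated header")
    version, msg_type = data[0] >> 5, data[1]
    length = struct.unpack("!H", data[2:4])[0]
    if version == 1:
        # PT bit must be 1: PT=0 is GTP' (charging), not a GTP-C/GTP-U message
        if not data[0] & 0x10:
            raise ValueError("GTP' packet on a GTP interface")
        # GTPv1 length field excludes the mandatory 8-byte header
        if len(data) < 8 or len(data) != 8 + length:
            raise ValueError("length field disagrees with datagram size")
        teid = struct.unpack("!I", data[4:8])[0]
    elif version == 2:
        teid_present = bool(data[0] & 0x08)          # T flag
        header_len = 12 if teid_present else 8
        # GTPv2 length field excludes only the first 4 bytes
        if len(data) < header_len or len(data) != 4 + length:
            raise ValueError("length field disagrees with datagram size")
        teid = struct.unpack("!I", data[4:8])[0] if teid_present else None
    else:
        raise ValueError(f"unsupported GTP version {version}")
    # Echo messages carry no tunnel: a non-zero TEID is a protocol anomaly
    if msg_type in (1, 2) and teid:
        raise ValueError("echo message with non-zero TEID")
    return {"version": version, "msg_type": msg_type, "teid": teid, "length": length}


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class GtpFilter:
    """Per-version message-type allowlist followed by a per-peer rate limit."""

    def __init__(self, allowed: dict, rate: float, burst: int):
        self.allowed = allowed                      # {version: {msg_type, ...}}
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def inspect(self, peer: str, data: bytes, now: float) -> str:
        try:
            hdr = parse_gtp(data)
        except ValueError as exc:
            return f"drop:malformed ({exc})"
        if hdr["msg_type"] not in self.allowed.get(hdr["version"], set()):
            return "drop:message-type"
        if not self.buckets[peer].allow(now):
            return "drop:rate-limit"
        return "allow"


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"") -> bytes:
    # 0x30 = version 1, PT=1, no optional fields
    return bytes([0x30, msg_type]) + struct.pack("!HI", len(payload), teid) + payload


def build_gtpv2(msg_type: int, teid: int, seq: int, payload: bytes = b"") -> bytes:
    # 0x48 = version 2, T=1 (TEID present); 0x40 would omit the TEID
    body = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + payload
    return bytes([0x48, msg_type]) + struct.pack("!H", len(body)) + body


def run_demo() -> list:
    """Feed constructed datagrams through the filter and return the verdicts."""
    allowed = {1: {1, 2, 16, 17, 20}, 2: {1, 2, 32, 33, 36}}
    fw = GtpFilter(allowed, rate=10.0, burst=3)
    sgsn, peer2 = "192.0.2.10", "192.0.2.20"        # constructed peer addresses
    create_pdp = build_gtpv1(16, 0, b"\x02" + b"\x21\x43\x65\x87\x09\x21\x43\xf5")
    verdicts = [
        fw.inspect(sgsn, build_gtpv1(1, 0), 0.0),              # echo request
        fw.inspect(sgsn, create_pdp, 0.1),                     # create PDP context
        fw.inspect(sgsn, create_pdp[:-1], 0.2),                # length mismatch
        fw.inspect(sgsn, build_gtpv1(1, 0xDEADBEEF), 0.3),     # echo with a TEID
        fw.inspect(sgsn, build_gtpv2(34, 0x1234, 7), 0.4),     # type not allowed
        fw.inspect(sgsn, build_gtpv2(32, 0, 8), 0.5),          # create session
    ]
    # Flood: four echo requests in the same instant exceed burst=3
    verdicts += [fw.inspect(peer2, build_gtpv1(1, 0), 1.0) for _ in range(4)]
    return verdicts
```

The order of checks matters: malformed datagrams and disallowed message types are discarded before they touch the peer's token bucket, so a flood of junk cannot starve that peer's legitimate signalling of its rate budget. A real GTP firewall additionally tracks tunnel state (TEIDs learned from Create PDP Context / Create Session exchanges) and applies the subscriber-identity filters the page lists, which this toy omits.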

3. Operational Efficiency and Simplified Management

The system is designed for carrier-scale operations, offering features that lower costs and complexity.

  • Dynamic Context Security Policy: Security profiles can be dynamically assigned using information from RADIUS records, tying policies directly to subscriber sessions for real-time, contextual enforcement.
  • Unified Management: Devices running FortiOS-Carrier can be managed alongside standard FortiGate units within the same FortiManager and FortiAnalyzer ecosystems, providing a single pane of glass for network-wide security management.
  • Automation Ready: With support for the FortiOS REST API and dedicated Ansible modules (like fortios_firewall_carrier_endpoint_bwl), configurations such as carrier endpoint blacklists/whitelists can be fully automated, enabling DevOps and NetSecOps integration.
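The automation workflow this section describes, as an added Python example written for this page (not Fortinet code and not the Ansible collection's module): it validates subscriber-identifier entries before they are sent, reconciles a desired carrier endpoint list against a snapshot of what the device holds so that repeated runs are idempotent, and builds the REST call that replaces the list. The CMDB path `/api/v2/cmdb/firewall/carrier-endpoint-bwl`, the entry field names (`carrier-endpoint`, `action`, `pattern-type`, `status`) and their values are assumptions taken from the CLI object name, not from the page; check them against your FortiOS version's REST reference. Host, token and all identifiers are constructed placeholders.

```python
"""Idempotent carrier endpoint block/allow list management over the FortiOS
REST API, in the IaC style the page describes. Added example, not Fortinet
code. ASSUMED (verify against your REST reference): the CMDB path and the
entry field names, taken to mirror 'config firewall carrier-endpoint-bwl'."""
import json
import re
import urllib.request

# An exact IMSI is 5..15 digits (MCC + MNC + MSIN); wildcard patterns may add '*'
EXACT_RE = re.compile(r"^[0-9]{5,15}$")
WILDCARD_RE = re.compile(r"^[0-9*]{1,16}$")


def make_entry(endpoint: str, action: str = "block", pattern_type: str = "simple") -> dict:
    """Validate one list entry locally before it is ever sent to the device."""
    if action not in ("block", "exempt"):                     # assumed action values
        raise ValueError(f"unknown action {action!r}")
    if pattern_type == "simple" and not EXACT_RE.match(endpoint):
        raise ValueError(f"not a valid subscriber identifier: {endpoint!r}")
    if pattern_type == "wildcard" and not WILDCARD_RE.match(endpoint):
        raise ValueError(f"not a valid wildcard pattern: {endpoint!r}")
    if pattern_type == "regexp":
        re.compile(endpoint)                                  # raises re.error if invalid
    return {"carrier-endpoint": endpoint, "action": action,    # assumed field names
            "pattern-type": pattern_type, "status": "enable"}


def reconcile(desired: list, current: list) -> tuple:
    """Return (to_add_or_update, to_remove); both are empty once the device
    already matches `desired`, so a second run changes nothing."""
    want = {e["carrier-endpoint"]: e for e in desired}
    have = {e["carrier-endpoint"]: e for e in current}
    to_add = [e for key, e in want.items() if have.get(key) != e]
    to_remove = [e for key, e in have.items() if key not in want]
    return to_add, to_remove


def build_put(host: str, token: str, name: str, entries: list, vdom: str = "root"):
    """Build (but do not send) the PUT that replaces the named list with `entries`."""
    url = f"https://{host}/api/v2/cmdb/firewall/carrier-endpoint-bwl/{name}?vdom={vdom}"
    body = json.dumps({"name": name, "entries": entries}).encode()
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("Authorization", f"Bearer {token}")        # FortiOS API-token auth
    req.add_header("Content-Type", "application/json")
    return req


def send_request(req: urllib.request.Request, timeout: float = 10.0) -> dict:
    """Send the prepared request; only reaches the network when actually called."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def run_demo() -> dict:
    """Constructed desired list versus a constructed snapshot of the device list."""
    desired = [
        make_entry("001010123456789"),                        # test-network IMSI (constructed)
        make_entry("00101099*", pattern_type="wildcard"),     # whole constructed range
        make_entry("001010555000001", action="exempt"),
    ]
    current = [
        make_entry("001010123456789"),                        # already present, unchanged
        make_entry("001010999999999"),                        # stale entry, must go
        make_entry("001010555000001"),                        # action drifted to block
    ]
    to_add, to_remove = reconcile(desired, current)
    req = None
    if to_add or to_remove:                 # skip the write entirely when nothing drifted
        req = build_put("fw.example.invalid", "TOKEN-PLACEHOLDER", "lab-blocklist", desired)
    return {"add": [e["carrier-endpoint"] for e in to_add],
            "remove": [e["carrier-endpoint"] for e in to_remove],
            "method": req.get_method() if req else None,
            "url": req.full_url if req else None,
            "body": json.loads(req.data) if req else None}
```

Validating identifiers locally keeps a typo in a playbook variable from turning into a block entry that silently matches nothing (or, with a stray wildcard, far too much), and the reconcile step gives reviewers a change preview before the PUT is issued. The same desired/current diff is what an Ansible task with `state: present` effectively computes for you.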

4. Complementary Security Integration

FortiOS-Carrier is designed to be part of a broader security fabric. It can integrate with FortiSandbox Cloud for advanced malware detection. Suspicious files traversing the mobile network can be submitted for dynamic analysis in the cloud, with actionable threat intelligence fed back to the FortiGate to block zero-day attacks across the infrastructure.


Technical Specifications and Evolution

  • Licensing and Compatibility: The FortiOS-Carrier upgrade license (SKU: FCR-EUPG) is available for supported high-end FortiGate appliance models (2600F series and above, 3000/4000/5000/7000 series) and specific virtual machine series (VM08, VM16, VM32, VMUL). It is activated via a CLI command, after which the device restarts with a Carrier-specific factory default configuration.
  • Feature Evolution: Recent versions like FortiOS Carrier 7.2.x have expanded support to new hardware platforms (e.g., NP7-based FortiGate-3500F/4400F series) and continuously enhanced filtering, adding support for filtering all GTPv0/v1 and GTPv2 message types as defined by 3GPP standards. Earlier versions (like 6.2.x) also included dedicated MMS (Multimedia Messaging Service) protection for filtering and scanning MM1, MM3, MM4, and MM7 message interfaces.
  • High Availability: The system supports GTP tunnel synchronization across FortiGate Clustering Protocol (FGCP) and FortiGate Session Life Support Protocol (FGSP) clusters, ensuring subscriber session state is maintained during failover events—a critical requirement for carrier uptime.

Frequently Asked Questions (FAQ)

What exactly is FortiOS-Carrier? It is a specialized license upgrade for select FortiGate appliances that enables carrier-grade security features, primarily deep inspection and firewalling of mobile network protocols (GTP, PFCP) and SCTP, along with granular subscriber-aware policy controls.

Which mobile networks does it protect? It is designed to secure 2G, 3G, 4G/LTE, and 5G network infrastructures. It supports the key protocols (GTPv0, v1, v2, PFCP) used across these generations.

How is it different from a standard FortiGate license? A standard FortiGate license provides general enterprise network security (firewalling, VPN, UTM). The Carrier license adds the ability to understand, inspect, and apply stateful security policies to the specialized protocols that form the backbone of mobile carrier networks, which a standard firewall would treat as generic IP traffic.

Can it inspect the actual content users access over mobile data? Yes. Through its GTP-U payload scanning feature, it can decapsulate user traffic from GTP tunnels and apply FortiOS's full suite of UTM features—including antivirus, web filtering, IPS, and DLP—to the internal IP packets.

How does it support network automation? FortiOS-Carrier configurations can be automated via its comprehensive REST API and supported Ansible collection modules. This allows for the programmatic management of security policies, carrier endpoint lists, and GTP profiles, fitting into modern Infrastructure-as-Code (IaC) practices.

Is high availability supported for mobile sessions? Yes. It features GTP tunnel synchronization between devices in a high-availability cluster. This ensures that if one firewall fails, the backup unit already has the state information for active mobile data sessions, preventing service interruption for subscribers.

What is the relationship with FortiSandbox? FortiOS-Carrier can integrate with FortiSandbox Cloud for advanced threat protection. Files or artifacts deemed suspicious can be forwarded to the sandbox for dynamic behavioral analysis. If determined to be malicious, a signature can be generated and pushed back to the firewall to block that threat across the entire network.


FortiOS-Carrier represents a critical specialization in network security, bridging the gap between generic enterprise protection and the unique, high-scale demands of mobile carrier infrastructure. By providing visibility and control at the mobile protocol layer, it enables carriers to build secure, efficient, and resilient networks capable of supporting current and future generations of mobile services.