fortios_voip_profile – Configure VoIP profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify voip feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
- / required
FortiOS or FortiGate ip address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
voip_profile
-
Default:
null
Configure VoIP profiles.
comment
-
Comment.
name
- / required
Profile name.
sccp
-
SCCP.
block-mcast
-
    Choices:
  • disable
  • enable
Enable/disable block multicast RTP connections.
log-call-summary
-
    Choices:
  • disable
  • enable
Enable/disable log summary of SCCP calls.
log-violations
-
    Choices:
  • disable
  • enable
Enable/disable logging of SCCP violations.
max-calls
-
Maximum calls per minute per SCCP client (max 65535).
status
-
    Choices:
  • disable
  • enable
Enable/disable SCCP.
verify-header
-
    Choices:
  • disable
  • enable
Enable/disable verify SCCP header content.
sip
-
SIP.
ack-rate
-
ACK request rate limit (per second, per policy).
block-ack
-
    Choices:
  • disable
  • enable
Enable/disable block ACK requests.
block-bye
-
    Choices:
  • disable
  • enable
Enable/disable block BYE requests.
block-cancel
-
    Choices:
  • disable
  • enable
Enable/disable block CANCEL requests.
block-geo-red-options
-
    Choices:
  • disable
  • enable
Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
block-info
-
    Choices:
  • disable
  • enable
Enable/disable block INFO requests.
block-invite
-
    Choices:
  • disable
  • enable
Enable/disable block INVITE requests.
block-long-lines
-
    Choices:
  • disable
  • enable
Enable/disable block requests with headers exceeding max-line-length.
block-message
-
    Choices:
  • disable
  • enable
Enable/disable block MESSAGE requests.
block-notify
-
    Choices:
  • disable
  • enable
Enable/disable block NOTIFY requests.
block-options
-
    Choices:
  • disable
  • enable
Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
block-prack
-
    Choices:
  • disable
  • enable
Enable/disable block prack requests.
block-publish
-
    Choices:
  • disable
  • enable
Enable/disable block PUBLISH requests.
block-refer
-
    Choices:
  • disable
  • enable
Enable/disable block REFER requests.
block-register
-
    Choices:
  • disable
  • enable
Enable/disable block REGISTER requests.
block-subscribe
-
    Choices:
  • disable
  • enable
Enable/disable block SUBSCRIBE requests.
block-unknown
-
    Choices:
  • disable
  • enable
Block unrecognized SIP requests (enabled by default).
block-update
-
    Choices:
  • disable
  • enable
Enable/disable block UPDATE requests.
bye-rate
-
BYE request rate limit (per second, per policy).
call-keepalive
-
Continue tracking calls with no RTP for this many minutes.
cancel-rate
-
CANCEL request rate limit (per second, per policy).
contact-fixup
-
    Choices:
  • disable
  • enable
Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
hnt-restrict-source-ip
-
    Choices:
  • disable
  • enable
Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
hosted-nat-traversal
-
    Choices:
  • disable
  • enable
Hosted NAT Traversal (HNT).
info-rate
-
INFO request rate limit (per second, per policy).
invite-rate
-
INVITE request rate limit (per second, per policy).
ips-rtp
-
    Choices:
  • disable
  • enable
Enable/disable allow IPS on RTP.
log-call-summary
-
    Choices:
  • disable
  • enable
Enable/disable logging of SIP call summary.
log-violations
-
    Choices:
  • disable
  • enable
Enable/disable logging of SIP violations.
malformed-header-allow
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Allow header.
malformed-header-call-id
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Call-ID header.
malformed-header-contact
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Contact header.
malformed-header-content-length
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Content-Length header.
malformed-header-content-type
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Content-Type header.
malformed-header-cseq
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed CSeq header.
malformed-header-expires
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Expires header.
malformed-header-from
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed From header.
malformed-header-max-forwards
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Max-Forwards header.
malformed-header-p-asserted-identity
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed P-Asserted-Identity header.
malformed-header-rack
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed RAck header.
malformed-header-record-route
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Record-Route header.
malformed-header-route
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed Route header.
malformed-header-rseq
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed RSeq header.
malformed-header-sdp-a
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP a line.
malformed-header-sdp-b
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP b line.
malformed-header-sdp-c
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP c line.
malformed-header-sdp-i
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP i line.
malformed-header-sdp-k
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP k line.
malformed-header-sdp-m
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP m line.
malformed-header-sdp-o
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP o line.
malformed-header-sdp-r
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP r line.
malformed-header-sdp-s
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP s line.
malformed-header-sdp-t
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP t line.
malformed-header-sdp-v
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP v line.
malformed-header-sdp-z
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP z line.
malformed-header-to
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed To header.
malformed-header-via
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed VIA header.
malformed-request-line
-
    Choices:
  • discard
  • pass
  • respond
Action for malformed request line.
max-body-length
-
Maximum SIP message body length (0 meaning no limit).
max-dialogs
-
Maximum number of concurrent calls/dialogs (per policy).
max-idle-dialogs
-
Maximum number established but idle dialogs to retain (per policy).
max-line-length
-
Maximum SIP header line length (78-4096).
message-rate
-
MESSAGE request rate limit (per second, per policy).
nat-trace
-
    Choices:
  • disable
  • enable
Enable/disable preservation of original IP in SDP i line.
no-sdp-fixup
-
    Choices:
  • disable
  • enable
Enable/disable no SDP fix-up.
notify-rate
-
NOTIFY request rate limit (per second, per policy).
open-contact-pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for non-REGISTER Contact port.
open-record-route-pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for Record-Route port.
open-register-pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for REGISTER Contact port.
open-via-pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for Via port.
options-rate
-
OPTIONS request rate limit (per second, per policy).
prack-rate
-
PRACK request rate limit (per second, per policy).
preserve-override
-
    Choices:
  • disable
  • enable
Override i line to preserve original IPS (default: append).
provisional-invite-expiry-time
-
Expiry time for provisional INVITE (10 - 3600 sec).
publish-rate
-
PUBLISH request rate limit (per second, per policy).
refer-rate
-
REFER request rate limit (per second, per policy).
register-contact-trace
-
    Choices:
  • disable
  • enable
Enable/disable trace original IP/port within the contact header of REGISTER requests.
register-rate
-
REGISTER request rate limit (per second, per policy).
rfc2543-branch
-
    Choices:
  • disable
  • enable
Enable/disable support via branch compliant with RFC 2543.
rtp
-
    Choices:
  • disable
  • enable
Enable/disable create pinholes for RTP traffic to traverse firewall.
ssl-algorithm
-
    Choices:
  • high
  • medium
  • low
Relative strength of encryption algorithms accepted in negotiation.
ssl-auth-client
-
Require a client certificate and authenticate it with the peer/peergrp. Source user.peer.name user.peergrp.name.
ssl-auth-server
-
Authenticate the server's certificate with the peer/peergrp. Source user.peer.name user.peergrp.name.
ssl-client-certificate
-
Name of Certificate to offer to server if requested. Source vpn.certificate.local.name.
ssl-client-renegotiation
-
    Choices:
  • allow
  • deny
  • secure
Allow/block client renegotiation by server.
ssl-max-version
-
    Choices:
  • ssl-3.0
  • tls-1.0
  • tls-1.1
  • tls-1.2
Highest SSL/TLS version to negotiate.
ssl-min-version
-
    Choices:
  • ssl-3.0
  • tls-1.0
  • tls-1.1
  • tls-1.2
Lowest SSL/TLS version to negotiate.
ssl-mode
-
    Choices:
  • no
  • full
SSL/TLS mode for encryption & decryption of traffic.
ssl-pfs
-
    Choices:
  • require
  • deny
  • allow
SSL Perfect Forward Secrecy.
ssl-send-empty-frags
-
    Choices:
  • enable
  • disable
Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
ssl-server-certificate
-
Name of Certificate return to the client in every SSL connection. Source vpn.certificate.local.name.
status
-
    Choices:
  • disable
  • enable
Enable/disable SIP.
strict-register
-
    Choices:
  • disable
  • enable
Enable/disable only allow the registrar to connect.
subscribe-rate
-
SUBSCRIBE request rate limit (per second, per policy).
unknown-header
-
    Choices:
  • discard
  • pass
  • respond
Action for unknown SIP header.
update-rate
-
UPDATE request rate limit (per second, per policy).
state
-
    Choices:
  • present
  • absent
Indicates whether to create or remove the object

Notes

Note

  • Requires fortiosapi library developed by Fortinet

  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure VoIP profiles.
    fortios_voip_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      voip_profile:
        state: "present"
        comment: "Comment."
        name: "default_name_4"
        sccp:
            block-mcast: "disable"
            log-call-summary: "disable"
            log-violations: "disable"
            max-calls: "9"
            status: "disable"
            verify-header: "disable"
        sip:
            ack-rate: "13"
            block-ack: "disable"
            block-bye: "disable"
            block-cancel: "disable"
            block-geo-red-options: "disable"
            block-info: "disable"
            block-invite: "disable"
            block-long-lines: "disable"
            block-message: "disable"
            block-notify: "disable"
            block-options: "disable"
            block-prack: "disable"
            block-publish: "disable"
            block-refer: "disable"
            block-register: "disable"
            block-subscribe: "disable"
            block-unknown: "disable"
            block-update: "disable"
            bye-rate: "31"
            call-keepalive: "32"
            cancel-rate: "33"
            contact-fixup: "disable"
            hnt-restrict-source-ip: "disable"
            hosted-nat-traversal: "disable"
            info-rate: "37"
            invite-rate: "38"
            ips-rtp: "disable"
            log-call-summary: "disable"
            log-violations: "disable"
            malformed-header-allow: "discard"
            malformed-header-call-id: "discard"
            malformed-header-contact: "discard"
            malformed-header-content-length: "discard"
            malformed-header-content-type: "discard"
            malformed-header-cseq: "discard"
            malformed-header-expires: "discard"
            malformed-header-from: "discard"
            malformed-header-max-forwards: "discard"
            malformed-header-p-asserted-identity: "discard"
            malformed-header-rack: "discard"
            malformed-header-record-route: "discard"
            malformed-header-route: "discard"
            malformed-header-rseq: "discard"
            malformed-header-sdp-a: "discard"
            malformed-header-sdp-b: "discard"
            malformed-header-sdp-c: "discard"
            malformed-header-sdp-i: "discard"
            malformed-header-sdp-k: "discard"
            malformed-header-sdp-m: "discard"
            malformed-header-sdp-o: "discard"
            malformed-header-sdp-r: "discard"
            malformed-header-sdp-s: "discard"
            malformed-header-sdp-t: "discard"
            malformed-header-sdp-v: "discard"
            malformed-header-sdp-z: "discard"
            malformed-header-to: "discard"
            malformed-header-via: "discard"
            malformed-request-line: "discard"
            max-body-length: "71"
            max-dialogs: "72"
            max-idle-dialogs: "73"
            max-line-length: "74"
            message-rate: "75"
            nat-trace: "disable"
            no-sdp-fixup: "disable"
            notify-rate: "78"
            open-contact-pinhole: "disable"
            open-record-route-pinhole: "disable"
            open-register-pinhole: "disable"
            open-via-pinhole: "disable"
            options-rate: "83"
            prack-rate: "84"
            preserve-override: "disable"
            provisional-invite-expiry-time: "86"
            publish-rate: "87"
            refer-rate: "88"
            register-contact-trace: "disable"
            register-rate: "90"
            rfc2543-branch: "disable"
            rtp: "disable"
            ssl-algorithm: "high"
            ssl-auth-client: "<your_own_value> (source user.peer.name user.peergrp.name)"
            ssl-auth-server: "<your_own_value> (source user.peer.name user.peergrp.name)"
            ssl-client-certificate: "<your_own_value> (source vpn.certificate.local.name)"
            ssl-client-renegotiation: "allow"
            ssl-max-version: "ssl-3.0"
            ssl-min-version: "ssl-3.0"
            ssl-mode: "off"
            ssl-pfs: "require"
            ssl-send-empty-frags: "enable"
            ssl-server-certificate: "<your_own_value> (source vpn.certificate.local.name)"
            status: "disable"
            strict-register: "disable"
            subscribe-rate: "106"
            unknown-header: "discard"
            update-rate: "108"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.