fortios_voip_profile – Configure VoIP profiles in Fortinet’s FortiOS and FortiGate¶
New in version 2.8.
Synopsis¶
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify voip feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
Requirements¶
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters¶
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
|
host
-
/ required
|
FortiOS or FortiGate ip address.
|
|||
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
||
|
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
||
|
username
-
/ required
|
FortiOS or FortiGate username.
|
|||
|
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
|
voip_profile
-
|
Default: null
|
Configure VoIP profiles.
|
||
|
comment
-
|
Comment.
|
|||
|
name
-
/ required
|
Profile name.
|
|||
|
sccp
-
|
SCCP.
|
|||
|
block-mcast
-
|
|
Enable/disable block multicast RTP connections.
|
||
|
log-call-summary
-
|
|
Enable/disable log summary of SCCP calls.
|
||
|
log-violations
-
|
|
Enable/disable logging of SCCP violations.
|
||
|
max-calls
-
|
Maximum calls per minute per SCCP client (max 65535).
|
|||
|
status
-
|
|
Enable/disable SCCP.
|
||
|
verify-header
-
|
|
Enable/disable verify SCCP header content.
|
||
|
sip
-
|
SIP.
|
|||
|
ack-rate
-
|
ACK request rate limit (per second, per policy).
|
|||
|
block-ack
-
|
|
Enable/disable block ACK requests.
|
||
|
block-bye
-
|
|
Enable/disable block BYE requests.
|
||
|
block-cancel
-
|
|
Enable/disable block CANCEL requests.
|
||
|
block-geo-red-options
-
|
|
Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
|
||
|
block-info
-
|
|
Enable/disable block INFO requests.
|
||
|
block-invite
-
|
|
Enable/disable block INVITE requests.
|
||
|
block-long-lines
-
|
|
Enable/disable block requests with headers exceeding max-line-length.
|
||
|
block-message
-
|
|
Enable/disable block MESSAGE requests.
|
||
|
block-notify
-
|
|
Enable/disable block NOTIFY requests.
|
||
|
block-options
-
|
|
Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
|
||
|
block-prack
-
|
|
Enable/disable block prack requests.
|
||
|
block-publish
-
|
|
Enable/disable block PUBLISH requests.
|
||
|
block-refer
-
|
|
Enable/disable block REFER requests.
|
||
|
block-register
-
|
|
Enable/disable block REGISTER requests.
|
||
|
block-subscribe
-
|
|
Enable/disable block SUBSCRIBE requests.
|
||
|
block-unknown
-
|
|
Block unrecognized SIP requests (enabled by default).
|
||
|
block-update
-
|
|
Enable/disable block UPDATE requests.
|
||
|
bye-rate
-
|
BYE request rate limit (per second, per policy).
|
|||
|
call-keepalive
-
|
Continue tracking calls with no RTP for this many minutes.
|
|||
|
cancel-rate
-
|
CANCEL request rate limit (per second, per policy).
|
|||
|
contact-fixup
-
|
|
Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
|
||
|
hnt-restrict-source-ip
-
|
|
Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
|
||
|
hosted-nat-traversal
-
|
|
Hosted NAT Traversal (HNT).
|
||
|
info-rate
-
|
INFO request rate limit (per second, per policy).
|
|||
|
invite-rate
-
|
INVITE request rate limit (per second, per policy).
|
|||
|
ips-rtp
-
|
|
Enable/disable allow IPS on RTP.
|
||
|
log-call-summary
-
|
|
Enable/disable logging of SIP call summary.
|
||
|
log-violations
-
|
|
Enable/disable logging of SIP violations.
|
||
|
malformed-header-allow
-
|
|
Action for malformed Allow header.
|
||
|
malformed-header-call-id
-
|
|
Action for malformed Call-ID header.
|
||
|
malformed-header-contact
-
|
|
Action for malformed Contact header.
|
||
|
malformed-header-content-length
-
|
|
Action for malformed Content-Length header.
|
||
|
malformed-header-content-type
-
|
|
Action for malformed Content-Type header.
|
||
|
malformed-header-cseq
-
|
|
Action for malformed CSeq header.
|
||
|
malformed-header-expires
-
|
|
Action for malformed Expires header.
|
||
|
malformed-header-from
-
|
|
Action for malformed From header.
|
||
|
malformed-header-max-forwards
-
|
|
Action for malformed Max-Forwards header.
|
||
|
malformed-header-p-asserted-identity
-
|
|
Action for malformed P-Asserted-Identity header.
|
||
|
malformed-header-rack
-
|
|
Action for malformed RAck header.
|
||
|
malformed-header-record-route
-
|
|
Action for malformed Record-Route header.
|
||
|
malformed-header-route
-
|
|
Action for malformed Route header.
|
||
|
malformed-header-rseq
-
|
|
Action for malformed RSeq header.
|
||
|
malformed-header-sdp-a
-
|
|
Action for malformed SDP a line.
|
||
|
malformed-header-sdp-b
-
|
|
Action for malformed SDP b line.
|
||
|
malformed-header-sdp-c
-
|
|
Action for malformed SDP c line.
|
||
|
malformed-header-sdp-i
-
|
|
Action for malformed SDP i line.
|
||
|
malformed-header-sdp-k
-
|
|
Action for malformed SDP k line.
|
||
|
malformed-header-sdp-m
-
|
|
Action for malformed SDP m line.
|
||
|
malformed-header-sdp-o
-
|
|
Action for malformed SDP o line.
|
||
|
malformed-header-sdp-r
-
|
|
Action for malformed SDP r line.
|
||
|
malformed-header-sdp-s
-
|
|
Action for malformed SDP s line.
|
||
|
malformed-header-sdp-t
-
|
|
Action for malformed SDP t line.
|
||
|
malformed-header-sdp-v
-
|
|
Action for malformed SDP v line.
|
||
|
malformed-header-sdp-z
-
|
|
Action for malformed SDP z line.
|
||
|
malformed-header-to
-
|
|
Action for malformed To header.
|
||
|
malformed-header-via
-
|
|
Action for malformed VIA header.
|
||
|
malformed-request-line
-
|
|
Action for malformed request line.
|
||
|
max-body-length
-
|
Maximum SIP message body length (0 meaning no limit).
|
|||
|
max-dialogs
-
|
Maximum number of concurrent calls/dialogs (per policy).
|
|||
|
max-idle-dialogs
-
|
Maximum number established but idle dialogs to retain (per policy).
|
|||
|
max-line-length
-
|
Maximum SIP header line length (78-4096).
|
|||
|
message-rate
-
|
MESSAGE request rate limit (per second, per policy).
|
|||
|
nat-trace
-
|
|
Enable/disable preservation of original IP in SDP i line.
|
||
|
no-sdp-fixup
-
|
|
Enable/disable no SDP fix-up.
|
||
|
notify-rate
-
|
NOTIFY request rate limit (per second, per policy).
|
|||
|
open-contact-pinhole
-
|
|
Enable/disable open pinhole for non-REGISTER Contact port.
|
||
|
open-record-route-pinhole
-
|
|
Enable/disable open pinhole for Record-Route port.
|
||
|
open-register-pinhole
-
|
|
Enable/disable open pinhole for REGISTER Contact port.
|
||
|
open-via-pinhole
-
|
|
Enable/disable open pinhole for Via port.
|
||
|
options-rate
-
|
OPTIONS request rate limit (per second, per policy).
|
|||
|
prack-rate
-
|
PRACK request rate limit (per second, per policy).
|
|||
|
preserve-override
-
|
|
Override i line to preserve original IPS (default: append).
|
||
|
provisional-invite-expiry-time
-
|
Expiry time for provisional INVITE (10 - 3600 sec).
|
|||
|
publish-rate
-
|
PUBLISH request rate limit (per second, per policy).
|
|||
|
refer-rate
-
|
REFER request rate limit (per second, per policy).
|
|||
|
register-contact-trace
-
|
|
Enable/disable trace original IP/port within the contact header of REGISTER requests.
|
||
|
register-rate
-
|
REGISTER request rate limit (per second, per policy).
|
|||
|
rfc2543-branch
-
|
|
Enable/disable support via branch compliant with RFC 2543.
|
||
|
rtp
-
|
|
Enable/disable create pinholes for RTP traffic to traverse firewall.
|
||
|
ssl-algorithm
-
|
|
Relative strength of encryption algorithms accepted in negotiation.
|
||
|
ssl-auth-client
-
|
Require a client certificate and authenticate it with the peer/peergrp. Source user.peer.name user.peergrp.name.
|
|||
|
ssl-auth-server
-
|
Authenticate the server's certificate with the peer/peergrp. Source user.peer.name user.peergrp.name.
|
|||
|
ssl-client-certificate
-
|
Name of Certificate to offer to server if requested. Source vpn.certificate.local.name.
|
|||
|
ssl-client-renegotiation
-
|
|
Allow/block client renegotiation by server.
|
||
|
ssl-max-version
-
|
|
Highest SSL/TLS version to negotiate.
|
||
|
ssl-min-version
-
|
|
Lowest SSL/TLS version to negotiate.
|
||
|
ssl-mode
-
|
|
SSL/TLS mode for encryption & decryption of traffic.
|
||
|
ssl-pfs
-
|
|
SSL Perfect Forward Secrecy.
|
||
|
ssl-send-empty-frags
-
|
|
Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
|
||
|
ssl-server-certificate
-
|
Name of Certificate return to the client in every SSL connection. Source vpn.certificate.local.name.
|
|||
|
status
-
|
|
Enable/disable SIP.
|
||
|
strict-register
-
|
|
Enable/disable only allow the registrar to connect.
|
||
|
subscribe-rate
-
|
SUBSCRIBE request rate limit (per second, per policy).
|
|||
|
unknown-header
-
|
|
Action for unknown SIP header.
|
||
|
update-rate
-
|
UPDATE request rate limit (per second, per policy).
|
|||
|
state
-
|
|
Indicates whether to create or remove the object
|
||
Notes¶
Note
Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook
Examples¶
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure VoIP profiles.
fortios_voip_profile:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
voip_profile:
state: "present"
comment: "Comment."
name: "default_name_4"
sccp:
block-mcast: "disable"
log-call-summary: "disable"
log-violations: "disable"
max-calls: "9"
status: "disable"
verify-header: "disable"
sip:
ack-rate: "13"
block-ack: "disable"
block-bye: "disable"
block-cancel: "disable"
block-geo-red-options: "disable"
block-info: "disable"
block-invite: "disable"
block-long-lines: "disable"
block-message: "disable"
block-notify: "disable"
block-options: "disable"
block-prack: "disable"
block-publish: "disable"
block-refer: "disable"
block-register: "disable"
block-subscribe: "disable"
block-unknown: "disable"
block-update: "disable"
bye-rate: "31"
call-keepalive: "32"
cancel-rate: "33"
contact-fixup: "disable"
hnt-restrict-source-ip: "disable"
hosted-nat-traversal: "disable"
info-rate: "37"
invite-rate: "38"
ips-rtp: "disable"
log-call-summary: "disable"
log-violations: "disable"
malformed-header-allow: "discard"
malformed-header-call-id: "discard"
malformed-header-contact: "discard"
malformed-header-content-length: "discard"
malformed-header-content-type: "discard"
malformed-header-cseq: "discard"
malformed-header-expires: "discard"
malformed-header-from: "discard"
malformed-header-max-forwards: "discard"
malformed-header-p-asserted-identity: "discard"
malformed-header-rack: "discard"
malformed-header-record-route: "discard"
malformed-header-route: "discard"
malformed-header-rseq: "discard"
malformed-header-sdp-a: "discard"
malformed-header-sdp-b: "discard"
malformed-header-sdp-c: "discard"
malformed-header-sdp-i: "discard"
malformed-header-sdp-k: "discard"
malformed-header-sdp-m: "discard"
malformed-header-sdp-o: "discard"
malformed-header-sdp-r: "discard"
malformed-header-sdp-s: "discard"
malformed-header-sdp-t: "discard"
malformed-header-sdp-v: "discard"
malformed-header-sdp-z: "discard"
malformed-header-to: "discard"
malformed-header-via: "discard"
malformed-request-line: "discard"
max-body-length: "71"
max-dialogs: "72"
max-idle-dialogs: "73"
max-line-length: "74"
message-rate: "75"
nat-trace: "disable"
no-sdp-fixup: "disable"
notify-rate: "78"
open-contact-pinhole: "disable"
open-record-route-pinhole: "disable"
open-register-pinhole: "disable"
open-via-pinhole: "disable"
options-rate: "83"
prack-rate: "84"
preserve-override: "disable"
provisional-invite-expiry-time: "86"
publish-rate: "87"
refer-rate: "88"
register-contact-trace: "disable"
register-rate: "90"
rfc2543-branch: "disable"
rtp: "disable"
ssl-algorithm: "high"
ssl-auth-client: "<your_own_value> (source user.peer.name user.peergrp.name)"
ssl-auth-server: "<your_own_value> (source user.peer.name user.peergrp.name)"
ssl-client-certificate: "<your_own_value> (source vpn.certificate.local.name)"
ssl-client-renegotiation: "allow"
ssl-max-version: "ssl-3.0"
ssl-min-version: "ssl-3.0"
ssl-mode: "off"
ssl-pfs: "require"
ssl-send-empty-frags: "enable"
ssl-server-certificate: "<your_own_value> (source vpn.certificate.local.name)"
status: "disable"
strict-register: "disable"
subscribe-rate: "106"
unknown-header: "discard"
update-rate: "108"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]