fortios_voip_profile – Configure VoIP profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify voip feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes ←
Ensures FortiGate certificate must be verified by a proper CA.
state
string
added in 2.9
    Choices:
  • present
  • absent
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
voip_profile
dictionary
Default:
null
Configure VoIP profiles.
comment
string
Comment.
name
string / required
Profile name.
sccp
dictionary
SCCP.
block_mcast
string
    Choices:
  • disable
  • enable
Enable/disable block multicast RTP connections.
log_call_summary
string
    Choices:
  • disable
  • enable
Enable/disable log summary of SCCP calls.
log_violations
string
    Choices:
  • disable
  • enable
Enable/disable logging of SCCP violations.
max_calls
integer
Maximum calls per minute per SCCP client (max 65535).
status
string
    Choices:
  • disable
  • enable
Enable/disable SCCP.
verify_header
string
    Choices:
  • disable
  • enable
Enable/disable verify SCCP header content.
sip
dictionary
SIP.
ack_rate
integer
ACK request rate limit (per second, per policy).
block_ack
string
    Choices:
  • disable
  • enable
Enable/disable block ACK requests.
block_bye
string
    Choices:
  • disable
  • enable
Enable/disable block BYE requests.
block_cancel
string
    Choices:
  • disable
  • enable
Enable/disable block CANCEL requests.
block_geo_red_options
string
    Choices:
  • disable
  • enable
Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
block_info
string
    Choices:
  • disable
  • enable
Enable/disable block INFO requests.
block_invite
string
    Choices:
  • disable
  • enable
Enable/disable block INVITE requests.
block_long_lines
string
    Choices:
  • disable
  • enable
Enable/disable block requests with headers exceeding max-line-length.
block_message
string
    Choices:
  • disable
  • enable
Enable/disable block MESSAGE requests.
block_notify
string
    Choices:
  • disable
  • enable
Enable/disable block NOTIFY requests.
block_options
string
    Choices:
  • disable
  • enable
Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
block_prack
string
    Choices:
  • disable
  • enable
Enable/disable block prack requests.
block_publish
string
    Choices:
  • disable
  • enable
Enable/disable block PUBLISH requests.
block_refer
string
    Choices:
  • disable
  • enable
Enable/disable block REFER requests.
block_register
string
    Choices:
  • disable
  • enable
Enable/disable block REGISTER requests.
block_subscribe
string
    Choices:
  • disable
  • enable
Enable/disable block SUBSCRIBE requests.
block_unknown
string
    Choices:
  • disable
  • enable
Block unrecognized SIP requests (enabled by default).
block_update
string
    Choices:
  • disable
  • enable
Enable/disable block UPDATE requests.
bye_rate
integer
BYE request rate limit (per second, per policy).
call_keepalive
integer
Continue tracking calls with no RTP for this many minutes.
cancel_rate
integer
CANCEL request rate limit (per second, per policy).
contact_fixup
string
    Choices:
  • disable
  • enable
Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
hnt_restrict_source_ip
string
    Choices:
  • disable
  • enable
Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
hosted_nat_traversal
string
    Choices:
  • disable
  • enable
Hosted NAT Traversal (HNT).
info_rate
integer
INFO request rate limit (per second, per policy).
invite_rate
integer
INVITE request rate limit (per second, per policy).
ips_rtp
string
    Choices:
  • disable
  • enable
Enable/disable allow IPS on RTP.
log_call_summary
string
    Choices:
  • disable
  • enable
Enable/disable logging of SIP call summary.
log_violations
string
    Choices:
  • disable
  • enable
Enable/disable logging of SIP violations.
malformed_header_allow
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Allow header.
malformed_header_call_id
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Call-ID header.
malformed_header_contact
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Contact header.
malformed_header_content_length
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Content-Length header.
malformed_header_content_type
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Content-Type header.
malformed_header_cseq
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed CSeq header.
malformed_header_expires
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Expires header.
malformed_header_from
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed From header.
malformed_header_max_forwards
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Max-Forwards header.
malformed_header_p_asserted_identity
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed P-Asserted-Identity header.
malformed_header_rack
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed RAck header.
malformed_header_record_route
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Record-Route header.
malformed_header_route
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed Route header.
malformed_header_rseq
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed RSeq header.
malformed_header_sdp_a
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP a line.
malformed_header_sdp_b
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP b line.
malformed_header_sdp_c
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP c line.
malformed_header_sdp_i
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP i line.
malformed_header_sdp_k
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP k line.
malformed_header_sdp_m
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP m line.
malformed_header_sdp_o
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP o line.
malformed_header_sdp_r
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP r line.
malformed_header_sdp_s
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP s line.
malformed_header_sdp_t
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP t line.
malformed_header_sdp_v
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP v line.
malformed_header_sdp_z
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed SDP z line.
malformed_header_to
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed To header.
malformed_header_via
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed VIA header.
malformed_request_line
string
    Choices:
  • discard
  • pass
  • respond
Action for malformed request line.
max_body_length
integer
Maximum SIP message body length (0 meaning no limit).
max_dialogs
integer
Maximum number of concurrent calls/dialogs (per policy).
max_idle_dialogs
integer
Maximum number established but idle dialogs to retain (per policy).
max_line_length
integer
Maximum SIP header line length (78-4096).
message_rate
integer
MESSAGE request rate limit (per second, per policy).
nat_trace
string
    Choices:
  • disable
  • enable
Enable/disable preservation of original IP in SDP i line.
no_sdp_fixup
string
    Choices:
  • disable
  • enable
Enable/disable no SDP fix-up.
notify_rate
integer
NOTIFY request rate limit (per second, per policy).
open_contact_pinhole
string
    Choices:
  • disable
  • enable
Enable/disable open pinhole for non-REGISTER Contact port.
open_record_route_pinhole
string
    Choices:
  • disable
  • enable
Enable/disable open pinhole for Record-Route port.
open_register_pinhole
string
    Choices:
  • disable
  • enable
Enable/disable open pinhole for REGISTER Contact port.
open_via_pinhole
string
    Choices:
  • disable
  • enable
Enable/disable open pinhole for Via port.
options_rate
integer
OPTIONS request rate limit (per second, per policy).
prack_rate
integer
PRACK request rate limit (per second, per policy).
preserve_override
string
    Choices:
  • disable
  • enable
Override i line to preserve original IPS .
provisional_invite_expiry_time
integer
Expiry time for provisional INVITE (10 - 3600 sec).
publish_rate
integer
PUBLISH request rate limit (per second, per policy).
refer_rate
integer
REFER request rate limit (per second, per policy).
register_contact_trace
string
    Choices:
  • disable
  • enable
Enable/disable trace original IP/port within the contact header of REGISTER requests.
register_rate
integer
REGISTER request rate limit (per second, per policy).
rfc2543_branch
string
    Choices:
  • disable
  • enable
Enable/disable support via branch compliant with RFC 2543.
rtp
string
    Choices:
  • disable
  • enable
Enable/disable create pinholes for RTP traffic to traverse firewall.
ssl_algorithm
string
    Choices:
  • high
  • medium
  • low
Relative strength of encryption algorithms accepted in negotiation.
ssl_auth_client
string
Require a client certificate and authenticate it with the peer/peergrp. Source user.peer.name user.peergrp.name.
ssl_auth_server
string
Authenticate the server's certificate with the peer/peergrp. Source user.peer.name user.peergrp.name.
ssl_client_certificate
string
Name of Certificate to offer to server if requested. Source vpn.certificate.local.name.
ssl_client_renegotiation
string
    Choices:
  • allow
  • deny
  • secure
Allow/block client renegotiation by server.
ssl_max_version
string
    Choices:
  • ssl-3.0
  • tls-1.0
  • tls-1.1
  • tls-1.2
Highest SSL/TLS version to negotiate.
ssl_min_version
string
    Choices:
  • ssl-3.0
  • tls-1.0
  • tls-1.1
  • tls-1.2
Lowest SSL/TLS version to negotiate.
ssl_mode
string
    Choices:
  • no
  • full
SSL/TLS mode for encryption & decryption of traffic.
ssl_pfs
string
    Choices:
  • require
  • deny
  • allow
SSL Perfect Forward Secrecy.
ssl_send_empty_frags
string
    Choices:
  • enable
  • disable
Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
ssl_server_certificate
string
Name of Certificate return to the client in every SSL connection. Source vpn.certificate.local.name.
status
string
    Choices:
  • disable
  • enable
Enable/disable SIP.
strict_register
string
    Choices:
  • disable
  • enable
Enable/disable only allow the registrar to connect.
subscribe_rate
integer
SUBSCRIBE request rate limit (per second, per policy).
unknown_header
string
    Choices:
  • discard
  • pass
  • respond
Action for unknown SIP header.
update_rate
integer
UPDATE request rate limit (per second, per policy).
state
string
    Choices:
  • present
  • absent
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.

Indicates whether to create or remove the object.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure VoIP profiles.
    fortios_voip_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      voip_profile:
        comment: "Comment."
        name: "default_name_4"
        sccp:
            block_mcast: "disable"
            log_call_summary: "disable"
            log_violations: "disable"
            max_calls: "9"
            status: "disable"
            verify_header: "disable"
        sip:
            ack_rate: "13"
            block_ack: "disable"
            block_bye: "disable"
            block_cancel: "disable"
            block_geo_red_options: "disable"
            block_info: "disable"
            block_invite: "disable"
            block_long_lines: "disable"
            block_message: "disable"
            block_notify: "disable"
            block_options: "disable"
            block_prack: "disable"
            block_publish: "disable"
            block_refer: "disable"
            block_register: "disable"
            block_subscribe: "disable"
            block_unknown: "disable"
            block_update: "disable"
            bye_rate: "31"
            call_keepalive: "32"
            cancel_rate: "33"
            contact_fixup: "disable"
            hnt_restrict_source_ip: "disable"
            hosted_nat_traversal: "disable"
            info_rate: "37"
            invite_rate: "38"
            ips_rtp: "disable"
            log_call_summary: "disable"
            log_violations: "disable"
            malformed_header_allow: "discard"
            malformed_header_call_id: "discard"
            malformed_header_contact: "discard"
            malformed_header_content_length: "discard"
            malformed_header_content_type: "discard"
            malformed_header_cseq: "discard"
            malformed_header_expires: "discard"
            malformed_header_from: "discard"
            malformed_header_max_forwards: "discard"
            malformed_header_p_asserted_identity: "discard"
            malformed_header_rack: "discard"
            malformed_header_record_route: "discard"
            malformed_header_route: "discard"
            malformed_header_rseq: "discard"
            malformed_header_sdp_a: "discard"
            malformed_header_sdp_b: "discard"
            malformed_header_sdp_c: "discard"
            malformed_header_sdp_i: "discard"
            malformed_header_sdp_k: "discard"
            malformed_header_sdp_m: "discard"
            malformed_header_sdp_o: "discard"
            malformed_header_sdp_r: "discard"
            malformed_header_sdp_s: "discard"
            malformed_header_sdp_t: "discard"
            malformed_header_sdp_v: "discard"
            malformed_header_sdp_z: "discard"
            malformed_header_to: "discard"
            malformed_header_via: "discard"
            malformed_request_line: "discard"
            max_body_length: "71"
            max_dialogs: "72"
            max_idle_dialogs: "73"
            max_line_length: "74"
            message_rate: "75"
            nat_trace: "disable"
            no_sdp_fixup: "disable"
            notify_rate: "78"
            open_contact_pinhole: "disable"
            open_record_route_pinhole: "disable"
            open_register_pinhole: "disable"
            open_via_pinhole: "disable"
            options_rate: "83"
            prack_rate: "84"
            preserve_override: "disable"
            provisional_invite_expiry_time: "86"
            publish_rate: "87"
            refer_rate: "88"
            register_contact_trace: "disable"
            register_rate: "90"
            rfc2543_branch: "disable"
            rtp: "disable"
            ssl_algorithm: "high"
            ssl_auth_client: "<your_own_value> (source user.peer.name user.peergrp.name)"
            ssl_auth_server: "<your_own_value> (source user.peer.name user.peergrp.name)"
            ssl_client_certificate: "<your_own_value> (source vpn.certificate.local.name)"
            ssl_client_renegotiation: "allow"
            ssl_max_version: "ssl-3.0"
            ssl_min_version: "ssl-3.0"
            ssl_mode: "off"
            ssl_pfs: "require"
            ssl_send_empty_frags: "enable"
            ssl_server_certificate: "<your_own_value> (source vpn.certificate.local.name)"
            status: "disable"
            strict_register: "disable"
            subscribe_rate: "106"
            unknown_header: "discard"
            update_rate: "108"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.